openSUSE Security Update: Security update for modsecurity
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2023:0269-1
Rating:             moderate
References:         #1210993 #1213702 
Cross-References:   CVE-2020-15598 CVE-2021-42717 CVE-2023-28882
                    CVE-2023-38285
CVSS scores:
                    CVE-2020-15598 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-42717 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2021-42717 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2023-28882 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2023-28882 (SUSE): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
                    CVE-2023-38285 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    openSUSE Backports SLE-15-SP4
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:

   This update for modsecurity fixes the following issues:

   Update to version 3.0.10:

   * Security impacting issue (fix boo#1213702, CVE-2023-38285)

     - Fix: worst-case time in implementation of four transformations
     - Additional information on this issue is available at
          s-vulnerability-in-four-transformations-cve-2023-38285/

   * Enhancements and bug fixes

     - Add TX synonym for MSC_PCRE_LIMITS_EXCEEDED
     - Make MULTIPART_PART_HEADERS accessible to lua
     - Fix: Lua scripts cannot read whole collection at once
     - Fix: quoted Include config with wildcard
     - Support isolated PCRE match limits
     - Fix: meta actions not applied if multiMatch in first rule of chain
     - Fix: audit log may omit tags when multiMatch
     - Exclude CRLF from MULTIPART_PART_HEADER value
     - Configure: use AS_ECHO_N instead of echo -n
     - Adjust position of memset from 2890

   Update to version 3.0.9:

   * Add some member variable inits in Transaction class (possible segfault)
   * Fix: possible segfault on reload if duplicate ip+CIDR in ip match list
   * Resolve memory leak on reload (bison-generated variable)
   * Support equals sign in XPath expressions
   * Encode two special chars in error.log output
   * Add JIT support for PCRE2
   * Support comments in ipMatchFromFile file via '#' token
   * Use package name libmaxminddb with pkg-config
   * Fix: FILES_TMP_CONTENT collection key should use part name
   * Use AS_HELP_STRING instead of obsolete AC_HELP_STRING macro
   * During configure, do not check for pcre if pcre2 specified
   * Use pkg-config to find libxml2 first
   * Fix two rule-reload memory leak issues
   * Correct whitespace handling for Include directive
   - Fix CVE-2023-28882, a segfault and a resultant crash of a worker process
     in some configurations with certain inputs, boo#1210993

   Update to version 3.0.8

   * Adjust parser activation rules in modsecurity.conf-recommended [#2796]
   * Multipart parsing fixes and new MULTIPART_PART_HEADERS collection [#2795]
   * Prevent LMDB related segfault [#2755, #2761]
   * Fix msc_transaction_cleanup function comment typo [#2788]
   * Fix: MULTIPART_INVALID_PART connected to wrong internal variable [#2785]
   * Restore Unique_id to include random portion after timestamp [#2752,
     #2758]

   Update to version 3.0.7

   * Support PCRE2
   * Support SecRequestBodyNoFilesLimit
   * Add ctl:auditEngine action support
   * Move PCRE2 match block from member variable
   * Add SecArgumentsLimit, 200007 to modsecurity.conf-recommended
   * Fix memory leak when concurrent log includes REMOTE_USER
   * Fix LMDB initialization issues
   * Fix initcol error message wording
   * Tolerate other parameters after boundary in multipart C-T
   * Add DebugLog message for bad pattern in rx operator
   * Fix misuses of LMDB API
   * Fix duplication typo in code comment
   * Fix multiMatch msg, etc, population in audit log
   * Fix some name handling for ARGS_*NAMES: regex SecRuleUpdateTargetById,
     etc.
   * Adjust confusing variable name in setRequestBody method
   * Multipart names/filenames may include single quote if double-quote
     enclosed
   * Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended

   Update to version 3.0.6

   * Security issue: Support configurable limit on depth of JSON parsing,
     possible DoS issue. CVE-2021-42717

   Update to version 3.0.5

   * New: Having ARGS_NAMES, variables proxied
   * Fix: FILES variable does not use multipart part name for key
   * GeoIP: switch to GEOIP_MEMORY_CACHE from GEOIP_INDEX_CACHE
   * Support configurable limit on number of arguments processed
   * Adds support to lua 5.4
   * Add support for new operator rxGlobal
   * Fix: Replaces put with setenv in SetEnv action
   * Fix: Regex key selection should not be case-sensitive
   * Fix: Only delete Multipart tmp files after rules have run
   * Fixed MatchedVar on chained rules
   * Fix IP address logging in Section A
   * Fix: rx: exit after full match (remove /g emulation); ensure capture
     groups occurring after unused groups still populate TX vars
   * Fix rule-update-target for non-regex
   * Fix Security Impacting Issues:
   * Handle URI received with uri-fragment, CVE-2020-15598

   Update to version 3.0.4:

   * Fix: audit log data omitted when nolog,auditlog
   * Fix: ModSecurity 3.x inspectFile operator does not pass
   * XML: Remove error messages from stderr
   * Filter comment or blank line for pmFromFile operator
   * Additional adjustment to Cookie header parsing
   * Restore chained rule part H logging to be more like 2.9 behaviour
   * Small fixes in log messages to help debugging the file upload
   * Fix Cookie header parsing issues
   * Fix rules with nolog are logging to part H
   * Fix argument key-value pair parsing cases
   * Fix: audit log part for response body for JSON format to be E
   * Make sure m_rulesMessages is filled after successful match
   * Fix @pm lookup for possible matches on offset zero.
   * Regex lookup on the key name instead of COLLECTION:key
   * Missing throw in Operator::instantiate
   * Making block action execution dependent of the SecEngine status
   * Having body limits to respect the rule engine state
   * Fix SecRuleUpdateTargetById does not match regular expressions
   * Adds missing check for runtime ctl:ruleRemoveByTag
   * Adds a new operator verifySVNR that checks for Austrian social security
     numbers.
   * Fix variables output in debug logs
   * Correct typo validade in log output
   * fix/minor: Error encoding hexadecimal.
   * Limit more log variables to 200 characters.
   * parser: fix parsed file names
   * Allow empty anchored variable
   * Fixed FILES_NAMES collection after the end of multipart parsing
   * Fixed validateByteRange parsing method
   * Removes a memory leak on the JSON parser
   * Enables LMDB on the regression tests.
   * Fix: Extra whitespace in some configuration directives causing error
   * Refactoring on Regex and SMatch classes.
   * Fixed buffer overflow in Utils::Md5::hexdigest()
   * Implemented merge() method for ConfigInt, ConfigDouble, ConfigString
   * Adds initial support for the drop action.
   * Complete merging of particular rule properties
   * Replaces AC_CHECK_FILE with 'test -f'
   * Fix inet addr handling on 64 bit big endian systems
   * Fix tests on FreeBSD
   * Changes ENV test case to read the default MODSECURITY env var
   * Regression: Sets MODSECURITY env var during the tests execution
   * Fix setenv action to strdup key=variable
   * Allow 0 length JSON requests.
   * Fix "make dist" target to include default configuration
   * Replaced log locking using mutex with fcntl lock
   * Correct the usage of modsecurity::Phases::NUMBER_OF_PHASES
   * Adds support to multiple ranges in ctl:ruleRemoveById
   * Rule variable interpolation broken
   * Make the boundary check less strict as per RFC2046
   * Fix buffer size for utf8toUnicode transformation
   * Fix double macros bug
   * Override the default status code if not suitable to redirect action
   * parser: Fix the support for CRLF configuration files
   * Organizes the server logs
   * m_lineNumber in Rule not mapping with the correct line number in file
   * Using shared_ptr instead of unique_ptr on rules exceptions
   * Changes debuglogs schema to avoid unnecessary str allocation
   * Fix the SecUnicodeMapFile and SecUnicodeCodePage
   * Changes the timing to save the rule message
   * Fix crash in msc_rules_add_file() when using disruptive action in chain
   * Fix memory leak in AuditLog::init()
   * Fix RulesProperties::appendRules()
   * Fix RULE lookup in chained rules
   * @ipMatch "Could not add entry" on slash/32 notation in 2.9.0
   * Using values after transformation at MATCHED_VARS
   * Adds support to UpdateActionById.
   * Add correct C function prototypes for msc_init and msc_create_rule_set
   * Allow LuaJIT 2.1 to be used
   * Match m_id JSON log with RuleMessage and v2 format
   * Adds support to setenv action.
   * Adds new transaction constructor that accepts the transaction id as
     parameter.
   * Adds request IDs and URIs to the debug log
   * Treating variables exception on load-time instead of run time.
   * Fix: function m.setvar in Lua scripts and add testcases
   * Fix SecResponseBodyAccess and ctl:requestBodyAccess directives
   * Fix parser to support GeoLookup with MaxMind
   * parser: Fix simple quote setvar in the end of the line
   * modsec_rules_check: uses the gnu `.la' instead of `.a' file
   * good practices: Initialize variables before using them
   * Fix utf-8 character encoding conversion
   * Adds support for ctl:requestBodyProcessor=URLENCODED
   * Add LUA compatibility for CentOS and try to use LuaJIT first if available
   * Allow LuaJIT to be used
   * Implement support for Lua 5.1
   * Variable names must match fully, not partially. Match should be case
     insensitive.
   * Improves the performance while loading the rules
   * Allow empty strings to be evaluated by regex::searchAll
   * Adds basic pkg-config info
   * Fixed LMDB collection errors
   * Fixed false positive MULTIPART_UNMATCHED_BOUNDARY errors
   * Fix ip tree lookup on netmask content
   * Changes the behavior of the default sec actions
   * Refactoring on {global,ip,resources,session,tx,user} collections
   * Fix race condition in UniqueId::uniqueId()
   * Fix memory leak in error message for msc_rules_merge C APIs
   * Return false in SharedFiles::open() when an error happens
   * Use rvalue reference in ModSecurity::serverLog
   * Build System: Fix when multiple lines for curl version.
   * Checks if response body inspection is enabled before processing it
   * Fix setvar parsing of quoted data
   * Adds time stamp back to the audit logs
   * Disables skip counter if debug log is disabled
   * Cosmetics: Represents amount of skipped rules without decimal
   * Add missing escapeSeqDecode, urlEncode and trimLeft/Right tfns to parser
   * Fix STATUS var parsing and accept STATUS_LINE var for v2 backward comp.
   * Fix memory leak in modsecurity::utils::expandEnv()
   * Initialize m_dtd member in ValidateDTD class as NULL
   * Fix broken @detectxss operator regression test case
   * Fix utils::string::ssplit() to handle delimiter in the end of string
   * Fix variable FILES_TMPNAMES
   * Fix memory leak in Collections
   * Fix lib version information while generating the .so file
   * Adds support for ctl:ruleRemoveByTag
   * Fix SecUploadDir configuration merge
   * Include all prerequisites for "make check" into dist archive
   * Fix: Reverse logic of checking output in @inspectFile
   * Adds support to libMaxMind
   * Adds capture action to detectXSS
   * Temporarily accept invalid MULTIPART_SEMICOLON_MISSING operator
   * Adds capture action to detectSQLi
   * Adds capture action to rbl
   * Adds capture action to verifyCC
   * Adds capture action to verifySSN
   * Adds capture action to verifyCPF
   * Prettier error messages for unsupported configurations (UX)
   * Add missing verify*** transformation statements to parser
   * Fix a set of compilation warnings
   * Check for disruptive action on SecDefaultAction.
   * Fix block-block infinite loop.
   * Correct remove_by_tag and remove_by_msg logic.
   * Fix LMDB compile error
   * Fix msc_who_am_i() to return pointer to a valid C string
   * Added some cosmetics to autoconf related code
   * Fix "make dist" target to include necessary headers for Lua
   * Fix "include /foo/*.conf" for single matched object in directory
   * Add missing Base64 transformation statements to parser
   * Fixed resource load on ip match from file
   * Fixed examples compilation while using disable-shared
   * Fixed compilation issue while xml is disabled
   * Having LDADD and LDFLAGS organized on Makefile.am
   * Checking std::deque size before using it
   * perf improvement: Added the concept of RunTimeString and removed all run
     time parser.
   * perf improvement: Checks debuglog level before format debug msg
   * perf. improvement/rx: Only compute dynamic regex in case of macro
   * Fix uri on the benchmark utility
   * disable Lua on systems with liblua5.1
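
   Several of the entries above (the JSON depth limit behind CVE-2021-42717, the
   argument-count limit and rule 200007 from 3.0.7, SecRequestBodyNoFilesLimit,
   and the TX synonym for MSC_PCRE_LIMITS_EXCEEDED in 3.0.10) are configuration
   knobs that bound how much work a single request can cause. The fragment below
   is an added illustration, not part of this advisory and not a copy of
   ModSecurity's shipped modsecurity.conf-recommended; the directive names are
   the ones the changelog cites, the numeric limits and the rule bodies are
   assumptions chosen for illustration.

```apache
# Added example (not from the advisory). Assumes libmodsecurity >= 3.0.10 as
# shipped by this update; directive names are from the changelog, values are
# illustrative.

# CVE-2021-42717 (3.0.6): without a depth limit, deeply nested JSON bodies
# could exhaust the parser. Bound the nesting depth explicitly.
SecRequestBodyJsonDepthLimit 512

# 3.0.5 / 3.0.7: cap how many request arguments are parsed, and flag requests
# that hit the cap (rule id 200007 is the id the changelog names for this).
SecArgumentsLimit 1000
SecRule &ARGS "@ge 1000" \
    "id:200007,phase:2,t:none,log,deny,status:400,\
    msg:'Failed to fully parse request body due to large argument count',severity:2"

# 3.0.7: separate size limit for request bodies that carry no file uploads.
SecRequestBodyNoFilesLimit 131072

# 3.0.10: MSC_PCRE_LIMITS_EXCEEDED is now reachable under TX, so a generic
# "internal error flagged" rule can deny the request when a PCRE limit fires.
SecRule TX:/^MSC_/ "!@streq 0" \
    "id:200005,phase:2,t:none,deny,\
    msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
```

   The point of the deny rules is that a hit limit is itself a signal: a request
   that overflows the argument or PCRE limits was not fully inspected, so
   passing it through would silently bypass the rule set.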


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP4:

      zypper in -t patch openSUSE-2023-269=1
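
   After patching, the thing to verify is that the installed libmodsecurity3
   build is at or above the fixed build listed in the package list below. The
   script that follows is an added example, not part of the advisory or of
   SUSE's tooling: it compares RPM-style version-release strings with a
   simplified field-by-field comparison (an assumption standing in for the full
   rpmvercmp algorithm) and, when invoked with `--check`, queries `rpm` for the
   live package.

```sh
#!/bin/sh
# Added example, not part of the openSUSE advisory. Checks whether the
# installed libmodsecurity3 is older than the fixed build from this update.

FIXED_VERSION="3.0.10-bp154.2.3.1"   # fixed build named in the advisory's package list

# compare_fields A B: print -1, 0 or 1 as A <, =, > B, comparing dot-separated
# fields numerically when both are numeric and lexically otherwise. This is a
# simplified stand-in for rpmvercmp, sufficient for the version strings here.
compare_fields() {
    awk -v x="$1" -v y="$2" 'BEGIN {
        na = split(x, a, "."); nb = split(y, b, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? a[i] : ""; q = (i <= nb) ? b[i] : ""
            if (p == q) continue
            if (p == "") { r = -1 } else if (q == "") { r = 1 }
            else if (p ~ /^[0-9]+$/ && q ~ /^[0-9]+$/) { r = (p + 0 < q + 0) ? -1 : 1 }
            else { r = (p < q) ? -1 : 1 }
            print r; exit
        }
        print 0
    }'
}

# compare_vr A B: compare "version-release" strings; version first, then release.
compare_vr() {
    a_ver=${1%%-*}; a_rel=${1#*-}; [ "$a_rel" = "$1" ] && a_rel=""
    b_ver=${2%%-*}; b_rel=${2#*-}; [ "$b_rel" = "$2" ] && b_rel=""
    r=$(compare_fields "$a_ver" "$b_ver")
    if [ "$r" != 0 ]; then echo "$r"; return 0; fi
    compare_fields "$a_rel" "$b_rel"
}

# needs_update INSTALLED: success (0) when INSTALLED is older than FIXED_VERSION.
needs_update() {
    [ "$(compare_vr "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Live query of the installed package (RPM-based systems only).
installed_version() {
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' libmodsecurity3 2>/dev/null
}

main() {
    v=$(installed_version) || { echo "libmodsecurity3 is not installed"; return 2; }
    if needs_update "$v"; then
        echo "libmodsecurity3 $v is older than $FIXED_VERSION:"
        echo "  apply the patch with: zypper in -t patch openSUSE-2023-269=1"
        return 1
    fi
    echo "libmodsecurity3 $v is at or above $FIXED_VERSION"
}

# Only run the live check when asked, so the functions can be sourced or tested.
case "${1:-}" in --check) main ;; esac
```

   Run it as `sh check-modsecurity.sh --check` on the host; exit status 1 means
   the package still predates the fix. Because version strings are compared
   field by field, a later rebuild such as bp154.2.3.2 is correctly treated as
   already fixed.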



Package List:

   - openSUSE Backports SLE-15-SP4 (aarch64 i586 ppc64le s390x x86_64):

      libmodsecurity3-3.0.10-bp154.2.3.1
      modsecurity-3.0.10-bp154.2.3.1
      modsecurity-devel-3.0.10-bp154.2.3.1

   - openSUSE Backports SLE-15-SP4 (aarch64_ilp32):

      libmodsecurity3-64bit-3.0.10-bp154.2.3.1

   - openSUSE Backports SLE-15-SP4 (x86_64):

      libmodsecurity3-32bit-3.0.10-bp154.2.3.1


References:

   https://www.suse.com/security/cve/CVE-2020-15598.html
   https://www.suse.com/security/cve/CVE-2021-42717.html
   https://www.suse.com/security/cve/CVE-2023-28882.html
   https://www.suse.com/security/cve/CVE-2023-38285.html
   https://bugzilla.suse.com/1210993
   https://bugzilla.suse.com/1213702

September 26, 2023