Message-ID: <CAHQz1rLDkYvtVu6PnfS=4HoE8c+Tb4PAAp-COJdOB7HW35-_ug@mail.gmail.com>
Date: Tue, 9 Apr 2013 10:43:48 -0300
From: Breno Silva <breno.silva@...il.com>
To: Athmane Madjoudj <athmanem@...il.com>
Cc: Jan Lieskovsky <jlieskov@...hat.com>, "Steven M. Christey" <coley@...us.mitre.org>, 
	oss-security@...ts.openwall.com
Subject: Re: Re: CVE Request -- ModSecurity (X < 2.7.3):
 Vulnerable to XXE attacks

Good. Do you have any idea when it will be available for users?

The guy who discovered it wants to write a blog post with details. So I asked
him to wait at least until we have some packages backported.

Thanks

Breno


On Tue, Apr 9, 2013 at 10:41 AM, Athmane Madjoudj <athmanem@...il.com> wrote:

> On Tue, Apr 09, 2013 at 05:26:42AM -0400, Jan Lieskovsky wrote:
> > Hi Breno,
> >
> >   (Cc-ing Athmane on this due to reasons which will become obvious below).
> >
> >   thank you for checking with us.
> >
> > AFAICT to fix this in Fedora and Fedora EPEL-6 versions, we have
> > just rebased to latest upstream 2.7.3 version. But you are truly
> > right (assuming this being the reason you are checking with us),
> > that on Fedora EPEL-5 we are shipping older (2.6.8 based version
> > of ModSecurity).
> >
> > FWIHL:
> >   [1] https://bugzilla.redhat.com/show_bug.cgi?id=947842#c1
> >
> <...snip...>
>
> Hi,
>
> I forgot to mention in the bug report that an EPEL5 update which still uses
> the 2.6.8 release (libxml2 in el5 is too old) is scheduled with a backported
> patch just like with CVE-2012-4528.
>
> Thanks.
>
> -- Athmane, Fedora / EPEL mod_security maintainer
>
