XPost: linux.debian.devel.release   
   From: tobi@debian.org   
      
   Of course I've forgotten to attach the debdiff…
      
   diff -Nru modsecurity-crs-3.3.4/debian/changelog modsecurity-crs   
   3.3.4/debian/changelog   
   --- modsecurity-crs-3.3.4/debian/changelog 2026-01-10 17:35:44.000000000 +0100   
   +++ modsecurity-crs-3.3.4/debian/changelog 2026-02-22 09:39:48.000000000 +0100   
   @@ -1,6 +1,15 @@   
   +modsecurity-crs (3.3.4-1+deb12u2) bookworm; urgency=medium   
   +   
   + * Non-maintainer upload for the LTS team, targeting o-s-p-u.   
   + * Backported from upstream 3.3.5:   
   + - CVE-2023-38199 - WAF bypass (Closes: #1041109)   
   + * Enable salsa-ci.   
   +   
   + -- Tobias Frost Sun, 22 Feb 2026 09:39:48 +0100   
   +   
    modsecurity-crs (3.3.4-1+deb12u1) bookworm-security; urgency=medium   
      
   - * Fixes CVE-2025-21876 (Closes: #1125084)   
   + * Fixes CVE-2026-21876 (Closes: #1125084)   
      
    -- Ervin Hegedüs Sat, 10 Jan 2026 17:35:44 +0100   
      
   diff -Nru modsecurity-crs-3.3.4/debian/patches/CVE-2023-38199.patch   
   modsecurity-crs-3.3.4/debian/patches/CVE-2023-38199.patch   
   --- modsecurity-crs-3.3.4/debian/patches/CVE-2023-38199.patch 1970-01-01   
   01:00:00.000000000 +0100   
   +++ modsecurity-crs-3.3.4/debian/patches/CVE-2023-38199.patch 2026-02-17   
   20:38:44.000000000 +0100   
   @@ -0,0 +1,83 @@   
   +Description: CVE-2023-38199 - WAF bypass   
   +Origin: https://github.com/coreruleset/coreruleset/pull/3253   
   +Origin: (backported from:) https://github.com/coreruleset/corer   
   leset/pull/3237   
   +Bug: https://github.com/coreruleset/coreruleset/issues/3191   
   +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041109   
   +   
   +From 621600fbfcb88c51cc4beaddcc6896d1b837d23f Mon Sep 17 00:00:00 2001   
   +From: Felipe Zipitria    
   +Date: Mon, 17 Jul 2023 22:51:53 +0200   
   +Subject: [PATCH] feat: new rule 920620   
   +   
   +Signed-off-by: Felipe Zipitria    
   +---   
   + rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf | 31 +++++++++++++++++++   
   + .../920620.yaml | 17 ++++++++++   
   + 2 files changed, 48 insertions(+)   
   + create mode 100644 tests/regression/tests/REQUEST-920-PROTOCOL   
   ENFORCEMENT/920620.yaml   
   +   
   +diff --git a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf b/rule   
   /REQUEST-920-PROTOCOL-ENFORCEMENT.conf   
   +index 6aae1a99a0..4e3ca293b5 100644   
   +--- a/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf   
   ++++ b/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf   
   +@@ -1161,6 +1161,37 @@ SecRule REQUEST_HEADERS:Accept "!@rx ^(?   
   (?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:   
   + severity:'CRITICAL',\   
   + setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"   
   +   
   ++#   
   ++# The following rule (920620) checks for the presence of 2 or more request   
   Content-Type headers.   
   ++# Content-Type confusion poses a significant security risk to a web   
   application. It occurs when   
   ++# the server and client have different interpretations of the Content-Type   
   header, leading to   
   ++# miscommunication, potential exploitation and WAF bypass.   
   ++#   
   ++# Using Apache, when multiple Content-Type request headers are received, the   
   server combines them   
   ++# into a single header with the values separated by commas. For example, if   
   a client sends multiple   
   ++# Content-Type headers with values "application/json" and "text/plain",   
   Apache will combine them   
   ++# into a single header like this: "Content-Type: application/json,   
   text/plain".   
   ++#   
   ++# On the other hand, Nginx handles multiple Content-Type headers   
   differently. It preserves each   
   ++# header as a separate entity without combining them. So, if a client sends   
   multiple Content-Type   
   ++# headers, Nginx will keep them separate, maintaining the original values.   
   ++#   
   ++SecRule &REQUEST_HEADERS:Content-Type "@gt 1" \   
   ++ "id:920620,\   
   ++ phase:1,\   
   ++ block,\   
   ++ t:none,\   
   ++ msg:'Multiple Content-Type Request Headers',\   
   ++ logdata:'%{MATCHED_VAR}',\   
   ++ tag:'application-multi',\   
   ++ tag:'language-multi',\   
   ++ tag:'platform-multi',\   
   ++ tag:'attack-protocol',\   
   ++ tag:'paranoia-level/1',\   
   ++ tag:'OWASP_CRS',\   
   ++ ver:'OWASP_CRS/3.3.4',\   
   ++ severity:'CRITICAL',\   
   ++ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"   
   +   
   + SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:920013,phase:1   
   pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"   
   + SecRule TX:EXECUTING_PARANOIA_LEVEL "@lt 2" "id:920014,phase:2   
   pass,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"   
   +diff --git a/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORC   
   MENT/920620.yaml b/tests/regression/tests/REQUEST-920-PROTOCOL-E   
   FORCEMENT/920620.yaml   
   +new file mode 100644   
   +index 0000000000..7fa4b050ca   
   +--- /dev/null   
   ++++ b/tests/regression/tests/REQUEST-920-PROTOCOL-ENFORCEMENT/920620.yaml   
   +@@ -0,0 +1,17 @@   
   ++---   
   ++meta:   
   ++ author: "Andrea (theMiddle) Menin"   
   ++ enabled: false   
   ++ name: "920620.yaml"   
   ++ description: "Tests for 920620"   
   ++tests:   
   ++ - test_title: 920620-1   
   ++ desc: Multiple Content-Type request headers   
   ++ stages:   
   ++ - stage:   
   ++ input:   
   ++ dest_addr: "127.0.0.1"   
   ++ port: 80   
   ++ encoded_request: "R0VUIC9nZXQgSFRUUC8xLjENCkhvc3Q6   
   GxvY2FsaG9zdA0KVXNlci1BZ2VudDogT1dBU1AgQ1JTIHRlc3QgYWdlbnQNCkFjY   
   VwdDogdGV4dC94bWwsYXBwbGljYXRpb24veG1sLGFwcGxpY2F0aW9uL3hodG1sK3   
   tbCx0ZXh0L2h0bWw7cT0wLjksdGV4dC9wbGFpbjtxPTAuOCxpbWFnZS9wbmc   
   sKi8qO3E9MC41DQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL2pzb24NCkNvbnR   
   bnQtVHlwZTogYXBwbGljYXRpb24veG1sDQoNCg=="   
   ++ output:   
   ++ log_contains: "id \"920620\""   
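Review bot: The new rule at `SecRule &REQUEST_HEADERS:Content-Type "@gt 1"` counts header instances, yet the comment block directly above it states that Apache folds repeated Content-Type headers into a single comma-separated header; if that description holds, the count behind Apache stays at 1 and the rule never fires on the very scenario it documents, so only deployments that keep the headers separate (the nginx case in the same comment) are covered as written. For the merged-header case a second check on the value is needed, e.g. a chained `SecRule REQUEST_HEADERS:Content-Type "@rx ,"`, with the caveat that RFC 2046 allows a comma inside a multipart boundary parameter, so the pattern should exclude a comma that sits inside the quoted boundary value before it blocks at paranoia level 1. The regression test added at the end of the hunk carries `enabled: false`, so the suite does not exercise the backported rule at all and an Apache-side gap would go unnoticed; if it is disabled precisely because the rule does not trigger under Apache, a one-line comment above `enabled: false` saying so would save the next maintainer the investigation. The base64 request in that test also appears wrapped by the mail gateway, so it should be checked against the upstream file before the patch is applied.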
   diff -Nru modsecurity-crs-3.3.4/debian/patches/series modsecurit   
   -crs-3.3.4/debian/patches/series   
   --- modsecurity-crs-3.3.4/debian/patches/series 2026-01-10 17:35:44.000000000   
   +0100   
   +++ modsecurity-crs-3.3.4/debian/patches/series 2026-02-22 09:39:48.000000000   
   +0100   
   @@ -1,2 +1,3 @@   
    fix_paths   
    cve-2026-21876.patch   
   +CVE-2023-38199.patch   
      
   [continued in next message]   
      