Debian Security Advisory DSA 2659-1 (libapache-mod-security - XML external entity processing vulnerability)

Information

Severity

High

Family

Debian Local Security Checks

CVSSv2 Base

7.5

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Solution Type

Vendor Patch

Created

9 years ago

Modified

6 months ago

Summary

Timur Yunusov and Alexey Osipov from Positive Technologies discovered that the XML file parser of ModSecurity, an Apache module whose purpose is to tighten web application security, is vulnerable to XML external entity (XXE) attacks. A specially crafted XML file provided by a remote attacker could lead to local file disclosure or excessive resource (CPU, memory) consumption when processed. This update introduces a SecXmlExternalEntity option, which is Off by default; in that setting it disables the ability of libxml2 to load external entities.

Affected Software

libapache-mod-security on Debian Linux

Detection Method

This check tests the installed software version using the apt package manager.

Solution

For the stable distribution (squeeze), this problem has been fixed in version 2.5.12-1+squeeze2. For the testing distribution (wheezy), this problem has been fixed in version 2.6.6-6 of the modsecurity-apache package. For the unstable distribution (sid), this problem has been fixed in version 2.6.6-6 of the modsecurity-apache package. We recommend that you upgrade your libapache-mod-security packages.

Common Vulnerabilities and Exposures (CVE)
