Vulnerability from csaf_opensuse
Published
2023-09-25 22:01
Modified
2023-09-25 22:01
Summary
Security update for modsecurity
Notes
Title of the patch
Security update for modsecurity
Description of the patch
This update for modsecurity fixes the following issues:
Update to version 3.0.10:
* Security impacting issue (fix boo#1213702, CVE-2023-38285)
- Fix: worst-case time in implementation of four transformations
- Additional information on this issue is available at
https://www.trustwave.com/resources/blogs/spiderlabs-blog/modsecurity-v3-dos-vulnerability-in-four-transformations-cve-2023-38285/
* Enhancements and bug fixes
- Add TX synonym for MSC_PCRE_LIMITS_EXCEEDED
- Make MULTIPART_PART_HEADERS accessible to lua
- Fix: Lua scripts cannot read whole collection at once
- Fix: quoted Include config with wildcard
- Support isolated PCRE match limits
- Fix: meta actions not applied if multiMatch in first rule of chain
- Fix: audit log may omit tags when multiMatch
- Exclude CRLF from MULTIPART_PART_HEADER value
- Configure: use AS_ECHO_N instead of echo -n
- Adjust position of memset from 2890
Update to version 3.0.9:
* Add some member variable inits in Transaction class (possible segfault)
* Fix: possible segfault on reload if duplicate ip+CIDR in ip match list
* Resolve memory leak on reload (bison-generated variable)
* Support equals sign in XPath expressions
* Encode two special chars in error.log output
* Add JIT support for PCRE2
* Support comments in ipMatchFromFile file via '#' token
* Use package name libmaxminddb with pkg-config
* Fix: FILES_TMP_CONTENT collection key should use part name
* Use AS_HELP_STRING instead of obsolete AC_HELP_STRING macro
* During configure, do not check for pcre if pcre2 specified
* Use pkg-config to find libxml2 first
* Fix two rule-reload memory leak issues
* Correct whitespace handling for Include directive
- Fix CVE-2023-28882, a segfault and a resultant crash of a worker process in some configurations with certain inputs (boo#1210993)
Update to version 3.0.8:
* Adjust parser activation rules in modsecurity.conf-recommended [#2796]
* Multipart parsing fixes and new MULTIPART_PART_HEADERS collection [#2795]
* Prevent LMDB related segfault [#2755, #2761]
* Fix msc_transaction_cleanup function comment typo [#2788]
* Fix: MULTIPART_INVALID_PART connected to wrong internal variable [#2785]
* Restore Unique_id to include random portion after timestamp [#2752, #2758]
Update to version 3.0.7:
* Support PCRE2
* Support SecRequestBodyNoFilesLimit
* Add ctl:auditEngine action support
* Move PCRE2 match block from member variable
* Add SecArgumentsLimit, 200007 to modsecurity.conf-recommended
* Fix memory leak when concurrent log includes REMOTE_USER
* Fix LMDB initialization issues
* Fix initcol error message wording
* Tolerate other parameters after boundary in multipart C-T
* Add DebugLog message for bad pattern in rx operator
* Fix misuses of LMDB API
* Fix duplication typo in code comment
* Fix multiMatch msg, etc, population in audit log
* Fix some name handling for ARGS_*NAMES: regex SecRuleUpdateTargetById, etc.
* Adjust confusing variable name in setRequestBody method
* Multipart names/filenames may include single quote if double-quote enclosed
* Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended
Update to version 3.0.6:
* Security issue: support a configurable limit on the depth of JSON parsing; unbounded nesting depth was a possible DoS (CVE-2021-42717)
Update to version 3.0.5:
* New: ARGS_NAMES variables are proxied
* Fix: FILES variable does not use multipart part name for key
* GeoIP: switch to GEOIP_MEMORY_CACHE from GEOIP_INDEX_CACHE
* Support configurable limit on number of arguments processed
* Adds support for Lua 5.4
* Add support for new operator rxGlobal
* Fix: Replaces put with setenv in SetEnv action
* Fix: Regex key selection should not be case-sensitive
* Fix: Only delete Multipart tmp files after rules have run
* Fixed MatchedVar on chained rules
* Fix IP address logging in Section A
* Fix: rx: exit after full match (remove /g emulation); ensure capture groups occurring after unused groups still populate TX vars
* Fix rule-update-target for non-regex
* Fix security impacting issue: handle a URI received with a URI fragment (CVE-2020-15598)
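The request-size limits introduced across 3.0.5, 3.0.6 and 3.0.7 (SecArgumentsLimit together with rule 200007, SecRequestBodyJsonDepthLimit, SecRequestBodyNoFilesLimit) only protect a deployment if they are actually present in the configuration, and since 3.0.4 body limits respect the rule engine state, so a DetectionOnly engine logs limit violations instead of rejecting the request. The script below is an added example for auditing a libmodsecurity configuration for exactly those directives; it is not part of this advisory or of ModSecurity. The recommended values 1000, 512 and 131072 are assumed from upstream's modsecurity.conf-recommended (the advisory names no values), and the sample configuration is constructed.

```python
"""Audit a libmodsecurity v3 configuration for the DoS-limiting directives that
the 3.0.5 - 3.0.7 changelog entries introduce. Added example, not ModSecurity code."""
import re
from typing import Dict, List, Tuple

# directive -> (version that introduced it per the changelog, value assumed from
# upstream's modsecurity.conf-recommended; the advisory itself names no values)
LIMITS: Dict[str, Tuple[str, int]] = {
    "SecArgumentsLimit": ("3.0.5", 1000),
    "SecRequestBodyJsonDepthLimit": ("3.0.6", 512),
    "SecRequestBodyNoFilesLimit": ("3.0.7", 131072),
}

# Constructed sample config: one limit missing, one too loose, engine not enforcing.
SAMPLE_CONF = """\
# constructed sample, loosely modelled on modsecurity.conf-recommended
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecArgumentsLimit 1000
SecRule &ARGS "@ge 1000" \\
    "id:'200007', phase:2,t:none,log,deny,status:400,msg:'Failed to fully parse request body due to large argument count'"
SecRequestBodyNoFilesLimit 1048576
"""


def logical_lines(text: str) -> List[str]:
    """Join backslash-continued lines and drop comments and blank lines, so each
    returned string is one Apache-style directive with all of its arguments."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf.rstrip())
    return out


def audit(text: str) -> Dict[str, str]:
    """Return finding -> explanation. An empty dict means every limit is present,
    numeric, no looser than the recommended value, backed by rule 200007, and
    the engine is On."""
    seen: Dict[str, str] = {}
    engine = None
    has_rule_200007 = False
    wanted = {d.lower(): d for d in LIMITS}
    for line in logical_lines(text):
        parts = line.split(None, 1)
        key = parts[0].lower()              # directive names are case-insensitive
        rest = parts[1].strip() if len(parts) > 1 else ""
        if key == "secruleengine":
            engine = rest
        elif key == "secrule" and re.search(r"\bid:'?200007'?(?!\d)", rest):
            has_rule_200007 = True
        elif key in wanted:
            seen[wanted[key]] = rest
    findings: Dict[str, str] = {}
    for name, (since, recommended) in LIMITS.items():
        if name not in seen:
            findings[name] = f"not set (available since {since}; recommended {recommended})"
        elif not seen[name].isdigit():
            findings[name] = f"non-numeric value {seen[name]!r}"
        elif int(seen[name]) > recommended:
            findings[name] = f"{seen[name]} is looser than the recommended {recommended}"
    if "SecArgumentsLimit" in seen and not has_rule_200007:
        findings["rule 200007"] = ("SecArgumentsLimit only stops parsing extra arguments; "
                                   "the recommended rule 200007 (&ARGS @ge limit, deny) is missing")
    if engine is not None and engine.lower() != "on":
        findings["SecRuleEngine"] = (f"{engine}: body limits respect the engine state, "
                                     "so violations are logged but not rejected")
    return findings


if __name__ == "__main__":
    for finding, why in audit(SAMPLE_CONF).items():
        print(f"{finding}: {why}")
```

Run against the constructed sample it reports the missing JSON depth limit, the loose no-files limit and the DetectionOnly engine; point `audit()` at the contents of a real modsecurity.conf (and any files it includes) to check a deployment.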
Update to version 3.0.4:
* Fix: audit log data omitted when nolog,auditlog
* Fix: ModSecurity 3.x inspectFile operator does not pass
* XML: Remove error messages from stderr
* Filter comment or blank line for pmFromFile operator
* Additional adjustment to Cookie header parsing
* Restore chained rule part H logging to be more like 2.9 behaviour
* Small fixes in log messages to help debugging the file upload
* Fix Cookie header parsing issues
* Fix rules with nolog are logging to part H
* Fix argument key-value pair parsing cases
* Fix: audit log part for response body for JSON format to be E
* Make sure m_rulesMessages is filled after successful match
* Fix @pm lookup for possible matches on offset zero.
* Regex lookup on the key name instead of COLLECTION:key
* Missing throw in Operator::instantiate
* Make block action execution dependent on the SecEngine status
* Make body limits respect the rule engine state
* Fix SecRuleUpdateTargetById does not match regular expressions
* Adds missing check for runtime ctl:ruleRemoveByTag
* Adds a new operator verifySVNR that checks for Austrian social security numbers.
* Fix variables output in debug logs
* Correct typo validade in log output
* fix/minor: error encoding hexadecimal.
* Limit more log variables to 200 characters.
* parser: fix parsed file names
* Allow empty anchored variable
* Fixed FILES_NAMES collection after the end of multipart parsing
* Fixed validateByteRange parsing method
* Removes a memory leak on the JSON parser
* Enables LMDB on the regression tests.
* Fix: Extra whitespace in some configuration directives causing error
* Refactoring on Regex and SMatch classes.
* Fixed buffer overflow in Utils::Md5::hexdigest()
* Implemented merge() method for ConfigInt, ConfigDouble, ConfigString
* Adds initial support for the drop action.
* Complete merging of particular rule properties
* Replaces AC_CHECK_FILE with 'test -f'
* Fix inet addr handling on 64 bit big endian systems
* Fix tests on FreeBSD
* Changes ENV test case to read the default MODSECURITY env var
* Regression: Sets MODSECURITY env var during the tests execution
* Fix setenv action to strdup key=variable
* Allow 0 length JSON requests.
* Fix 'make dist' target to include default configuration
* Replaced log locking using mutex with fcntl lock
* Correct the usage of modsecurity::Phases::NUMBER_OF_PHASES
* Adds support for multiple ranges in ctl:ruleRemoveById
* Rule variable interpolation broken
* Make the boundary check less strict as per RFC2046
* Fix buffer size for utf8toUnicode transformation
* Fix double macros bug
* Override the default status code if not suitable to redirect action
* parser: Fix the support for CRLF configuration files
* Organizes the server logs
* m_lineNumber in Rule not mapping with the correct line number in file
* Using shared_ptr instead of unique_ptr on rules exceptions
* Changes debuglogs schema to avoid unnecessary str allocation
* Fix the SecUnicodeMapFile and SecUnicodeCodePage
* Changes the timing to save the rule message
* Fix crash in msc_rules_add_file() when using disruptive action in chain
* Fix memory leak in AuditLog::init()
* Fix RulesProperties::appendRules()
* Fix RULE lookup in chained rules
* @ipMatch 'Could not add entry' on slash/32 notation in 2.9.0
* Using values after transformation at MATCHED_VARS
* Adds support for UpdateActionById.
* Add correct C function prototypes for msc_init and msc_create_rule_set
* Allow LuaJIT 2.1 to be used
* Match m_id JSON log with RuleMessage and v2 format
* Adds support for the setenv action.
* Adds new transaction constructor that accepts the transaction id as parameter.
* Adds request IDs and URIs to the debug log
* Handle variable exceptions at load time instead of run time.
* Fix: function m.setvar in Lua scripts and add testcases
* Fix SecResponseBodyAccess and ctl:requestBodyAccess directives
* Fix parser to support GeoLookup with MaxMind
* parser: Fix simple quote setvar in the end of the line
* modsec_rules_check: uses the gnu `.la' instead of `.a' file
* good practices: initialize variables before using them
* Fix utf-8 character encoding conversion
* Adds support for ctl:requestBodyProcessor=URLENCODED
* Add LUA compatibility for CentOS and try to use LuaJIT first if available
* Allow LuaJIT to be used
* Implement support for Lua 5.1
* Variable names must match fully, not partially. Match should be case insensitive.
* Improves the performance while loading the rules
* Allow empty strings to be evaluated by regex::searchAll
* Adds basic pkg-config info
* Fixed LMDB collection errors
* Fixed false positive MULTIPART_UNMATCHED_BOUNDARY errors
* Fix ip tree lookup on netmask content
* Changes the behavior of the default sec actions
* Refactoring on {global,ip,resources,session,tx,user} collections
* Fix race condition in UniqueId::uniqueId()
* Fix memory leak in error message for msc_rules_merge C APIs
* Return false in SharedFiles::open() when an error happens
* Use rvalue reference in ModSecurity::serverLog
* Build System: Fix when multiple lines for curl version.
* Checks whether response body inspection is enabled before processing it
* Fix setvar parsing of quoted data
* Adds time stamp back to the audit logs
* Disables skip counter if debug log is disabled
* Cosmetics: Represents amount of skipped rules without decimal
* Add missing escapeSeqDecode, urlEncode and trimLeft/Right tfns to parser
* Fix STATUS var parsing and accept STATUS_LINE var for v2 backward comp.
* Fix memory leak in modsecurity::utils::expandEnv()
* Initialize m_dtd member in ValidateDTD class as NULL
* Fix broken @detectxss operator regression test case
* Fix utils::string::ssplit() to handle delimiter in the end of string
* Fix variable FILES_TMPNAMES
* Fix memory leak in Collections
* Fix lib version information while generating the .so file
* Adds support for ctl:ruleRemoveByTag
* Fix SecUploadDir configuration merge
* Include all prerequisites for 'make check' into dist archive
* Fix: Reverse logic of checking output in @inspectFile
* Adds support for libMaxMind
* Adds capture action to detectXSS
* Temporarily accept invalid MULTIPART_SEMICOLON_MISSING operator
* Adds capture action to detectSQLi
* Adds capture action to rbl
* Adds capture action to verifyCC
* Adds capture action to verifySSN
* Adds capture action to verifyCPF
* Prettier error messages for unsupported configurations (UX)
* Add missing verify*** transformation statements to parser
* Fix a set of compilation warnings
* Check for disruptive action on SecDefaultAction.
* Fix block-block infinite loop.
* Correct remove_by_tag and remove_by_msg logic.
* Fix LMDB compile error
* Fix msc_who_am_i() to return pointer to a valid C string
* Added some cosmetics to autoconf related code
* Fix 'make dist' target to include necessary headers for Lua
* Fix 'include /foo/*.conf' for single matched object in directory
* Add missing Base64 transformation statements to parser
* Fixed resource load on ip match from file
* Fixed examples compilation while using disable-shared
* Fixed compilation issue while xml is disabled
* Having LDADD and LDFLAGS organized on Makefile.am
* Check std::deque size before using it
* perf improvement: add the concept of RunTimeString and remove all run-time parsing.
* perf improvement: Checks debuglog level before format debug msg
* perf. improvement/rx: Only compute dynamic regex in case of macro
* Fix uri on the benchmark utility
* disable Lua on systems with liblua5.1
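Four CVEs are closed by this update, each in a different upstream release (3.0.5, 3.0.6, 3.0.9 and 3.0.10), so on a host that was not at 3.0.10-bp154.2.3.1 the question is which of them the installed build still lacked. The script below is an added example, not part of the advisory or of ModSecurity: it maps each CVE to the version that fixed it according to the changelog above, queries rpm for the installed upstream version, and compares versions with a simplified re-implementation of rpm's rpmvercmp ordering (tilde and caret handling omitted).

```python
"""Report which CVEs from this advisory an installed libmodsecurity3 still
lacks, by comparing its upstream version with the version that fixed each.
Added example, not part of the advisory or of ModSecurity."""
import re
import subprocess
from typing import List, Optional

# upstream version that first fixed each CVE, taken from the changelog above
FIXED_IN = {
    "CVE-2023-38285": "3.0.10",   # worst-case time in four transformations
    "CVE-2023-28882": "3.0.9",    # worker segfault on certain inputs
    "CVE-2021-42717": "3.0.6",    # unbounded JSON parsing depth
    "CVE-2020-15598": "3.0.5",    # URI received with a URI fragment
}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare version strings the way rpm's rpmvercmp does, simplified: split
    into numeric and alphabetic segments, compare numbers numerically and
    letters lexically, a numeric segment outranks an alphabetic one, and when
    one side runs out of segments the longer string is newer. Tilde and caret
    handling is omitted. Returns -1, 0 or 1."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        xnum, ynum = x.isdigit(), y.isdigit()
        if xnum and ynum:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif xnum != ynum:
            return 1 if xnum else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def unfixed_cves(version: str) -> List[str]:
    """CVEs from the advisory whose fix the given upstream version predates."""
    return [cve for cve, fixed in FIXED_IN.items() if rpmvercmp(version, fixed) < 0]


def installed_version(package: str = "libmodsecurity3") -> Optional[str]:
    """Upstream version of an installed RPM, or None if rpm is unavailable or
    the package is not installed. This is the only function that touches the system."""
    try:
        proc = subprocess.run(["rpm", "-q", "--qf", "%{VERSION}", package],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return proc.stdout.strip() if proc.returncode == 0 else None


if __name__ == "__main__":
    current = installed_version()
    if current is None:
        print("libmodsecurity3 is not installed (or rpm is unavailable)")
    else:
        missing = unfixed_cves(current)
        status = "all four CVEs fixed" if not missing else "still unfixed: " + ", ".join(missing)
        print(f"libmodsecurity3 {current}: {status}")
```

Comparing the upstream version alone is enough for this advisory because the fix is a wholesale move to 3.0.10, but in general distributions backport fixes without bumping the upstream version, so the authoritative check on openSUSE is whether the patch itself is installed (`zypper info -t patch openSUSE-2023-269`), not the version string.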
Patchnames
openSUSE-2023-269
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
CSAF document fields
The machine-readable openSUSE-SU-2023:0269-1 CSAF 2.0 document carries the following fields; its notes block repeats the summary, description, patch name and terms of use rendered above.
Category: csaf_security_advisory, CSAF version 2.0, language en
Title: Security update for modsecurity
Aggregate severity: moderate (rating scale: https://www.suse.com/support/security/rating/)
Distribution: TLP:WHITE (https://www.first.org/tlp/); Copyright 2024 SUSE LLC. All rights reserved.
Publisher: SUSE Product Security Team (vendor), https://www.suse.com/, contact https://www.suse.com/support/security/contact/
Tracking
ID: openSUSE-SU-2023:0269-1
Status: final, version 1
Initial release date: 2023-09-25T22:01:56Z
Current release date: 2023-09-25T22:01:56Z
Revision history: 1, 2023-09-25T22:01:56Z, Current version
Generator: cve-database.git:bin/generate-csaf.pl version 1, run 2023-09-25T22:01:56Z
References
SUSE ratings: https://www.suse.com/support/security/rating/
URL of this CSAF notice: https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2023_0269-1.json
URL and e-mail link for openSUSE-SU-2023:0269-1: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/ILAHCTDLNZCBSVGSQN2ZDHVDHYE2OZ2N/
SUSE Bug 1210993: https://bugzilla.suse.com/1210993
SUSE Bug 1213702: https://bugzilla.suse.com/1213702
SUSE CVE CVE-2020-15598 page: https://www.suse.com/security/cve/CVE-2020-15598/
SUSE CVE CVE-2021-42717 page: https://www.suse.com/security/cve/CVE-2021-42717/
SUSE CVE CVE-2023-28882 page: https://www.suse.com/security/cve/CVE-2023-28882/
SUSE CVE CVE-2023-38285 page: https://www.suse.com/security/cve/CVE-2023-38285/
Product tree
Vendor: SUSE; product family: SUSE Linux Enterprise
Products: SUSE Package Hub 15 SP4; openSUSE Leap 15.4 (cpe:/o:opensuse:leap:15.4)
Fixed package builds (all at version 3.0.10-bp154.2.3.1), by architecture:
aarch64: libmodsecurity3, modsecurity, modsecurity-devel
aarch64_ilp32: libmodsecurity3-64bit
i586: libmodsecurity3, modsecurity, modsecurity-devel
ppc64le: libmodsecurity3, modsecurity, modsecurity-devel
s390x: libmodsecurity3, modsecurity, modsecurity-devel
x86_64: libmodsecurity3, libmodsecurity3-32bit, modsecurity, modsecurity-devel
Relationships (category default_component_of; each package listed as a component of SUSE Package Hub 15 SP4)
libmodsecurity3-3.0.10-bp154.2.3.1.aarch64
libmodsecurity3-3.0.10-bp154.2.3.1.i586
libmodsecurity3-3.0.10-bp154.2.3.1.ppc64le
libmodsecurity3-3.0.10-bp154.2.3.1.s390x
libmodsecurity3-3.0.10-bp154.2.3.1.x86_64
libmodsecurity3-32bit-3.0.10-bp154.2.3.1.x86_64
libmodsecurity3-64bit-3.0.10-bp154.2.3.1.aarch64_ilp32
modsecurity-3.0.10-bp154.2.3.1.aarch64
modsecurity-3.0.10-bp154.2.3.1.i586
modsecurity-3.0.10-bp154.2.3.1.ppc64le
modsecurity-3.0.10-bp154.2.3.1.s390x
modsecurity-3.0.10-bp154.2.3.1.x86_64
modsecurity-devel-3.0.10-bp154.2.3.1.aarch64
modsecurity-devel-3.0.10-bp154.2.3.1.i586
modsecurity-devel-3.0.10-bp154.2.3.1.ppc64le as component of
SUSE Package Hub 15 SP4", product_id: "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.ppc64le", }, product_reference: "modsecurity-devel-3.0.10-bp154.2.3.1.ppc64le", relates_to_product_reference: "SUSE Package Hub 15 SP4", }, { category: "default_component_of", full_product_name: { name: "modsecurity-devel-3.0.10-bp154.2.3.1.s390x as component of SUSE Package Hub 15 SP4", product_id: "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.s390x", }, product_reference: "modsecurity-devel-3.0.10-bp154.2.3.1.s390x", relates_to_product_reference: "SUSE Package Hub 15 SP4", }, { category: "default_component_of", full_product_name: { name: "modsecurity-devel-3.0.10-bp154.2.3.1.x86_64 as component of SUSE Package Hub 15 SP4", product_id: "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.x86_64", }, product_reference: "modsecurity-devel-3.0.10-bp154.2.3.1.x86_64", relates_to_product_reference: "SUSE Package Hub 15 SP4", }, { category: "default_component_of", full_product_name: { name: "libmodsecurity3-3.0.10-bp154.2.3.1.aarch64 as component of openSUSE Leap 15.4", product_id: "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.aarch64", }, product_reference: "libmodsecurity3-3.0.10-bp154.2.3.1.aarch64", relates_to_product_reference: "openSUSE Leap 15.4", }, { category: "default_component_of", full_product_name: { name: "libmodsecurity3-3.0.10-bp154.2.3.1.i586 as component of openSUSE Leap 15.4", product_id: "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.i586", }, product_reference: "libmodsecurity3-3.0.10-bp154.2.3.1.i586", relates_to_product_reference: "openSUSE Leap 15.4", }, { category: "default_component_of", full_product_name: { name: "libmodsecurity3-3.0.10-bp154.2.3.1.ppc64le as component of openSUSE Leap 15.4", product_id: "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.ppc64le", }, product_reference: "libmodsecurity3-3.0.10-bp154.2.3.1.ppc64le", relates_to_product_reference: "openSUSE Leap 15.4", }, { category: 
"default_component_of", full_product_name: { name: "libmodsecurity3-3.0.10-bp154.2.3.1.s390x as component of openSUSE Leap 15.4", product_id: "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.s390x", }, product_reference: "libmodsecurity3-3.0.10-bp154.2.3.1.s390x", relates_to_product_reference: "openSUSE Leap 15.4", }, { category: "default_component_of", full_product_name: { name: "libmodsecurity3-3.0.10-bp154.2.3.1.x86_64 as component of openSUSE Leap 15.4", product_id: "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.x86_64", }, product_reference: "libmodsecurity3-3.0.10-bp154.2.3.1.x86_64", relates_to_product_reference: "openSUSE Leap 15.4", }, { category: "default_component_of", full_product_name: { name: "libmodsecurity3-32bit-3.0.10-bp154.2.3.1.x86_64 as component of openSUSE Leap 15.4", product_id: "openSUSE Leap 15.4:libmodsecurity3-32bit-3.0.10-bp154.2.3.1.x86_64", }, product_reference: "libmodsecurity3-32bit-3.0.10-bp154.2.3.1.x86_64", relates_to_product_reference: "openSUSE Leap 15.4", }, { category: "default_component_of", full_product_name: { name: "libmodsecurity3-64bit-3.0.10-bp154.2.3.1.aarch64_ilp32 as component of openSUSE Leap 15.4", product_id: "openSUSE Leap 15.4:libmodsecurity3-64bit-3.0.10-bp154.2.3.1.aarch64_ilp32", }, product_reference: "libmodsecurity3-64bit-3.0.10-bp154.2.3.1.aarch64_ilp32", relates_to_product_reference: "openSUSE Leap 15.4", }, { category: "default_component_of", full_product_name: { name: "modsecurity-3.0.10-bp154.2.3.1.aarch64 as component of openSUSE Leap 15.4", product_id: "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.aarch64", }, product_reference: "modsecurity-3.0.10-bp154.2.3.1.aarch64", relates_to_product_reference: "openSUSE Leap 15.4", }, { category: "default_component_of", full_product_name: { name: "modsecurity-3.0.10-bp154.2.3.1.i586 as component of openSUSE Leap 15.4", product_id: "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.i586", }, product_reference: 
"modsecurity-3.0.10-bp154.2.3.1.i586", relates_to_product_reference: "openSUSE Leap 15.4", }, { category: "default_component_of", full_product_name: { name: "modsecurity-3.0.10-bp154.2.3.1.ppc64le as component of openSUSE Leap 15.4", product_id: "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.ppc64le", }, product_reference: "modsecurity-3.0.10-bp154.2.3.1.ppc64le", relates_to_product_reference: "openSUSE Leap 15.4", }, { category: "default_component_of", full_product_name: { name: "modsecurity-3.0.10-bp154.2.3.1.s390x as component of openSUSE Leap 15.4", product_id: "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.s390x", }, product_reference: "modsecurity-3.0.10-bp154.2.3.1.s390x", relates_to_product_reference: "openSUSE Leap 15.4", }, { category: "default_component_of", full_product_name: { name: "modsecurity-3.0.10-bp154.2.3.1.x86_64 as component of openSUSE Leap 15.4", product_id: "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.x86_64", }, product_reference: "modsecurity-3.0.10-bp154.2.3.1.x86_64", relates_to_product_reference: "openSUSE Leap 15.4", }, { category: "default_component_of", full_product_name: { name: "modsecurity-devel-3.0.10-bp154.2.3.1.aarch64 as component of openSUSE Leap 15.4", product_id: "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.aarch64", }, product_reference: "modsecurity-devel-3.0.10-bp154.2.3.1.aarch64", relates_to_product_reference: "openSUSE Leap 15.4", }, { category: "default_component_of", full_product_name: { name: "modsecurity-devel-3.0.10-bp154.2.3.1.i586 as component of openSUSE Leap 15.4", product_id: "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.i586", }, product_reference: "modsecurity-devel-3.0.10-bp154.2.3.1.i586", relates_to_product_reference: "openSUSE Leap 15.4", }, { category: "default_component_of", full_product_name: { name: "modsecurity-devel-3.0.10-bp154.2.3.1.ppc64le as component of openSUSE Leap 15.4", product_id: "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.ppc64le", }, 
product_reference: "modsecurity-devel-3.0.10-bp154.2.3.1.ppc64le", relates_to_product_reference: "openSUSE Leap 15.4", }, { category: "default_component_of", full_product_name: { name: "modsecurity-devel-3.0.10-bp154.2.3.1.s390x as component of openSUSE Leap 15.4", product_id: "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.s390x", }, product_reference: "modsecurity-devel-3.0.10-bp154.2.3.1.s390x", relates_to_product_reference: "openSUSE Leap 15.4", }, { category: "default_component_of", full_product_name: { name: "modsecurity-devel-3.0.10-bp154.2.3.1.x86_64 as component of openSUSE Leap 15.4", product_id: "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.x86_64", }, product_reference: "modsecurity-devel-3.0.10-bp154.2.3.1.x86_64", relates_to_product_reference: "openSUSE Leap 15.4", }, ], }, vulnerabilities: [ { cve: "CVE-2020-15598", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2020-15598", }, ], notes: [ { category: "general", text: "** DISPUTED ** Trustwave ModSecurity 3.x through 3.0.4 allows denial of service via a special request. NOTE: The discoverer reports \"Trustwave has signaled they are disputing our claims.\" The CVE suggests that there is a security issue with how ModSecurity handles regular expressions that can result in a Denial of Service condition. The vendor does not consider this as a security issue because 1) there is no default configuration issue here. An attacker would need to know that a rule using a potentially problematic regular expression was in place, 2) the attacker would need to know the basic nature of the regular expression itself to exploit any resource issues. It's well known that regular expression usage can be taxing on system resources regardless of the use case. 
It is up to the administrator to decide on when it is appropriate to trade resources for potential security benefit.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.aarch64", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.i586", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.ppc64le", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.s390x", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.x86_64", "SUSE Package Hub 15 SP4:libmodsecurity3-32bit-3.0.10-bp154.2.3.1.x86_64", "SUSE Package Hub 15 SP4:libmodsecurity3-64bit-3.0.10-bp154.2.3.1.aarch64_ilp32", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.aarch64", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.i586", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.ppc64le", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.s390x", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.x86_64", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.aarch64", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.i586", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.ppc64le", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.s390x", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.aarch64", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.i586", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.ppc64le", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.s390x", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:libmodsecurity3-32bit-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:libmodsecurity3-64bit-3.0.10-bp154.2.3.1.aarch64_ilp32", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.aarch64", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.i586", "openSUSE Leap 
15.4:modsecurity-3.0.10-bp154.2.3.1.ppc64le", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.s390x", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.aarch64", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.i586", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.ppc64le", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.s390x", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2020-15598", url: "https://www.suse.com/security/cve/CVE-2020-15598", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.aarch64", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.i586", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.ppc64le", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.s390x", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.x86_64", "SUSE Package Hub 15 SP4:libmodsecurity3-32bit-3.0.10-bp154.2.3.1.x86_64", "SUSE Package Hub 15 SP4:libmodsecurity3-64bit-3.0.10-bp154.2.3.1.aarch64_ilp32", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.aarch64", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.i586", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.ppc64le", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.s390x", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.x86_64", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.aarch64", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.i586", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.ppc64le", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.s390x", "SUSE Package Hub 15 
SP4:modsecurity-devel-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.aarch64", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.i586", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.ppc64le", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.s390x", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:libmodsecurity3-32bit-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:libmodsecurity3-64bit-3.0.10-bp154.2.3.1.aarch64_ilp32", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.aarch64", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.i586", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.ppc64le", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.s390x", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.aarch64", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.i586", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.ppc64le", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.s390x", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.aarch64", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.i586", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.ppc64le", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.s390x", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.x86_64", "SUSE Package Hub 15 SP4:libmodsecurity3-32bit-3.0.10-bp154.2.3.1.x86_64", "SUSE Package Hub 15 SP4:libmodsecurity3-64bit-3.0.10-bp154.2.3.1.aarch64_ilp32", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.aarch64", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.i586", "SUSE Package Hub 15 
SP4:modsecurity-3.0.10-bp154.2.3.1.ppc64le", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.s390x", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.x86_64", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.aarch64", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.i586", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.ppc64le", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.s390x", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.aarch64", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.i586", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.ppc64le", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.s390x", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:libmodsecurity3-32bit-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:libmodsecurity3-64bit-3.0.10-bp154.2.3.1.aarch64_ilp32", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.aarch64", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.i586", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.ppc64le", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.s390x", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.aarch64", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.i586", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.ppc64le", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.s390x", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: "2023-09-25T22:01:56Z", details: "moderate", }, ], title: "CVE-2020-15598", }, { cve: "CVE-2021-42717", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2021-42717", }, ], notes: [ { category: "general", text: "ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. 
Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.aarch64", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.i586", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.ppc64le", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.s390x", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.x86_64", "SUSE Package Hub 15 SP4:libmodsecurity3-32bit-3.0.10-bp154.2.3.1.x86_64", "SUSE Package Hub 15 SP4:libmodsecurity3-64bit-3.0.10-bp154.2.3.1.aarch64_ilp32", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.aarch64", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.i586", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.ppc64le", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.s390x", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.x86_64", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.aarch64", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.i586", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.ppc64le", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.s390x", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.aarch64", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.i586", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.ppc64le", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.s390x", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 
15.4:libmodsecurity3-32bit-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:libmodsecurity3-64bit-3.0.10-bp154.2.3.1.aarch64_ilp32", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.aarch64", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.i586", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.ppc64le", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.s390x", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.aarch64", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.i586", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.ppc64le", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.s390x", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2021-42717", url: "https://www.suse.com/security/cve/CVE-2021-42717", }, { category: "external", summary: "SUSE Bug 1195450 for CVE-2021-42717", url: "https://bugzilla.suse.com/1195450", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.aarch64", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.i586", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.ppc64le", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.s390x", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.x86_64", "SUSE Package Hub 15 SP4:libmodsecurity3-32bit-3.0.10-bp154.2.3.1.x86_64", "SUSE Package Hub 15 SP4:libmodsecurity3-64bit-3.0.10-bp154.2.3.1.aarch64_ilp32", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.aarch64", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.i586", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.ppc64le", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.s390x", "SUSE Package Hub 15 
SP4:modsecurity-3.0.10-bp154.2.3.1.x86_64", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.aarch64", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.i586", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.ppc64le", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.s390x", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.aarch64", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.i586", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.ppc64le", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.s390x", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:libmodsecurity3-32bit-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:libmodsecurity3-64bit-3.0.10-bp154.2.3.1.aarch64_ilp32", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.aarch64", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.i586", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.ppc64le", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.s390x", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.aarch64", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.i586", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.ppc64le", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.s390x", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.aarch64", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.i586", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.ppc64le", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.s390x", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.x86_64", 
"SUSE Package Hub 15 SP4:libmodsecurity3-32bit-3.0.10-bp154.2.3.1.x86_64", "SUSE Package Hub 15 SP4:libmodsecurity3-64bit-3.0.10-bp154.2.3.1.aarch64_ilp32", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.aarch64", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.i586", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.ppc64le", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.s390x", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.x86_64", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.aarch64", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.i586", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.ppc64le", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.s390x", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.aarch64", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.i586", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.ppc64le", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.s390x", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:libmodsecurity3-32bit-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:libmodsecurity3-64bit-3.0.10-bp154.2.3.1.aarch64_ilp32", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.aarch64", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.i586", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.ppc64le", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.s390x", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.aarch64", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.i586", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.ppc64le", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.s390x", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: 
"2023-09-25T22:01:56Z", details: "important", }, ], title: "CVE-2021-42717", }, { cve: "CVE-2023-28882", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2023-28882", }, ], notes: [ { category: "general", text: "Trustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows a denial of service (worker crash and unresponsiveness) because some inputs cause a segfault in the Transaction class for some configurations.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.aarch64", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.i586", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.ppc64le", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.s390x", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.x86_64", "SUSE Package Hub 15 SP4:libmodsecurity3-32bit-3.0.10-bp154.2.3.1.x86_64", "SUSE Package Hub 15 SP4:libmodsecurity3-64bit-3.0.10-bp154.2.3.1.aarch64_ilp32", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.aarch64", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.i586", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.ppc64le", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.s390x", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.x86_64", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.aarch64", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.i586", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.ppc64le", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.s390x", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.aarch64", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.i586", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.ppc64le", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.s390x", "openSUSE Leap 
15.4:libmodsecurity3-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:libmodsecurity3-32bit-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:libmodsecurity3-64bit-3.0.10-bp154.2.3.1.aarch64_ilp32", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.aarch64", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.i586", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.ppc64le", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.s390x", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.aarch64", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.i586", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.ppc64le", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.s390x", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2023-28882", url: "https://www.suse.com/security/cve/CVE-2023-28882", }, { category: "external", summary: "SUSE Bug 1210993 for CVE-2023-28882", url: "https://bugzilla.suse.com/1210993", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.aarch64", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.i586", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.ppc64le", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.s390x", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.x86_64", "SUSE Package Hub 15 SP4:libmodsecurity3-32bit-3.0.10-bp154.2.3.1.x86_64", "SUSE Package Hub 15 SP4:libmodsecurity3-64bit-3.0.10-bp154.2.3.1.aarch64_ilp32", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.aarch64", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.i586", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.ppc64le", "SUSE Package Hub 15 
SP4:modsecurity-3.0.10-bp154.2.3.1.s390x", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.x86_64", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.aarch64", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.i586", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.ppc64le", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.s390x", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.aarch64", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.i586", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.ppc64le", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.s390x", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:libmodsecurity3-32bit-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:libmodsecurity3-64bit-3.0.10-bp154.2.3.1.aarch64_ilp32", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.aarch64", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.i586", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.ppc64le", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.s390x", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.aarch64", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.i586", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.ppc64le", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.s390x", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 5.3, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", version: "3.1", }, products: [ "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.aarch64", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.i586", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.ppc64le", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.s390x", 
"SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.x86_64", "SUSE Package Hub 15 SP4:libmodsecurity3-32bit-3.0.10-bp154.2.3.1.x86_64", "SUSE Package Hub 15 SP4:libmodsecurity3-64bit-3.0.10-bp154.2.3.1.aarch64_ilp32", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.aarch64", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.i586", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.ppc64le", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.s390x", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.x86_64", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.aarch64", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.i586", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.ppc64le", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.s390x", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.aarch64", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.i586", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.ppc64le", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.s390x", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:libmodsecurity3-32bit-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:libmodsecurity3-64bit-3.0.10-bp154.2.3.1.aarch64_ilp32", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.aarch64", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.i586", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.ppc64le", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.s390x", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.aarch64", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.i586", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.ppc64le", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.s390x", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.x86_64", 
], }, ], threats: [ { category: "impact", date: "2023-09-25T22:01:56Z", details: "moderate", }, ], title: "CVE-2023-28882", }, { cve: "CVE-2023-38285", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2023-38285", }, ], notes: [ { category: "general", text: "Trustwave ModSecurity 3.x before 3.0.10 has Inefficient Algorithmic Complexity.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.aarch64", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.i586", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.ppc64le", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.s390x", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.x86_64", "SUSE Package Hub 15 SP4:libmodsecurity3-32bit-3.0.10-bp154.2.3.1.x86_64", "SUSE Package Hub 15 SP4:libmodsecurity3-64bit-3.0.10-bp154.2.3.1.aarch64_ilp32", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.aarch64", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.i586", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.ppc64le", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.s390x", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.x86_64", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.aarch64", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.i586", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.ppc64le", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.s390x", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.aarch64", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.i586", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.ppc64le", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.s390x", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 
15.4:libmodsecurity3-32bit-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:libmodsecurity3-64bit-3.0.10-bp154.2.3.1.aarch64_ilp32", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.aarch64", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.i586", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.ppc64le", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.s390x", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.aarch64", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.i586", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.ppc64le", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.s390x", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.x86_64", ], }, references: [ { category: "external", summary: "CVE-2023-38285", url: "https://www.suse.com/security/cve/CVE-2023-38285", }, { category: "external", summary: "SUSE Bug 1213702 for CVE-2023-38285", url: "https://bugzilla.suse.com/1213702", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.aarch64", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.i586", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.ppc64le", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.s390x", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.x86_64", "SUSE Package Hub 15 SP4:libmodsecurity3-32bit-3.0.10-bp154.2.3.1.x86_64", "SUSE Package Hub 15 SP4:libmodsecurity3-64bit-3.0.10-bp154.2.3.1.aarch64_ilp32", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.aarch64", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.i586", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.ppc64le", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.s390x", "SUSE Package Hub 15 
SP4:modsecurity-3.0.10-bp154.2.3.1.x86_64", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.aarch64", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.i586", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.ppc64le", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.s390x", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.aarch64", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.i586", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.ppc64le", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.s390x", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:libmodsecurity3-32bit-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:libmodsecurity3-64bit-3.0.10-bp154.2.3.1.aarch64_ilp32", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.aarch64", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.i586", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.ppc64le", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.s390x", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.aarch64", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.i586", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.ppc64le", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.s390x", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.x86_64", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, products: [ "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.aarch64", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.i586", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.ppc64le", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.s390x", "SUSE Package Hub 15 SP4:libmodsecurity3-3.0.10-bp154.2.3.1.x86_64", 
"SUSE Package Hub 15 SP4:libmodsecurity3-32bit-3.0.10-bp154.2.3.1.x86_64", "SUSE Package Hub 15 SP4:libmodsecurity3-64bit-3.0.10-bp154.2.3.1.aarch64_ilp32", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.aarch64", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.i586", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.ppc64le", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.s390x", "SUSE Package Hub 15 SP4:modsecurity-3.0.10-bp154.2.3.1.x86_64", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.aarch64", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.i586", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.ppc64le", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.s390x", "SUSE Package Hub 15 SP4:modsecurity-devel-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.aarch64", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.i586", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.ppc64le", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.s390x", "openSUSE Leap 15.4:libmodsecurity3-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:libmodsecurity3-32bit-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:libmodsecurity3-64bit-3.0.10-bp154.2.3.1.aarch64_ilp32", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.aarch64", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.i586", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.ppc64le", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.s390x", "openSUSE Leap 15.4:modsecurity-3.0.10-bp154.2.3.1.x86_64", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.aarch64", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.i586", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.ppc64le", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.s390x", "openSUSE Leap 15.4:modsecurity-devel-3.0.10-bp154.2.3.1.x86_64", ], }, ], threats: [ { category: "impact", date: 
"2023-09-25T22:01:56Z", details: "important", }, ], title: "CVE-2023-38285", }, ], }