libmodsecurity3-3.0.6-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:12118 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z libmodsecurity3-3.0.6-1.1 on GA media These are all security issues fixed in the libmodsecurity3-3.0.6-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-12118 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:12118 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2020-15598/ SUSE CVE CVE-2020-15598 page https://www.suse.com/security/cve/CVE-2021-42717/ SUSE CVE CVE-2021-42717 page openSUSE Tumbleweed libmodsecurity3-3.0.6-1.1 libmodsecurity3-32bit-3.0.6-1.1 modsecurity-3.0.6-1.1 modsecurity-devel-3.0.6-1.1 libmodsecurity3-3.0.6-1.1 as a component of openSUSE Tumbleweed libmodsecurity3-32bit-3.0.6-1.1 as a component of openSUSE Tumbleweed modsecurity-3.0.6-1.1 as a component of openSUSE Tumbleweed modsecurity-devel-3.0.6-1.1 as a component of openSUSE Tumbleweed ** DISPUTED ** Trustwave ModSecurity 3.x through 3.0.4 allows denial of service via a special request. NOTE: The discoverer reports "Trustwave has signaled they are disputing our claims." The CVE suggests that there is a security issue with how ModSecurity handles regular expressions that can result in a Denial of Service condition. The vendor does not consider this as a security issue because1) there is no default configuration issue here. An attacker would need to know that a rule using a potentially problematic regular expression was in place, 2) the attacker would need to know the basic nature of the regular expression itself to exploit any resource issues. It's well known that regular expression usage can be taxing on system resources regardless of the use case. It is up to the administrator to decide on when it is appropriate to trade resources for potential security benefit. CVE-2020-15598 openSUSE Tumbleweed:libmodsecurity3-3.0.6-1.1 openSUSE Tumbleweed:libmodsecurity3-32bit-3.0.6-1.1 openSUSE Tumbleweed:modsecurity-3.0.6-1.1 openSUSE Tumbleweed:modsecurity-devel-3.0.6-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-15598.html CVE-2020-15598 ModSecurity 3.x through 3.0.5 mishandles excessively nested JSON objects. Crafted JSON objects with nesting tens-of-thousands deep could result in the web server being unable to service legitimate requests. Even a moderately large (e.g., 300KB) HTTP request can occupy one of the limited NGINX worker processes for minutes and consume almost all of the available CPU on the machine. Modsecurity 2 is similarly vulnerable: the affected versions include 2.8.0 through 2.9.4. CVE-2021-42717 openSUSE Tumbleweed:libmodsecurity3-3.0.6-1.1 openSUSE Tumbleweed:libmodsecurity3-32bit-3.0.6-1.1 openSUSE Tumbleweed:modsecurity-3.0.6-1.1 openSUSE Tumbleweed:modsecurity-devel-3.0.6-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-42717.html CVE-2021-42717 https://bugzilla.suse.com/1195450 SUSE Bug 1195450