[Git][security-tracker-team/security-tracker][master] Reserve DLA-4265-1 for modsecurity-crs

Adrian Bunk (@bunk) bunk at debian.org
Fri Aug 8 21:54:51 BST 2025 


Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ab10e83b by Adrian Bunk at 2025-08-08T23:54:21+03:00
Reserve DLA-4265-1 for modsecurity-crs

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -262786,24 +262786,20 @@ CVE-2022-39959 (Panini Everest Engine 2.0.4 allows unprivileged users to create
 CVE-2022-39958 (The OWASP ModSecurity Core Rule Set (CRS) is affected by a response bo ...)
 	{DLA-3293-1}
 	- modsecurity-crs 3.3.4-1 (bug #1021137)
-	[bullseye] - modsecurity-crs <no-dsa> (Minor issues; will be fixed in point release)
 	NOTE: https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/
 CVE-2022-39957 (The OWASP ModSecurity Core Rule Set (CRS) is affected by a response bo ...)
 	{DLA-3293-1}
 	- modsecurity-crs 3.3.4-1 (bug #1021137)
-	[bullseye] - modsecurity-crs <no-dsa> (Minor issues; will be fixed in point release)
 	NOTE: https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/
 CVE-2022-39956 (The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rul ...)
 	{DLA-3293-1}
 	- modsecurity-crs 3.3.4-1 (bug #1021137)
-	[bullseye] - modsecurity-crs <no-dsa> (Minor issues; will be fixed in point release)
 	NOTE: https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/
 	NOTE: Depends on changes to be done in src:libmodsecurity3 / src:modsecurity-apache, cf.
 	NOTE: https://bugs.debian.org/1020303
 CVE-2022-39955 (The OWASP ModSecurity Core Rule Set (CRS) is affected by a partial rul ...)
 	{DLA-3293-1}
 	- modsecurity-crs 3.3.4-1 (bug #1021137)
-	[bullseye] - modsecurity-crs <no-dsa> (Minor issues; will be fixed in point release)
 	NOTE: https://coreruleset.org/20220919/crs-version-3-3-3-and-3-2-2-covering-several-cves/
 CVE-2022-39954 (An improper restriction of xml external entity reference in Fortinet F ...)
 	NOT-FOR-US: Fortinet
@@ -412761,7 +412757,6 @@ CVE-2020-22670
 CVE-2020-22669 (Modsecurity owasp-modsecurity-crs 3.2.0 (Paranoia level at PL1) has a  ...)
 	{DLA-3293-1}
 	- modsecurity-crs 3.3.2-1
-	[bullseye] - modsecurity-crs <no-dsa> (Minor issue)
 	NOTE: https://github.com/coreruleset/coreruleset/pull/1793
 	NOTE: https://github.com/coreruleset/coreruleset/commit/1a6e9e097587cecc038f1a1a76fc067c7797bbcd (v3.3.1-rc1)
 	NOTE: https://github.com/coreruleset/coreruleset/commit/909cab560b56f998faee88dd8a7aa9cf086d2d9f (v3.3.1-rc1)


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[08 Aug 2025] DLA-4265-1 modsecurity-crs - security update
+	{CVE-2020-22669 CVE-2022-39955 CVE-2022-39956 CVE-2022-39957 CVE-2022-39958}
+	[bullseye] - modsecurity-crs 3.3.4-1~deb11u1
 [04 Aug 2025] DLA-4264-1 exempi - security update
 	{CVE-2021-36045 CVE-2021-36046 CVE-2021-36047 CVE-2021-36048 CVE-2021-36050 CVE-2021-36051 CVE-2021-36052 CVE-2021-36053 CVE-2021-36054 CVE-2021-36055 CVE-2021-36056 CVE-2021-36057 CVE-2021-36058 CVE-2021-36064 CVE-2021-39847 CVE-2021-40716 CVE-2021-40732 CVE-2021-42528 CVE-2021-42529 CVE-2021-42530 CVE-2021-42531 CVE-2021-42532}
 	[bullseye] - exempi 2.5.2-1+deb11u1


=====================================
data/dla-needed.txt
=====================================
@@ -247,11 +247,6 @@ mimetex
   NOTE: 20250629: There doesn't seem to be a fix so far according to #1103801 (dleidert)
   NOTE: 20250629: Best course of action seems to be some kind of mitigation similar to https://moodle.org/mod/forum/discuss.php?d=467592 (dleidert)
 --
-modsecurity-crs (bunk)
-  NOTE: 20250718: Added by Front-Desk (Beuc)
-  NOTE: 20250718: Follow DLA-3293-1 for buster (7 CVEs) (Beuc/front-desk)
-  NOTE: 20250804: work ongoing (bunk)
---
 mupdf (Chris Lamb)
   NOTE: 20250805: Added by Front-Desk (rouca)
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab10e83b2383e0b0f0ef2ae0faf2039f7f07d908

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ab10e83b2383e0b0f0ef2ae0faf2039f7f07d908
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20250808/f5ebf1ef/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list