Version in base suite: 3.3.4-1 Version in overlay suite: 3.3.4-1+deb12u2 Base version: modsecurity-crs_3.3.4-1+deb12u2 Target version: modsecurity-crs_3.3.4-1+deb12u3 Base file: /srv/ftp-master.debian.org/ftp/pool/main/m/modsecurity-crs/modsecurity-crs_3.3.4-1+deb12u2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/m/modsecurity-crs/modsecurity-crs_3.3.4-1+deb12u3.dsc changelog | 6 +++++ patches/cve-2026-33691.patch | 44 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 51 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp7gu07_g_/modsecurity-crs_3.3.4-1+deb12u2.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmp7gu07_g_/modsecurity-crs_3.3.4-1+deb12u3.dsc: no acceptable signature found
diff -Nru modsecurity-crs-3.3.4/debian/changelog modsecurity-crs-3.3.4/debian/changelog
--- modsecurity-crs-3.3.4/debian/changelog 2026-02-22 08:39:48.000000000 +0000
+++ modsecurity-crs-3.3.4/debian/changelog 2026-03-29 17:02:25.000000000 +0000
@@ -1,3 +1,9 @@
+modsecurity-crs (3.3.4-1+deb12u3) bookworm; urgency=medium
+
+ * Fixes CVE-2026-33691
+
+ -- Hegedüs Ervin Sun, 29 Mar 2026 19:02:25 +0200
+
 modsecurity-crs (3.3.4-1+deb12u2) bookworm; urgency=medium
 * Non-maintainer upload for the LTS team, targeting o-s-p-u.
diff -Nru modsecurity-crs-3.3.4/debian/patches/cve-2026-33691.patch modsecurity-crs-3.3.4/debian/patches/cve-2026-33691.patch
--- modsecurity-crs-3.3.4/debian/patches/cve-2026-33691.patch 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-3.3.4/debian/patches/cve-2026-33691.patch 2026-03-29 17:02:25.000000000 +0000
@@ -0,0 +1,44 @@
+From: Ervin Hegedus
+Date: Sun, 29 Mar 2026 18:53:15 +0200
+Subject: Add patch from upstream to fix CVE-2026-33691
+
+---
+ rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf | 2 +-
+ rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf b/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
+index c8fe438..9046f28 100644
+--- a/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
++++ b/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
+@@ -573,7 +573,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
+ phase:2,\
+ block,\
+ capture,\
+- t:none,t:lowercase,\
++ t:none,t:lowercase,t:removeWhitespace,\
+ msg:'Restricted File Upload Attempt',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+diff --git a/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf b/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
+index f4bb189..743d130 100644
+--- a/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
++++ b/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
+@@ -91,7 +91,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
+ phase:2,\
+ block,\
+ capture,\
+- t:none,t:lowercase,\
++ t:none,t:lowercase,t:removeWhitespace,\
+ msg:'PHP Injection Attack: PHP Script File Upload Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+@@ -673,7 +673,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
+ phase:2,\
+ block,\
+ capture,\
+- t:none,t:lowercase,\
++ t:none,t:lowercase,t:removeWhitespace,\
+ msg:'PHP Injection Attack: PHP Script File Upload Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
diff -Nru modsecurity-crs-3.3.4/debian/patches/series
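Review bot: The patch header at the top of cve-2026-33691.patch says the fix is taken from upstream but names no upstream commit, release or advisory, so the backport cannot be compared with its source; adding DEP-3 fields under `Subject:`, for example `Origin: upstream, <upstream commit URL>` and `Forwarded: not-needed`, would make it auditable. The three nested hunks append `t:removeWhitespace` after `t:lowercase`, so whitespace is stripped from the upload filename before the rule's operator runs, but each SecRule line is truncated in the hunk header and the operator and rule id lie outside the hunks, so which patterns benefit cannot be confirmed here. Before release it would be worth checking the upstream change for any further rule in this branch that inspects `FILES` or the `X-Filename` headers with only `t:none,t:lowercase`, and replaying upstream's regression cases for these rules against the patched package.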
modsecurity-crs-3.3.4/debian/patches/series
--- modsecurity-crs-3.3.4/debian/patches/series 2026-02-22 08:39:48.000000000 +0000
+++ modsecurity-crs-3.3.4/debian/patches/series 2026-03-29 17:02:25.000000000 +0000
@@ -1,3 +1,4 @@
 fix_paths
 cve-2026-21876.patch
 CVE-2023-38199.patch
+cve-2026-33691.patch