Version in base suite: 2.9.11-1 Base version: modsecurity-apache_2.9.11-1 Target version: modsecurity-apache_2.9.11-1+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/m/modsecurity-apache/modsecurity-apache_2.9.11-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/m/modsecurity-apache/modsecurity-apache_2.9.11-1+deb13u1.dsc changelog | 7 + patches/aclocal.patch | 18 --- patches/cve-2025-54571.diff | 211 ++++++++++++++++++++++++++++++++++++++++++++ patches/series | 2 4 files changed, 219 insertions(+), 19 deletions(-) diff -Nru modsecurity-apache-2.9.11/debian/changelog modsecurity-apache-2.9.11/debian/changelog --- modsecurity-apache-2.9.11/debian/changelog 2025-07-02 09:23:42.000000000 +0000 +++ modsecurity-apache-2.9.11/debian/changelog 2025-08-07 11:40:00.000000000 +0000 @@ -1,3 +1,10 @@ +modsecurity-apache (2.9.11-1+deb13u1) trixie; urgency=medium + + * Add patch against new CVE; Fixes CVE-2025-54571 (Closes: #1110480) + * Remove d/patches/aclocal.patch, not necessary + + -- Ervin Hegedüs Thu, 07 Aug 2025 13:40:00 +0200 + modsecurity-apache (2.9.11-1) unstable; urgency=medium [ Ervin Hegedüs ] diff -Nru modsecurity-apache-2.9.11/debian/patches/aclocal.patch modsecurity-apache-2.9.11/debian/patches/aclocal.patch --- modsecurity-apache-2.9.11/debian/patches/aclocal.patch 2025-06-05 08:43:35.000000000 +0000 +++ modsecurity-apache-2.9.11/debian/patches/aclocal.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,18 +0,0 @@ -Description: Fix aclocal-1.16 dependency -Author: Ervin Hegedüs -Last-Update: 2025-05-22 ---- -This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ ---- a/Makefile.in -+++ b/Makefile.in -@@ -183,8 +183,8 @@ - $(top_srcdir)/tests/regression/misc/60-pmfromfile-external.t.in \ - $(top_srcdir)/tests/regression/server_root/conf/httpd.conf.in \ - README.md build/ar-lib build/compile build/config.guess \ -- build/config.sub build/depcomp build/install-sh \ -- build/ltmain.sh build/missing -+ build/config.sub build/install-sh build/ltmain.sh \ -+ build/missing - DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) - distdir = $(PACKAGE)-$(VERSION) - top_distdir = $(distdir) diff -Nru modsecurity-apache-2.9.11/debian/patches/cve-2025-54571.diff modsecurity-apache-2.9.11/debian/patches/cve-2025-54571.diff --- modsecurity-apache-2.9.11/debian/patches/cve-2025-54571.diff 1970-01-01 00:00:00.000000000 +0000 +++ modsecurity-apache-2.9.11/debian/patches/cve-2025-54571.diff 2025-08-07 11:40:00.000000000 +0000 @@ -0,0 +1,211 @@ +Description: Fix CVE-2025-54571 +Author: Ervin Hegedüs +Last-Update: 2025-08-07 +--- a/apache2/apache2_io.c ++++ b/apache2/apache2_io.c +@@ -192,27 +192,29 @@ + if (msr->txcfg->debuglog_level >= 4) { + msr_log(msr, 4, "Input filter: This request does not have a body."); + } +- return 0; ++ return APR_SUCCESS; + } + + if (msr->txcfg->reqbody_access != 1) { + if (msr->txcfg->debuglog_level >= 4) { + msr_log(msr, 4, "Input filter: Request body access not enabled."); + } +- return 0; ++ return APR_SUCCESS; + } + + if (msr->txcfg->debuglog_level >= 4) { + msr_log(msr, 4, "Input filter: Reading request body."); + } + if (modsecurity_request_body_start(msr, error_msg) < 0) { +- return -1; ++ return HTTP_INTERNAL_SERVER_ERROR; + } + + finished_reading = 0; + msr->if_seen_eos = 0; + bb_in = apr_brigade_create(msr->mp, r->connection->bucket_alloc); +- if (bb_in == NULL) return -1; ++ if (bb_in == NULL) { ++ return HTTP_INTERNAL_SERVER_ERROR; ++ } + do { + apr_status_t rc; + +@@ -222,25 +224,17 @@ + * too large and APR_EGENERAL when the client disconnects. + */ + switch(rc) { +- case APR_INCOMPLETE : +- *error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc)); +- return -7; +- case APR_EOF : +- *error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc)); +- return -6; +- case APR_TIMEUP : +- *error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc)); +- return -4; + case AP_FILTER_ERROR : + *error_msg = apr_psprintf(msr->mp, "Error reading request body: HTTP Error 413 - Request entity too large. (Most likely.)"); +- return -3; ++ break; + case APR_EGENERAL : + *error_msg = apr_psprintf(msr->mp, "Error reading request body: Client went away."); +- return -2; ++ break; + default : + *error_msg = apr_psprintf(msr->mp, "Error reading request body: %s", get_apr_error(msr->mp, rc)); +- return -1; ++ break; + } ++ return ap_map_http_request_error(rc, HTTP_BAD_REQUEST); + } + + /* Loop through the buckets in the brigade in order +@@ -256,7 +250,7 @@ + rc = apr_bucket_read(bucket, &buf, &buflen, APR_BLOCK_READ); + if (rc != APR_SUCCESS) { + *error_msg = apr_psprintf(msr->mp, "Failed reading input / bucket (%d): %s", rc, get_apr_error(msr->mp, rc)); +- return -1; ++ return HTTP_INTERNAL_SERVER_ERROR; + } + + if (msr->txcfg->debuglog_level >= 9) { +@@ -269,7 +263,7 @@ + if((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_REJECT)) { + *error_msg = apr_psprintf(msr->mp, "Request body is larger than the " + "configured limit (%ld).", msr->txcfg->reqbody_limit); +- return -5; ++ return HTTP_REQUEST_ENTITY_TOO_LARGE; + } else if((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_PARTIAL)) { + + *error_msg = apr_psprintf(msr->mp, "Request body is larger than the " +@@ -290,7 +284,7 @@ + *error_msg = apr_psprintf(msr->mp, "Request body is larger than the " + "configured limit (%ld).", msr->txcfg->reqbody_limit); + +- return -5; ++ return HTTP_REQUEST_ENTITY_TOO_LARGE; + } + } + +@@ -300,7 +294,7 @@ + modsecurity_request_body_to_stream(msr, buf, buflen, error_msg); + #else + if (modsecurity_request_body_to_stream(msr, buf, buflen, error_msg) < 0) { +- return -1; ++ return HTTP_INTERNAL_SERVER_ERROR; + } + #endif + } +@@ -319,7 +313,7 @@ + if((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_REJECT)) { + *error_msg = apr_psprintf(msr->mp, "Request body no files data length is larger than the " + "configured limit (%ld).", msr->txcfg->reqbody_no_files_limit); +- return -5; ++ return HTTP_REQUEST_ENTITY_TOO_LARGE; + } else if ((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_PARTIAL)) { + *error_msg = apr_psprintf(msr->mp, "Request body no files data length is larger than the " + "configured limit (%ld).", msr->txcfg->reqbody_no_files_limit); +@@ -329,12 +323,12 @@ + } else { + *error_msg = apr_psprintf(msr->mp, "Request body no files data length is larger than the " + "configured limit (%ld).", msr->txcfg->reqbody_no_files_limit); +- return -5; ++ return HTTP_REQUEST_ENTITY_TOO_LARGE; + } + } + + if((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_REJECT)) +- return -1; ++ return HTTP_INTERNAL_SERVER_ERROR; + } + + } +@@ -357,7 +351,13 @@ + + msr->if_status = IF_STATUS_WANTS_TO_RUN; + +- return rcbe; ++ if (rcbe == -5) { ++ return HTTP_REQUEST_ENTITY_TOO_LARGE; ++ } ++ if (rcbe < 0) { ++ return HTTP_INTERNAL_SERVER_ERROR; ++ } ++ return APR_SUCCESS; + } + + +--- a/apache2/mod_security2.c ++++ b/apache2/mod_security2.c +@@ -1032,56 +1032,15 @@ + } + + rc = read_request_body(msr, &my_error_msg); +- if (rc < 0 && msr->txcfg->is_enabled == MODSEC_ENABLED) { +- switch(rc) { +- case -1 : +- if (my_error_msg != NULL) { +- msr_log(msr, 1, "%s", my_error_msg); +- } +- return HTTP_INTERNAL_SERVER_ERROR; +- break; +- case -4 : /* Timeout. */ +- if (my_error_msg != NULL) { +- msr_log(msr, 4, "%s", my_error_msg); +- } +- r->connection->keepalive = AP_CONN_CLOSE; +- return HTTP_REQUEST_TIME_OUT; +- break; +- case -5 : /* Request body limit reached. */ +- msr->inbound_error = 1; +- if((msr->txcfg->is_enabled == MODSEC_ENABLED) && (msr->txcfg->if_limit_action == REQUEST_BODY_LIMIT_ACTION_REJECT)) { +- r->connection->keepalive = AP_CONN_CLOSE; +- if (my_error_msg != NULL) { +- msr_log(msr, 1, "%s. Deny with code (%d)", my_error_msg, HTTP_REQUEST_ENTITY_TOO_LARGE); +- } +- return HTTP_REQUEST_ENTITY_TOO_LARGE; +- } else { +- if (my_error_msg != NULL) { +- msr_log(msr, 1, "%s", my_error_msg); +- } +- } +- break; +- case -6 : /* EOF when reading request body. */ +- if (my_error_msg != NULL) { +- msr_log(msr, 4, "%s", my_error_msg); +- } +- r->connection->keepalive = AP_CONN_CLOSE; +- return HTTP_BAD_REQUEST; +- break; +- case -7 : /* Partial recieved */ +- if (my_error_msg != NULL) { +- msr_log(msr, 4, "%s", my_error_msg); +- } +- r->connection->keepalive = AP_CONN_CLOSE; +- return HTTP_BAD_REQUEST; +- break; +- default : +- /* allow through */ +- break; ++ if (rc != OK) { ++ if (my_error_msg != NULL) { ++ msr_log(msr, 1, "%s", my_error_msg); + } +- +- msr->msc_reqbody_error = 1; +- msr->msc_reqbody_error_msg = my_error_msg; ++ if (rc == HTTP_REQUEST_ENTITY_TOO_LARGE) { ++ msr->inbound_error = 1; ++ } ++ r->connection->keepalive = AP_CONN_CLOSE; ++ return rc; + } + + /* Update the request headers. They might have changed after diff -Nru modsecurity-apache-2.9.11/debian/patches/series modsecurity-apache-2.9.11/debian/patches/series --- modsecurity-apache-2.9.11/debian/patches/series 2025-06-05 08:43:35.000000000 +0000 +++ modsecurity-apache-2.9.11/debian/patches/series 2025-08-07 11:40:00.000000000 +0000 @@ -1,3 +1,3 @@ -aclocal.patch debian_log_dir.patch improve_defaults.patch +cve-2025-54571.diff