Version in base suite: 3.3.7-1 Base version: modsecurity-crs_3.3.7-1 Target version: modsecurity-crs_3.3.7-1+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/m/modsecurity-crs/modsecurity-crs_3.3.7-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/m/modsecurity-crs/modsecurity-crs_3.3.7-1+deb13u1.dsc changelog | 6 +++ patches/cve-2026-21876.patch | 70 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 77 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpbbjfj2jh/modsecurity-crs_3.3.7-1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpbbjfj2jh/modsecurity-crs_3.3.7-1+deb13u1.dsc: no acceptable signature found
diff -Nru modsecurity-crs-3.3.7/debian/changelog modsecurity-crs-3.3.7/debian/changelog
--- modsecurity-crs-3.3.7/debian/changelog 2024-10-31 18:19:50.000000000 +0000
+++ modsecurity-crs-3.3.7/debian/changelog 2026-01-10 16:00:48.000000000 +0000
@@ -1,3 +1,9 @@
+modsecurity-crs (3.3.7-1+deb13u1) trixie-security; urgency=medium
+
+ * Fixes CVE-2026-21876 (Closes: #1125084)
+
+ -- Ervin Hegedüs Sat, 10 Jan 2026 17:00:48 +0100
+
 modsecurity-crs (3.3.7-1) unstable; urgency=medium
 * New upstream version 3.3.7
diff -Nru modsecurity-crs-3.3.7/debian/patches/cve-2026-21876.patch modsecurity-crs-3.3.7/debian/patches/cve-2026-21876.patch
--- modsecurity-crs-3.3.7/debian/patches/cve-2026-21876.patch 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-3.3.7/debian/patches/cve-2026-21876.patch 2026-01-10 16:00:48.000000000 +0000
@@ -0,0 +1,70 @@
+From: Ervin Hegedus
+Date: Sat, 10 Jan 2026 17:08:07 +0100
+Subject: Add patch from upstream to fix CVE-2026-21876
+
+---
+ rules/REQUEST-922-MULTIPART-ATTACK.conf | 38 +++++++++++++++++++++++++++------
+ 1 file changed, 32 insertions(+), 6 deletions(-)
+
+diff --git a/rules/REQUEST-922-MULTIPART-ATTACK.conf b/rules/REQUEST-922-MULTIPART-ATTACK.conf
+index 75d553f..6344226 100644
+--- a/rules/REQUEST-922-MULTIPART-ATTACK.conf
++++ b/rules/REQUEST-922-MULTIPART-ATTACK.conf
+@@ -48,14 +48,43 @@ SecRule &MULTIPART_PART_HEADERS:_charset_ "!@eq 0" \
+
+ # Only allow specific charsets same as Rule 920600
+ # Note: this is in phase:2 because these are headers that come in the body
+-SecRule MULTIPART_PART_HEADERS "@rx ^content-type\s*+:\s*+(.*)$" \
++#
++# How do these rules work:
++# * rule 922140 sets the multipart counter TX variable to 0
++# note that this is why does not matter if more parts have the same name - see rule's test
++# * rule 922150 collects all multipart headers' 'Content-Type' value
++# eg. 'text/plain; charset=utf-8'
++# * rule 922110 checks all the collected headers' content type and charset
++SecRule &MULTIPART_PART_HEADERS "@gt 0" \
++ "id:922140,\
++ phase:2,\
++ pass,\
++ t:none,\
++ nolog,\
++ tag:'OWASP_CRS',\
++ ver:'OWASP_CRS/3.3.7',\
++ setvar:'tx.multipart_headers_content_counter=0'"
++
++SecRule MULTIPART_PART_HEADERS "@rx ^content-type\s*:\s*(.*)$" \
++ "id:922150,\
++ phase:2,\
++ pass,\
++ capture,\
++ t:none,t:lowercase,\
++ nolog,\
++ tag:'OWASP_CRS',\
++ ver:'OWASP_CRS/3.3.7',\
++ setvar:'tx.multipart_headers_content_types_%{tx.multipart_headers_content_counter}=%{tx.1}',\
++ setvar:'tx.multipart_headers_content_counter=+1'"
++
++SecRule TX:/MULTIPART_HEADERS_CONTENT_TYPES_*/ "!@rx ^(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*(?:[\s\x0b]*,[\s\x0b]*(?:(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)/(?:\*|[^!\"\(\),/:-\?\[-\]\{\}]+)|\*)(?:[\s\x0b]*;[\s\x0b]*(?:charset[\s\x0b]*=[\s\x0b]*\"?(?:iso-8859-15?|utf-8|windows-1252)\b\"?|(?:[^\s\x0b-\"\(\),/:-\?\[-\]c\{\}]|c(?:[^!\"\(\),/:-\?\[-\]h\{\}]|h(?:[^!\"\(\),/:-\?\[-\]a\{\}]|a(?:[^!\"\(\),/:-\?\[-\]r\{\}]|r(?:[^!\"\(\),/:-\?\[-\]s\{\}]|s(?:[^!\"\(\),/:-\?\[-\]e\{\}]|e[^!\"\(\),/:-\?\[-\]t\{\}]))))))[^!\"\(\),/:-\?\[-\]\{\}]*[\s\x0b]*=[\s\x0b]*[^!\(\),/:-\?\[-\]\{\}]+);?)*)*$" \
+ "id:922110,\
+ phase:2,\
+ block,\
+ capture,\
+ t:none,t:lowercase,\
+ msg:'Illegal MIME Multipart Header content-type: charset parameter',\
+- logdata:'Matched Data: %{TX.1} found within Content-Type multipart form',\
++ logdata:'Matched Data: %{MATCHED_VAR} found within Content-Type multipart form',\
+ tag:'application-multi',\
+ tag:'language-multi',\
+ tag:'platform-multi',\
+@@ -65,10 +94,7 @@ SecRule MULTIPART_PART_HEADERS "@rx ^content-type\s*+:\s*+(.*)$" \
+ tag:'paranoia-level/1',\
+ ver:'OWASP_CRS/3.3.7',\
+ severity:'CRITICAL',\
+- chain"
+- SecRule TX:1 "!@rx ^(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+))(?:\s*+;\s*+(?:(?:charset\s*+=\s*+(?:\"?(?:iso-8859-15?|windows-1252|utf-8)\b\"?))|(?:(?:c(?:h(?:a(?:r(?:s(?:e[^t\"(),\/:;<=>?![\x5c\]{}]|[^e\"(),/:;<=>?![\x5c\]{}])|[^s\"(),/:;<=>?![\x5c\]{}])|[^r\"(),/:;<=>?![\x5c\]{}])|[^a\"(),/:;<=>?![\x5c\]{}])|[^h\"(),/:;<=>?![\x5c\]{}])|[^c\"(),/:;<=>?![\x5c\]{}])[^\"(),/:;<=>?![\x5c\]{}]*(?:)\s*+=\s*+[^(),/:;<=>?![\x5c\]{}]+)|;?))*(?:\s*+,\s*+(?:(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+)\/(?:\*|[^\"(),\/:;<=>?![\x5c\]{}]+))(?:\s*+;\s*+(?:(?:charset\s*+=\s*+(?:\"?(?:iso-8859-15?|windows-1252|utf-8)\b\"?))|(?:(?:c(?:h(?:a(?:r(?:s(?:e[^t\"(),\/:;<=>?![\x5c\]{}]|[^e\"(),/:;<=>?![\x5c\]{}])|[^s\"(),/:;<=>?![\x5c\]{}])|[^r\"(),/:;<=>?![\x5c\]{}])|[^a\"(),/:;<=>?![\x5c\]{}])|[^h\"(),/:;<=>?![\x5c\]{}])|[^c\"(),/:;<=>?![\x5c\]{}])[^\"(),/:;<=>?![\x5c\]{}]*(?:)\s*+=\s*+[^(),/:;<=>?![\x5c\]{}]+)|;?))*)*$" \
+- "t:lowercase,\
+- setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
++ setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
+
+ # Content-Transfer-Encoding was deprecated by rfc7578 in 2015 and should not be used (see: https://www.rfc-editor.org/rfc/rfc7578#section-4.7)
+ # Note: this is in phase:2 because these are headers that come in the body
diff -Nru modsecurity-crs-3.3.7/debian/patches/series modsecurity-crs-3.3.7/debian/patches/series
--- modsecurity-crs-3.3.7/debian/patches/series 2023-03-22 16:17:38.000000000 +0000
+++ modsecurity-crs-3.3.7/debian/patches/series 2026-01-10 16:00:48.000000000 +0000
@@ -1 +1,2 @@
 fix_paths
+cve-2026-21876.patch
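Review bot: The new patch header at the top of the hunk (`From:`/`Date:`/`Subject:`) says the fix comes from upstream but carries no DEP-3 provenance, so a reviewer of this security backport cannot tell which upstream commit or release it tracks; add `Origin: upstream, <UPSTREAM-COMMIT-URL>` and `Bug-Debian: https://bugs.debian.org/1125084` (the bug the changelog closes) below `Subject:`. The added comment block lists 922140, 922150 and 922110 in execution order, but because the two new ids are higher than 922110 while their rules sit above it, it is worth stating that the order is positional: `# Note: ModSecurity evaluates rules in file order, so 922140 and 922150 must stay above 922110.` Rule 922110 now uses a negated `!@rx` over the collected TX variables and logs `%{MATCHED_VAR}`, so the retained `capture,\` action no longer feeds anything and can be dropped for clarity.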