Version in base suite: 3.3.7-1+deb13u1 Base version: modsecurity-crs_3.3.7-1+deb13u1 Target version: modsecurity-crs_3.3.7-1+deb13u2 Base file: /srv/ftp-master.debian.org/ftp/pool/main/m/modsecurity-crs/modsecurity-crs_3.3.7-1+deb13u1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/m/modsecurity-crs/modsecurity-crs_3.3.7-1+deb13u2.dsc changelog | 6 +++++ patches/cve-2026-33691.patch | 44 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 3 files changed, 51 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpqytt6pzr/modsecurity-crs_3.3.7-1+deb13u1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpqytt6pzr/modsecurity-crs_3.3.7-1+deb13u2.dsc: no acceptable signature found
diff -Nru modsecurity-crs-3.3.7/debian/changelog modsecurity-crs-3.3.7/debian/changelog
--- modsecurity-crs-3.3.7/debian/changelog 2026-01-10 16:00:48.000000000 +0000
+++ modsecurity-crs-3.3.7/debian/changelog 2026-03-29 16:29:12.000000000 +0000
@@ -1,3 +1,9 @@
+modsecurity-crs (3.3.7-1+deb13u2) trixie; urgency=medium
+
+ * Fixes CVE-2026-33691
+
+ -- Ervin Hegedüs Sun, 29 Mar 2026 18:29:12 +0200
+
 modsecurity-crs (3.3.7-1+deb13u1) trixie-security; urgency=medium
 
 * Fixes CVE-2026-21876 (Closes: #1125084)
diff -Nru modsecurity-crs-3.3.7/debian/patches/cve-2026-33691.patch modsecurity-crs-3.3.7/debian/patches/cve-2026-33691.patch
--- modsecurity-crs-3.3.7/debian/patches/cve-2026-33691.patch 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-crs-3.3.7/debian/patches/cve-2026-33691.patch 2026-03-29 16:29:12.000000000 +0000
@@ -0,0 +1,44 @@
+From: Ervin Hegedus
+Date: Sun, 29 Mar 2026 18:23:55 +0200
+Subject: Add patch from upstream to fix CVE-2026-33691
+
+---
+ rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf | 2 +-
+ rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf b/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
+index 002088a..aca6301 100644
+--- a/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
++++ b/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf
+@@ -573,7 +573,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
+ phase:2,\
+ block,\
+ capture,\
+- t:none,t:lowercase,\
++ t:none,t:lowercase,t:removeWhitespace,\
+ msg:'Restricted File Upload Attempt',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+diff --git a/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf b/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
+index 707ed45..666643e 100644
+--- a/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
++++ b/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf
+@@ -91,7 +91,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
+ phase:2,\
+ block,\
+ capture,\
+- t:none,t:lowercase,\
++ t:none,t:lowercase,t:removeWhitespace,\
+ msg:'PHP Injection Attack: PHP Script File Upload Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
+@@ -673,7 +673,7 @@ SecRule FILES|REQUEST_HEADERS:X-Filename|REQUEST_HEADERS:X_Filename|REQUEST_HEAD
+ phase:2,\
+ block,\
+ capture,\
+- t:none,t:lowercase,\
++ t:none,t:lowercase,t:removeWhitespace,\
+ msg:'PHP Injection Attack: PHP Script File Upload Found',\
+ logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
+ tag:'application-multi',\
diff -Nru modsecurity-crs-3.3.7/debian/patches/series
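Review bot: The header of the embedded patch says only "Add patch from upstream" and carries no `Origin:` field or upstream commit id, so the three `t:removeWhitespace` additions cannot be compared with the upstream fix for CVE-2026-33691 from this debdiff alone. I would add a DEP-3 line such as `Origin: upstream, <UPSTREAM_COMMIT_URL>` (placeholder; the value is not on the page) below `Subject:`. Because `t:removeWhitespace` strips every whitespace character before the operator runs, it is also worth checking on a test host that legitimate upload names containing spaces do not start matching these rules, and that no other rule with the same `FILES|REQUEST_HEADERS:X-Filename|…` variable list still uses only `t:none,t:lowercase`. The SecRule lines themselves begin outside the inner hunks, so the operators these transformations feed are not visible here.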
modsecurity-crs-3.3.7/debian/patches/series
--- modsecurity-crs-3.3.7/debian/patches/series 2026-01-10 16:00:48.000000000 +0000
+++ modsecurity-crs-3.3.7/debian/patches/series 2026-03-29 16:29:12.000000000 +0000
@@ -1,2 +1,3 @@
 fix_paths
 cve-2026-21876.patch
+cve-2026-33691.patch
\ No newline at end of file