Version in base suite: 3.0.14-1 Base version: modsecurity_3.0.14-1 Target version: modsecurity_3.0.14-1+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/m/modsecurity/modsecurity_3.0.14-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/m/modsecurity/modsecurity_3.0.14-1+deb13u1.dsc changelog | 7 ++ patches/fix-CVE-2026-30923.patch | 39 +++++++++++++ patches/fix-CVE-2026-42268.patch | 111 +++++++++++++++++++++++++++++++++++++++ patches/series | 2 4 files changed, 159 insertions(+) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpiy1kshl8/modsecurity_3.0.14-1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpiy1kshl8/modsecurity_3.0.14-1+deb13u1.dsc: no acceptable signature found diff -Nru modsecurity-3.0.14/debian/changelog modsecurity-3.0.14/debian/changelog --- modsecurity-3.0.14/debian/changelog 2025-02-25 15:58:02.000000000 +0000 +++ modsecurity-3.0.14/debian/changelog 2026-04-30 15:23:57.000000000 +0000 @@ -1,3 +1,10 @@ +modsecurity (3.0.14-1+deb13u1) trixie; urgency=medium + + [ Ervin Hegedus ] + * Add fixes for CVE-2026-30923 and CVE-2026-42268 + + -- Hegedüs Ervin Thu, 30 Apr 2026 17:23:57 +0200 + modsecurity (3.0.14-1) unstable; urgency=medium [ Alberto Gonzalez Iniesta ] diff -Nru modsecurity-3.0.14/debian/patches/fix-CVE-2026-30923.patch modsecurity-3.0.14/debian/patches/fix-CVE-2026-30923.patch --- modsecurity-3.0.14/debian/patches/fix-CVE-2026-30923.patch 1970-01-01 00:00:00.000000000 +0000 +++ modsecurity-3.0.14/debian/patches/fix-CVE-2026-30923.patch 2026-04-30 15:23:57.000000000 +0000 
@@ -0,0 +1,39 @@
+From: Ervin Hegedus
+Date: Thu, 30 Apr 2026 16:54:36 +0200
+Subject: fix-CVE-2026-30923
+
+---
+ src/actions/transformations/hex_decode.cc | 2 +-
+ .../secrules-language-tests/transformations/hexDecode.json | 7 +++++++
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/actions/transformations/hex_decode.cc b/src/actions/transformations/hex_decode.cc
+index ed3c76f..21a69c8 100644
+--- a/src/actions/transformations/hex_decode.cc
++++ b/src/actions/transformations/hex_decode.cc
+@@ -28,7 +28,7 @@ static inline int inplace(std::string &value) {
+ auto d = reinterpret_cast(value.data());
+ const auto *data = d;
+ 
+- for (int i = 0; i <= len - 2; i += 2) {
++ for (std::string::size_type i = 0; i + 1 < len; i += 2) {
+ *d++ = utils::string::x2c(&data[i]);
+ }
+ 
+diff --git a/test/test-cases/secrules-language-tests/transformations/hexDecode.json b/test/test-cases/secrules-language-tests/transformations/hexDecode.json
+index 664fbd8..907a092 100644
+--- a/test/test-cases/secrules-language-tests/transformations/hexDecode.json
++++ b/test/test-cases/secrules-language-tests/transformations/hexDecode.json
+@@ -40,5 +40,12 @@
+ "input" : "01234567890a0",
+ "output" : "\\x01#Eg\\x89\\x0a",
+ "ret" : 1
++ },
++ {
++ "type" : "tfn",
++ "name" : "hexDecode",
++ "input" : "a",
++ "output" : "",
++ "ret" : 1
+ }
+ ]
diff -Nru modsecurity-3.0.14/debian/patches/fix-CVE-2026-42268.patch modsecurity-3.0.14/debian/patches/fix-CVE-2026-42268.patch
--- modsecurity-3.0.14/debian/patches/fix-CVE-2026-42268.patch 1970-01-01 00:00:00.000000000 +0000
+++ modsecurity-3.0.14/debian/patches/fix-CVE-2026-42268.patch 2026-04-30 15:23:57.000000000 +0000
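Review bot: The added regression test exercises only the one-byte input, but the empty string took the same `len - 2` underflow path in the old loop and is not covered; add a second case to hexDecode.json with `"input" : ""` and `"output" : ""`, with `ret` set to whatever the harness reports for a zero-length result. The new bound `i + 1 < len` is only free of a signed/unsigned mismatch if `len` is unsigned — the underflow this CVE fixes implies it is a `size_t`, but its declaration is above the hunk, so confirm it is not an `int`. A short comment on the loop would save the next reader re-deriving this: `// i + 1 < len: no size_t underflow for len < 2; a trailing odd nibble is silently dropped`. The remainder of inplace (whatever resize/return follows the loop) is outside the hunk.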
@@ -0,0 +1,111 @@
+From: Ervin Hegedus
+Date: Thu, 30 Apr 2026 17:21:56 +0200
+Subject: fix-CVE-2026-42268
+
+---
+ src/operators/verify_cpf.cc | 2 +-
+ src/operators/verify_ssn.cc | 2 +-
+ src/operators/verify_svnr.cc | 2 +-
+ .../secrules-language-tests/operators/verifycpf.json | 10 +++++++---
+ .../secrules-language-tests/operators/verifyssn.json | 9 +++++++--
+ .../secrules-language-tests/operators/verifysvnr.json | 10 +++++++---
+ 6 files changed, 24 insertions(+), 11 deletions(-)
+
+diff --git a/src/operators/verify_cpf.cc b/src/operators/verify_cpf.cc
+index 07ebe74..2311266 100644
+--- a/src/operators/verify_cpf.cc
++++ b/src/operators/verify_cpf.cc
+@@ -118,7 +118,7 @@ bool VerifyCPF::evaluate(Transaction *t, RuleWithActions *rule,
+ return false;
+ }
+ 
+- for (i = 0; i < input.size() - 1 && is_cpf == false; i++) {
++ for (size_t i = 0; i + 1 < input.size() && !is_cpf; i++) {
+ matches = m_re->searchAll(input.substr(i, input.size()));
+ for (const auto & m : matches) {
+ is_cpf = verify(m.str().c_str(), m.str().size());
+diff --git a/src/operators/verify_ssn.cc b/src/operators/verify_ssn.cc
+index eabeb1a..fcb808f 100644
+--- a/src/operators/verify_ssn.cc
++++ b/src/operators/verify_ssn.cc
+@@ -120,7 +120,7 @@ bool VerifySSN::evaluate(Transaction *t, RuleWithActions *rule,
+ return false;
+ }
+ 
+- for (i = 0; i < input.size() - 1 && is_ssn == false; i++) {
++ for (size_t i = 0; i + 1 < input.size() && !is_ssn; i++) {
+ matches = m_re->searchAll(input.substr(i, input.size()));
+ for (const auto & j : matches) {
+ is_ssn = verify(j.str().c_str(), j.str().size());
+diff --git a/src/operators/verify_svnr.cc b/src/operators/verify_svnr.cc
+index ce3147a..f985f33 100644
+--- a/src/operators/verify_svnr.cc
++++ b/src/operators/verify_svnr.cc
+@@ -87,7 +87,7 @@ bool VerifySVNR::evaluate(Transaction *t, RuleWithActions *rule,
+ return is_svnr;
+ }
+ 
+- for (i = 0; i < input.size() - 1 && is_svnr == false; i++) {
++ for (size_t i = 0; i + 1 < input.size() && !is_svnr; i++) {
+ matches = m_re->searchAll(input.substr(i, input.size()));
+ 
+ for (const auto & j : matches) {
+diff --git a/test/test-cases/secrules-language-tests/operators/verifycpf.json b/test/test-cases/secrules-language-tests/operators/verifycpf.json
+index fe362a5..642be5f 100644
+--- a/test/test-cases/secrules-language-tests/operators/verifycpf.json
++++ b/test/test-cases/secrules-language-tests/operators/verifycpf.json
+@@ -12,8 +12,12 @@
+ "ret" : 0,
+ "type" : "op",
+ "name" : "verifycpf"
++ },
++ {
++ "param" : "([0-9]{3}\\.){2}[0-9]{3}-[0-9]{2}",
++ "input" : "",
++ "ret" : 0,
++ "type" : "op",
++ "name" : "verifycpf"
+ }
+-
+-
+-
+ ]
+diff --git a/test/test-cases/secrules-language-tests/operators/verifyssn.json b/test/test-cases/secrules-language-tests/operators/verifyssn.json
+index 9ded1af..2c5b001 100644
+--- a/test/test-cases/secrules-language-tests/operators/verifyssn.json
++++ b/test/test-cases/secrules-language-tests/operators/verifyssn.json
+@@ -26,7 +26,12 @@
+ "ret" : 0,
+ "type" : "op",
+ "name" : "verifyssn"
++ },
++ {
++ "param" : "\\d{3}-?\\d{2}-?\\d{4}",
++ "input" : "",
++ "ret" : 0,
++ "type" : "op",
++ "name" : "verifyssn"
+ }
+-
+-
+ ]
+diff --git a/test/test-cases/secrules-language-tests/operators/verifysvnr.json b/test/test-cases/secrules-language-tests/operators/verifysvnr.json
+index 426dd86..52f6cdf 100644
+--- a/test/test-cases/secrules-language-tests/operators/verifysvnr.json
++++ b/test/test-cases/secrules-language-tests/operators/verifysvnr.json
+@@ -19,8 +19,12 @@
+ "ret" : 0,
+ "type" : "op",
+ "name" : "verifysvnr"
++ },
++ {
++ "param" : "([0-9]{4} ?[0-9]{6})",
++ "input" : "",
++ "ret" : 0,
++ "type" : "op",
++ "name" : "verifysvnr"
+ }
+-
+-
+-
+ ]
diff -Nru modsecurity-3.0.14/debian/patches/series modsecurity-3.0.14/debian/patches/series
--- modsecurity-3.0.14/debian/patches/series 2023-12-12 16:52:52.000000000 +0000
+++ modsecurity-3.0.14/debian/patches/series 2026-04-30 15:23:57.000000000 +0000
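Review bot: Each of the three rewritten loops now declares its own `size_t i`, but the old code assigned to an `i` declared above the hunk; if that declaration is still present in VerifyCPF/VerifySSN/VerifySVNR::evaluate it is now unused (or shadowed, if the name is read after the loop), which -Wunused-variable/-Wshadow will flag — delete it unless something after the loop still reads it. Separately, the retained `matches = m_re->searchAll(input.substr(i, input.size()));` copies the remaining tail and rescans it on every iteration, so the operator is quadratic in the length of attacker-controlled input; that predates this fix, but since these operators run on request data it deserves a follow-up that searches from an offset without the copy. The added empty-input tests pin the `size() - 1` underflow; a one-byte input also takes the no-iteration path and returns 0 under both old and new bounds, so no further case is needed. All three evaluate() bodies start and end outside the hunk.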
@@ -1,2 +1,4 @@
 disable-network-dependent-tests.patch
 ftbfs_1034760.patch
+fix-CVE-2026-30923.patch
+fix-CVE-2026-42268.patch