=====================================================================
CERT-Renater Information Note No. 2009/VULN095
_____________________________________________________________________
DATE                 : 12/03/2009
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running ModSecurity.
======================================================================

http://sourceforge.net/project/shownotes.php?release_id=667542&group_id=68846
http://sourceforge.net/project/shownotes.php?release_id=667538
______________________________________________________________________

ModSecurity
Release Name: 2.5.9

Notes:
This release fixes a potential DoS vulnerability discovered by "Internet Security Auditors" when parsing multipart requests. Additionally, the release cleans up the build process and adds a few features, including atomic updates of persistent counters and macro expansion of the append/prepend actions. It is highly recommended to upgrade to this release.

NOTE: A pre-released copy of 2.5.9 was inadvertently uploaded. If you downloaded prior to 11 March 2009 at 23:25 PDT, then you may have the wrong version and should verify. These versions only differed in documentation, however.

Changes:
* Fixed parsing multipart content with a missing part header name which would crash Apache. Discovered by "Internet Security Auditors" (isecauditors.com).
* Added ability to specify the config script directly using --with-apr and --with-apu.
* Updated copyright year to 2009.
* Added macro expansion for append/prepend action.
* Fixed race condition in concurrent updates of persistent counters. Updates are now atomic.
* Cleaned up build, adding an option for verbose configure output and making the mlogc build more portable.
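The first item in the 2.5.9 change list, a multipart part header with no name crashing Apache, is an instance of a parser assuming that every header line carries a name. The following Python parser is an added example, not ModSecurity's code, showing the defensive shape a practitioner wants from such a parser: each part header is validated and a malformed body is rejected with an explicit error (so the front end can answer with a 400) rather than being dereferenced blindly. The boundary string and both sample bodies are constructed for the example.

```python
"""Defensive parsing of multipart/form-data part headers.

Added example (not ModSecurity code): rejects malformed multipart bodies,
such as a part header line with an empty name, with an explicit error
instead of trusting the input.
"""
from __future__ import annotations


class MultipartError(ValueError):
    """Raised for a structurally invalid multipart body; the caller should reject the request."""


def parse_part_headers(raw: bytes) -> dict[str, str]:
    """Parse one part's header block into a lowercase-name -> value dict.

    Every non-empty line must be `name: value` with a non-empty token name.
    A line such as `: value` (missing name) is rejected rather than stored.
    """
    headers: dict[str, str] = {}
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise MultipartError(f"part header without ':' separator: {line!r}")
        name = name.strip()
        if not name:
            raise MultipartError("part header with empty name")
        # Header names are tokens: letters, digits and '-' are enough here.
        if not name.replace(b"-", b"").isalnum():
            raise MultipartError(f"illegal characters in header name: {name!r}")
        headers[name.decode("ascii").lower()] = value.strip().decode("latin-1")
    return headers


def parse_multipart(body: bytes, boundary: str) -> list[dict]:
    """Split a multipart body into [{'headers': {...}, 'body': bytes}, ...].

    Raises MultipartError on any structural problem.
    """
    delim = b"--" + boundary.encode("ascii")
    segments = body.split(delim)
    # segments[0] is the preamble; the last segment must be the closing "--".
    if len(segments) < 2 or not segments[-1].startswith(b"--"):
        raise MultipartError("missing closing boundary")
    parts: list[dict] = []
    for seg in segments[1:-1]:
        if not seg.startswith(b"\r\n"):
            raise MultipartError("boundary not followed by CRLF")
        head, sep, data = seg[2:].partition(b"\r\n\r\n")
        if not sep:
            raise MultipartError("part without header/body separator")
        if data.endswith(b"\r\n"):  # CRLF that precedes the next boundary
            data = data[:-2]
        headers = parse_part_headers(head)
        if "content-disposition" not in headers:
            raise MultipartError("part without Content-Disposition")
        parts.append({"headers": headers, "body": data})
    return parts


def inspect_multipart(body: bytes, boundary: str) -> str:
    """Return 'ok' or 'reject: <reason>' so a caller can decide on a 400 response."""
    try:
        parse_multipart(body, boundary)
    except MultipartError as exc:
        return f"reject: {exc}"
    return "ok"


# Constructed sample inputs (not taken from the advisory).
BOUNDARY = "----constructed-boundary"

GOOD_BODY = (
    b"------constructed-boundary\r\n"
    b'Content-Disposition: form-data; name="field"\r\n'
    b"\r\n"
    b"hello\r\n"
    b"------constructed-boundary--\r\n"
)

BAD_BODY = (
    b"------constructed-boundary\r\n"
    b': form-data; name="field"\r\n'  # header line with no name
    b"\r\n"
    b"hello\r\n"
    b"------constructed-boundary--\r\n"
)

if __name__ == "__main__":
    print(inspect_multipart(GOOD_BODY, BOUNDARY))
    print(inspect_multipart(BAD_BODY, BOUNDARY))
```

The point of `inspect_multipart` is that every malformed input, the empty header name included, ends in a controlled rejection path; nothing downstream ever sees a part whose header name is absent.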
_____________________________________________________________________________

ModSecurity
Release Name: 2.5.8

Notes:
This release fixes a potential DoS vulnerability when PDF XSS protection is enabled (default is disabled) as well as a minor issue with an invalid "internal error" message. This release was immediately superseded by 2.5.9 to fix another major issue found during the 2.5.8 release cycle. You should install the 2.5.9 release instead.

Changes:
* Fixed PDF XSS issue where a non-GET request for a PDF file would crash the Apache httpd process. Discovered by Steve Grubb at Red Hat.
* Removed an invalid "Internal error: Issuing "%s" for unspecified error." message that was logged when denying with nolog/noauditlog set and causing the request to be audited.
======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel  : 01-53-94-20-44        +
+ 151 bd de l'Hopital   | fax  : 01-53-94-20-41        +
+ 75013 Paris           | email: certsvp@renater.fr    +
=========================================================