CVE-2023-28882

NameCVE-2023-28882
DescriptionTrustwave ModSecurity 3.0.5 through 3.0.8 before 3.0.9 allows a denial of service (worker crash and unresponsiveness) because some inputs cause a segfault in the Transaction class for some configurations.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1035083

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
modsecurity (PTS)buster, buster (security)3.0.3-1+deb10u2fixed
bullseye3.0.4-2fixed
bookworm3.0.9-1+deb12u1fixed
trixie3.0.12-1fixed
sid3.0.12-1.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
modsecuritysourcebuster(not affected)
modsecuritysourcebullseye(not affected)
modsecuritysource(unstable)3.0.9-11035083

Notes

[bullseye] - modsecurity <not-affected> (Vulnerable code not present)
[buster] - modsecurity <not-affected> (Vulnerable code not present)
https://www.trustwave.com/en-us/resources/security-resources/software-updates/announcing-modsecurity-version-309/
https://github.com/SpiderLabs/ModSecurity/pull/2886
Introduced by: https://github.com/SpiderLabs/ModSecurity/commit/8df35deadb16b19e4cd936e6370688dccf1e18a4 (v3.0.5)
Fixed by: https://github.com/SpiderLabs/ModSecurity/commit/db84d8cf771d39db578707cd03ec2b60f74c9785 (v3.0.9)
Search for package or bug name: Reporting problems