modsecurity-crs (3.2.3-0+deb10u3) buster-security; urgency=medium

  * If you are using modsecurity-crs with apache2 / libapache2-modsecurity,
    please make sure to review your modsecurity configuration,
    usually /etc/modsecurity/modsecurity.conf, against the updated recommended
    configuration, available in /etc/modsecurity/modsecurity.conf-recommended.

    Some of the changes to the recommended rules are required to avoid Web
    Application Firewall bypasses in certain circumstances.

  * The modsecurity-crs ruleset requires an updated modsecurity component to
    mitigate CVE-2022-39956.
    For the apache2 module, packaged as libapache2-mod-security, the required
    updated package is available through the regular Debian LTS channel
    and will be automatically installed.

    If you are using some other solution in connection with the modsecurity-crs,
    for example one that is using libmodsecurity3, your solution might fail
    with an error message like "Error creating rule: Unknown variable:
    MULTIPART_PART_HEADERS". In this case you can disable the mitigation for
    CVE-2022-39956 by removing the rule file REQUEST-922-MULTIPART-ATTACK.conf.
    However, be aware that this will disable the protection and could allow
    attackers to bypass your Web Application Firewall.

    There is no package in Debian which depends on libmodsecurity3, so if you
    are only using software which is available from Debian, you are not affected
    by this limitation.
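    The following POSIX shell script is an added example, not part of the
    Debian package or of the CRS project. It supports the two review steps
    described above: it lists the Sec* directives of the recommended file
    that are missing from, or differ in, the active modsecurity.conf, and it
    locates the CRS rule files that reference MULTIPART_PART_HEADERS, i.e. the
    rules that an engine without that variable will refuse to load. The
    function names (sec_directives, config_drift, config_drift_count,
    rules_using_variable, demo) are the example's own, and the configuration
    and rule contents in demo are constructed samples, not the package's files.

```shell
#!/bin/sh
# Added example (hypothetical helper names; not shipped by Debian or CRS).
# Paths in the comments are the Debian defaults named in the NEWS entry.
export LC_ALL=C   # consistent collation for sort/comm

# Print the Sec* directives of a config file, one per line, with comments
# dropped and whitespace normalised, so two files can be compared verbatim.
sec_directives() {
    grep -E '^[[:space:]]*Sec[A-Za-z]+' "$1" \
        | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//; s/[[:space:]]+/ /g' \
        | sort -u
}

# Print every directive line present in the recommended file ($2) but not,
# verbatim, in the active file ($1). A deliberate local change (for example
# SecRuleEngine On) shows up too; the point is that each line gets reviewed.
config_drift() {
    act_norm=$(mktemp); rec_norm=$(mktemp)
    sec_directives "$1" > "$act_norm"
    sec_directives "$2" > "$rec_norm"
    comm -23 "$rec_norm" "$act_norm"
    rm -f "$act_norm" "$rec_norm"
}

# Number of drifted directives, usable as a pass/fail check before an upgrade.
config_drift_count() {
    config_drift "$1" "$2" | wc -l | tr -d ' '
}

# List the *.conf files under a rules directory ($1) that reference a
# variable name ($2). With MULTIPART_PART_HEADERS this finds the rule file
# the NEWS entry says to remove when the engine does not know the variable.
rules_using_variable() {
    grep -l -- "$2" "$1"/*.conf 2>/dev/null
}

# Demonstration on constructed sample files (not the real package contents).
demo() {
    d=$(mktemp -d)
    cat > "$d/modsecurity.conf" <<'EOF'
# constructed sample of an administrator's active configuration
SecRuleEngine On
SecRequestBodyAccess On
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
EOF
    cat > "$d/modsecurity.conf-recommended" <<'EOF'
# constructed sample of the recommended configuration
SecRuleEngine DetectionOnly
SecRequestBodyAccess On
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
SecRequestBodyLimitAction Reject
EOF
    mkdir "$d/rules"
    printf 'SecRule MULTIPART_PART_HEADERS "@rx x" "id:922110,phase:2"\n' \
        > "$d/rules/REQUEST-922-MULTIPART-ATTACK.conf"
    printf 'SecRule REQUEST_HEADERS:Host "@rx ^$" "id:920280,phase:1"\n' \
        > "$d/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"

    echo "recommended directives to review against the active config:"
    config_drift "$d/modsecurity.conf" "$d/modsecurity.conf-recommended"
    echo "rule files referencing MULTIPART_PART_HEADERS:"
    rules_using_variable "$d/rules" MULTIPART_PART_HEADERS
    rm -rf "$d"
}

demo
```

    On a Debian system the same functions would be called with
    /etc/modsecurity/modsecurity.conf, /etc/modsecurity/modsecurity.conf-recommended
    and the directory holding the CRS rule files; the comparison is purely
    textual, so a directive that was changed on purpose is reported alongside
    one that is genuinely missing, which is the intended reading of "review".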

 -- Tobias Frost <tobi@debian.org>  Sat, 28 Jan 2023 10:46:28 +0100
