Is there a 2.x patch for security issue CVE-2015-8379?

[SimonEast]

After installing my CakePHP app on a new server I found it triggering mod_security (rule 241601) - it's trying to protect me from the CVE-2015-8379 security issue in CakePHP up to 3.1.5.

1. I tried doing a search, but couldn't work out if (or when) this was patched in CakePHP 2.x. Has it been?
2. If not, is there a simple tweak that can be made to existing code to fix this hole?
3. Is anyone aware of the steps to prevent mod_security from 403ing these requests, other than disabling that particular rule?

[chinpei215]

From the next time, please send an email to security [at] cakephp.org when you want to ask a question about security of CakePHP.

1. This patch should solve the issue: 4b8d628
3. SecRuleRemoveById

[markstory]

2.7.9 was the first release that contained 4b8d628

[onlyjob]

It would be great to mention CVEs on release notes...

[markstory]

@onlyjob I agree. In this situation the CVE was claimed after the release was done, and we were not told about the CVE being claimed.

[ravage84]

@markstory means the CVE should have been published with a correct statement which versions are affected and which are not. That would have answered @onlyjob's question implicitly.

[markstory]

@ravage84 That would be nice too, but the original issue reporter claimed and filled out the CVE report as well.