Thjere is a vulnerability in modsecurity that can be used to bypass certain rules under certain conditions. You can read more about it here:https://community.qualys.com/blogs/secu ... t-bypasses
We (unlike the core rules) already had rules for all of these cases, so if you are using the real time rules or ASL you should be fine. You are encouraged to upgrade to 2.6.6 as it contains a better multi-part processing engine that mitigates this entire class of attacks. Defense in Depth is always a good thing, and some of the rules to prevent these attacks from working may interfere with strange applications (although so far we havent seen any reports to that effect and some of these rules are pretty old).
To upgrade just run this command as root:
yum -y upgrade mod_security