Written by Administrator
Changes with ModSecurity 2.6.x
Changes with ModSecurity 2.5.12
- Fixed SecUploadFileMode to set the correct mode.
- Fixed nolog,auditlog/noauditlog/nolog controls for disruptive actions.
- Added additional file info definitions introduced in APR 0.9.5 so that the build will work with older APRs (IBM HTTP Server v6).
- Added SecUploadFileLimit to limit the number of uploaded file parts that will be processed in a multipart POST. The default is 100.
- Fixed path normalization to better handle backreferences that extend above root directories. Reported by Sogeti/ESEC R&D.
- Trim whitespace around phrases used with @pmFromFile and allow for both LF and CRLF terminated lines.
- Allow for more robust parsing for multipart header folding. Reported by Sogeti/ESEC R&D.
- Fixed failure to match internally set TX variables with regex (TX:/.../) syntax.
- Fixed failure to log full internal TX variable names and populate MATCHED_VAR.
- Enabled PCRE "studying" by default. This is now a configure-time option.
- Added PCRE match limits (SecPcreMatchLimit/SecPcreMatchLimitRecursion) to aid against REDoS-type attacks. A rule that goes over the limits will set TX:MSC_PCRE_LIMITS_EXCEEDED. It is intended that the next major release of ModSecurity (2.6.x) will move these flags to a dedicated collection.
- Reduced default PCRE match limits reducing impact of REDoS on poorly written regex rules. Reported by Sogeti/ESEC R&D.
- Fixed memory leak in v1 cookie parser. Reported by Sogeti/ESEC R&D.
- Now supports macro expansion in numeric operators (@eq, @ge, @lt, etc.).
- Updated copyright to 2010.
- Reserved 700,000-799,999 IDs for Ivan Ristic.
- Fixed SecAction not working when CONNECT request method is used (MODSEC-110). [Ivan Ristic]
- Do not escape quotes in macro resolution and only escape NUL in setenv values.
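The match-limit directives and the TX flag from the 2.5.12 entries above, shown together as an added configuration example (not from the changelog or the ModSecurity distribution); the limit values and rule id are illustrative choices, and the rule id sits in the local-use range rather than any published rule set.

```apache
# Added example: cap PCRE backtracking so a poorly written regex rule cannot
# tie up a worker on a crafted request. The values below are chosen for
# illustration; tune them against your own rule set and request mix.
SecPcreMatchLimit          1000
SecPcreMatchLimitRecursion 1000

# When an @rx rule exceeds either limit, ModSecurity 2.5.12 sets
# TX:MSC_PCRE_LIMITS_EXCEEDED instead of finishing the match. Check the flag
# in the logging phase so a hit from any earlier phase is recorded, and keep
# the event in the logs so the offending rule can be rewritten.
# Rule id 10001 is a placeholder in the local-use range (not a CRS id).
SecRule TX:MSC_PCRE_LIMITS_EXCEEDED "@eq 1" \
    "phase:5,id:10001,t:none,log,pass,msg:'PCRE match limits exceeded; a regex rule may be vulnerable to REDoS',tag:'regex-limits'"
```

Because the rule only logs, it also serves as a way to spot which production rules are hitting the limits before deciding whether to block on the flag.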
Changes with ModSecurity 2.5.11
- Added a new multipart flag, MULTIPART_INVALID_QUOTING, which will be set true if any invalid quoting is found during multipart parsing.
- Fixed parsing quoted strings in multipart Content-Disposition headers. Discovered by Stefan Esser.
- Cleanup persistence database locking code.
- Added a warning during configure if libcurl is found linked against GnuTLS for SSL. The OpenSSL library is recommended, as GnuTLS has proven to cause issues with mutexes and may crash.
- Cleanup some mlogc (over)logging.
- Do not log output filter errors in the error log.
- Moved output filter to run before other stock filters (mod_deflate, mod_cache, mod_expires, mod_filter) to avoid analyzing modified data in the response. Patch originally submitted by Ivan Ristic.
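The multipart flag from the 2.5.11 entry above together with the SecUploadFileLimit directive from 2.5.12, as an added configuration example (not from the changelog or the ModSecurity distribution); the part limit, response status and rule id are illustrative choices, with the rule id in the local-use range.

```apache
# Added example: bound how many file parts the multipart parser will process
# from a single POST. 2.5.12 defaults this to 100; 20 is an illustrative
# value for a site whose forms carry only a handful of upload fields.
SecUploadFileLimit 20

# MULTIPART_INVALID_QUOTING (new in 2.5.11) is set to 1 when the parser met
# invalid quoting in a part header, a common sign of a body crafted to be
# read differently by the firewall and the application. Reject such bodies
# in phase 2, after the request body has been parsed.
# Rule id 10002 is a placeholder in the local-use range (not a CRS id).
SecRule MULTIPART_INVALID_QUOTING "!@eq 0" \
    "phase:2,id:10002,t:none,log,deny,status:400,msg:'Invalid quoting in multipart request body'"
```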
Changes with ModSecurity 2.5.10
- Cleanup mlogc so that it builds on Windows.
- Added more detailed messages to replace "Unknown error" in filters.
- Cleanup SecUploadFileMode implementation.
- Fixed crash on configuration if SecMarker is used before any rules.
- Fixed SecRuleUpdateActionById so that it will work on chain starters.
- Cleanup build system for mlogc.
- Allow mlogc to periodically flush memory pools.
- Using nolog,auditlog will now log the "Message:" line to the audit log, but nothing to the error log. Prior versions dropped the "Message:" line from both logs. To suppress the line from both logs now, use "nolog" or "nolog,noauditlog".
- Forced mlogc to use SSLv3 to avoid some potential auto negotiation issues with some libcurl versions.
- Fixed mlogc issue seen on big endian machines where content type could be listed as zero.
- Removed extra newline from audit log message line when logging XML errors. This was causing problems parsing audit logs.
- Fixed @pm/@pmFromFile case insensitivity.
- Truncate long parameters in log message for "Match of ... against ... required" messages.
- Correctly resolve chained rule actions in logs.
- Cleanup some code for portability.
- AIX does not support hidden visibility with the xlc compiler.
- Allow specifying EXTRA_CFLAGS during configure to override gcc specific values for non-gcc compilers.
- Populate GEO:COUNTRY_NAME and GEO:COUNTRY_CONTINENT as documented.
- Handle a newer geo database more gracefully, avoiding a potential crash for new countries that ModSecurity is not yet aware of.
- Allow checking &GEO "@eq 0" for a failed @geoLookup.
- Fixed mlogc global mutex locking issue and added more debugging output.
- Cleaned up build dependencies and configure options.
Changes with ModSecurity 2.5.9
- Fixed parsing multipart content with a missing part header name which would crash Apache. Discovered by "Internet Security Auditors" (isecauditors.com).
- Added ability to specify the config script directly using --with-apr and --with-apu.
- Updated copyright year to 2009.
- Added macro expansion for append/prepend action.
- Fixed race condition in concurrent updates of persistent counters. Updates are now atomic.
- Cleaned up build, adding an option for verbose configure output and making the mlogc build more portable.
Changes with ModSecurity 2.5.7
- Fixed XML DTD/Schema validation which will now fail after request body processing errors, even if the XML parser returns a document tree.
- Added ctl:forceRequestBodyVariable=on|off which, when enabled, will force the REQUEST_BODY variable to be set when a request body processor is not set. Previously the REQUEST_BODY target was only populated by the URLENCODED request body processor.
- Integrated mlogc source.
- Fixed logging the hostname in the error_log which was logging the request hostname instead of the Apache resolved hostname.
- Allow for disabling request body limit checks in phase:1.
- Added transformations for processing parity for legacy protocols ported to HTTP(S): t:parityEven7bit, t:parityOdd7bit, t:parityZero7bit.
- Added t:cssDecode transformation to decode CSS escapes.
- XML parsing/validation warnings and errors are now logged to the debug log at levels 3 and 4, respectively.
Last Updated on Friday, 20 April 2012 10:40