Mod Security Change Log
Written by Administrator   


Changes with Mod Security 2.6.x



Changes with Mod Security 2.5.12

  • Fixed SecUploadFileMode to set the correct mode.
  • Fixed nolog,auditlog/noauditlog/nolog controls for disruptive actions.
  • Added additional file info definitions introduced in APR 0.9.5 so that build will work with older APRs (IBM HTTP Server v6).
  • Added SecUploadFileLimit to limit the number of uploaded file parts that will be processed in a multipart POST. The default is 100.
  • Fixed path normalization to better handle backreferences that extend above root directories. Reported by Sogeti/ESEC R&D.
  • Trim whitespace around phrases used with @pmFromFile and allow for both LF and CRLF terminated lines.
  • Allow for more robust parsing for multipart header folding. Reported by Sogeti/ESEC R&D.
  • Fixed failure to match internally set TX variables with regex (TX:/.../) syntax.
  • Fixed failure to log full internal TX variable names and populate MATCHED_VAR vars.
  • Enabled PCRE "studying" by default. This is now a configure-time option.
  • Added PCRE match limits (SecPcreMatchLimit/SecPcreMatchLimitRecursion) to aid in mitigating ReDoS-type attacks. A rule that exceeds the limits will set TX:MSC_PCRE_LIMITS_EXCEEDED. It is intended that the next major release of ModSecurity (2.6.x) will move these flags to a dedicated collection.
  • Reduced the default PCRE match limits, reducing the impact of ReDoS on poorly written regex rules. Reported by Sogeti/ESEC R&D.
  • Fixed memory leak in v1 cookie parser. Reported by Sogeti/ESEC R&D.
  • Now support macro expansion in numeric operators (@eq, @ge, @lt, etc.).
  • Update copyright to 2010.
  • Reserved 700,000-799,999 IDs for Ivan Ristic.
  • Fixed SecAction not working when CONNECT request method is used (MODSEC-110). [Ivan Ristic]
  • Do not escape quotes in macro resolution and only escape NUL in setenv values.
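Added example configuration (not from the ModSecurity project) showing the 2.5.12 match-limit directives together with a rule that surfaces the flag they set; the limit values and rule id are illustrative, and the flag is assumed to hold the value 1 when a limit is hit.

```apache
# Added example, not part of the ModSecurity distribution. Values are illustrative.
# Bound PCRE backtracking so a rule with a pathological regex cannot be driven
# into runaway matching by crafted input (ReDoS).
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000

# When a rule exceeds either limit, ModSecurity 2.5.12 aborts that match and sets
# TX:MSC_PCRE_LIMITS_EXCEEDED instead. Because the failed rule never matched, the
# request would otherwise pass uninspected; this rule makes the event visible and
# fails closed. The "@eq 1" value is an assumption; id 900001 is a placeholder.
# Place one such rule at the end of each phase whose rules should be covered.
SecRule TX:MSC_PCRE_LIMITS_EXCEEDED "@eq 1" \
    "id:900001,phase:2,t:none,log,auditlog,deny,status:403,\
    msg:'PCRE match limit exceeded: possible ReDoS attempt or overly complex rule',\
    severity:WARNING"
```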


Changes with Mod Security 2.5.11
  • Added a new multipart flag, MULTIPART_INVALID_QUOTING, which will be set true if any invalid quoting is found during multipart parsing.
  • Fixed parsing quoted strings in multipart Content-Disposition headers. Discovered by Stefan Esser.
  • Cleanup persistence database locking code.
  • Added a warning during configure if libcurl is found linked against GnuTLS for SSL. The OpenSSL library is recommended, as GnuTLS has proven to cause issues with mutexes and may crash.
  • Cleanup some mlogc (over)logging.
  • Do not log output filter errors in the error log.
  • Moved output filter to run before other stock filters (mod_deflate, mod_cache, mod_expires, mod_filter) to avoid analyzing modified data in the response. Patch originally submitted by Ivan Ristic.


Changes with Mod Security 2.5.10
  • Cleanup mlogc so that it builds on Windows.
  • Added more detailed messages to replace "Unknown error" in filters.
  • Cleanup SecUploadFileMode implementation.
  • Fixed crash on configuration if SecMarker is used before any rules.
  • Fixed SecRuleUpdateActionById so that it will work on chain starters.
  • Cleanup build system for mlogc.
  • Allow mlogc to periodically flush memory pools.
  • Using nolog,auditlog will now log the "Message:" line to the auditlog, but nothing to the error log. Prior versions dropped the "Message:" line from both logs. To do this now, just use "nolog" or "nolog,noauditlog".
  • Forced mlogc to use SSLv3 to avoid some potential auto-negotiation issues with some libcurl versions.
  • Fixed mlogc issue seen on big endian machines where content type could be listed as zero.
  • Removed extra newline from audit log message line when logging XML errors. This was causing problems parsing audit logs.
  • Fixed @pm/@pmFromFile case insensitivity.
  • Truncate long parameters in log message for "Match of ... against ... required" messages.
  • Correctly resolve chained rule actions in logs.
  • Cleanup some code for portability.
  • AIX does not support hidden visibility with xlc compiler.
  • Allow specifying EXTRA_CFLAGS during configure to override gcc specific values for non-gcc compilers.
  • Populate GEO:COUNTRY_NAME and GEO:COUNTRY_CONTINENT as documented.
  • Handle a newer geo database more gracefully, avoiding a potential crash for new countries that ModSecurity is not yet aware of.
  • Allow checking &GEO "@eq 0" for a failed @geoLookup.
  • Fixed mlogc global mutex locking issue and added more debugging output.
  • Cleaned up build dependencies and configure options.


Changes with Mod Security 2.5.9
  • Fixed parsing multipart content with a missing part header name which would crash Apache. Discovered by "Internet Security Auditors" (isecauditors.com).
  • Added ability to specify the config script directly using --with-apr and --with-apu.
  • Updated copyright year to 2009.
  • Added macro expansion for append/prepend action.
  • Fixed race condition in concurrent updates of persistent counters. Updates are now atomic.
  • Cleaned up build, adding an option for verbose configure output and making the mlogc build more portable.


Changes with Mod Security 2.5.7
  • Fixed XML DTD/Schema validation which will now fail after request body processing errors, even if the XML parser returns a document tree.
  • Added ctl:forceRequestBodyVariable=on|off which, when enabled, will force the REQUEST_BODY variable to be set when a request body processor is not set. Previously the REQUEST_BODY target was only populated by the URLENCODED request body processor.
  • Integrated mlogc source.
  • Fixed logging the hostname in the error_log which was logging the request hostname instead of the Apache resolved hostname.
  • Allow for disabling request body limit checks in phase:1.
  • Added transformations for processing parity for legacy protocols ported to HTTP(S): t:parityEven7bit, t:parityOdd7bit, t:parityZero7bit.
  • Added t:cssDecode transformation to decode CSS escapes.
  • Now log XML parsing/validation warnings and errors to the debug log at levels 3 and 4, respectively.
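Added example configuration (not from the ModSecurity project) showing how the 2.5.7 ctl:forceRequestBodyVariable action is used for a content type that has no dedicated body processor; the JSON content type and the rule ids are illustrative choices.

```apache
# Added example, not part of the ModSecurity distribution. Rule ids are placeholders.
SecRequestBodyAccess On

# Phase 1: application/json has no request body processor in 2.5.x, so by default
# REQUEST_BODY stays empty for such requests and phase-2 rules that target it
# inspect nothing. Forcing the variable (2.5.7+) makes the raw body available.
SecRule REQUEST_HEADERS:Content-Type "@beginsWith application/json" \
    "id:900010,phase:1,t:none,t:lowercase,pass,nolog,ctl:forceRequestBodyVariable=on"

# Phase 2: REQUEST_BODY is now populated and ordinary body rules apply.
SecRule REQUEST_BODY "@rx (?i:<script)" \
    "id:900011,phase:2,t:none,log,auditlog,deny,status:403,\
    msg:'Script tag in JSON request body'"
```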


Last Updated on Friday, 20 April 2012 10:40