Skip to content

Releases: SpiderLabs/ModSecurity

v3.0.8

07 Sep 20:16
v3.0.8
996c7e1
Compare
Choose a tag to compare

Note: additional information on the release and some of the key changes will be published separately in short order.

New features and security impacting issues

Bug fixes

v2.9.6

08 Sep 00:23
v2.9.6
dfba4fd
Compare
Choose a tag to compare

Note: additional information on the release and some of the key changes will be published separately in short order.

New features and security impacting issues

Bug fixes

v3.0.7

30 May 20:08
v3.0.7
1bdd047
Compare
Choose a tag to compare

New features

Bug fixes

v2.9.5

22 Nov 23:59
v2.9.5
8602999
Compare
Choose a tag to compare

Security issue

Notes

  • For Windows, as we are not aware of anyone using the 32-bit installer, only the 64-bit installer is now included
  • Users of ModSecurity that cannot update immediately may wish to consult issue #2647, or the related blog post, for mitigation suggestions.

v3.0.6

20 Nov 02:09
v3.0.6
c3d7f4b
Compare
Choose a tag to compare

Security issue

v3.0.5

07 Jul 23:06
v3.0.5
Compare
Choose a tag to compare

New features

  • Having ARGS_NAMES, variables proxied
    [@zimmerle, @martinhsv, @KaNikita]
  • Use explicit path for cross-compile environments.
    [Issue #2485 - @dtoubelis]
  • Fix: FILES variable does not use multipart part name for key
    [Issue #2377 - @martinhsv]
  • Regression: Mark the test as failed in case of segfault.
    [@zimmerle]
  • GeoIP: switch to GEOIP_MEMORY_CACHE from GEOIP_INDEX_CACHE
    [Issues #2378, #2186 - @defanator]
  • Add support to test framework for audit log content verification
    and add regression tests for issues #2000, #2196
  • Support configurable limit on number of arguments processed
    [Issue #2234 - @jleproust, @martinhsv]
  • Multipart Content-Dispostion should allow field: filename*=
    [@martinhsv]
  • Adds support to lua 5.4
    [@zimmerle]
  • Add support for new operator rxGlobal
    [@martinhsv]

Bug fixes

Security Impacting Issues

  • Handle URI received with uri-fragment
    [@martinhsv]

v2.9.4

21 Jun 22:07
Compare
Choose a tag to compare

Enhancements

Bug fixes

  • Store temporaries in the request pool for regexes compiled per-request.
    [Issue #890, #2049 - @lightsey]
  • Fix other usage of the global pool for request temporaries in re_operators.c
    [Issue #890, #2049 - @lightsey]
  • Adds a sanity check before use ctl:ruleRemoveTargetById and ctl:ruleRemoveTargetByMsg.
    [Issue #2033 - @studersi]
  • Fix the order of error_msg validation
    [Issue #2128 - @marcstern, @zimmerle]
  • When the input filter finishes, check whether we returned data
    [Issue #2091, #2092 - @rainerjung]
  • fix: care non-null terminated chunk data
    [Issue #2097 - @orisano]
  • Fix for apr_global_mutex_create() crashes with mod_security
    [Issue #1957 - @blappm]
  • Fix inet addr handling on 64 bit big endian systems
    [Issue #1980 - @zimmerle, @airween]

Notes

  • Windows installer no longer includes OWASP CRS.

v3.0.4

13 Jan 17:40
v3.0.4
753145f
Compare
Choose a tag to compare

New features

Bug fixes

Security issue

v2.9.3

05 Dec 16:40
Compare
Choose a tag to compare

Bug fixes

Improvements

v3.0.3

05 Nov 20:54
Compare
Choose a tag to compare

New features

Bug fixes

Improvements