Skip to content

@zimmerle zimmerle released this Jan 13, 2020 · 84 commits to v3/master since this release

New features

Bug fixes

Security issue

Assets 5

@victorhora victorhora released this Dec 5, 2018 · 14 commits to v2/master since this release

Bug fixes

Improvements

Assets 11

@zimmerle zimmerle released this Nov 5, 2018 · 241 commits to v2/master since this release

New features

Bug fixes

Improvements

Assets 5

@zimmerle zimmerle released this Apr 3, 2018 · 355 commits to v3/master since this release

Bug fixes

Assets 5

@zimmerle zimmerle released this Apr 2, 2018 · 358 commits to v3/master since this release

New features

Bug fixes

Improvements

  • Include all prerequisites for "make check" into dist archive
    [Issue #1716 - @defanator]
  • Adds capture action to detectXSS
    [Issue #1698 - @victorhora]
  • Temporarily accept invalid MULTIPART_SEMICOLON_MISSING operator
    [Issue #1701 - @victorhora]
  • Adds capture action to detectSQLi
    [Issue #1698 - @zimmerle]
  • Adds capture action to rbl
    [Issue #1698 - @zimmerle]
  • Adds capture action to verifyCC
    [Issue #1698 - @michaelgranzow-avi, @zimmerle]
  • Adds capture action to verifySSN
    [Issue #1698 - @zimmerle]
  • Adds capture action to verifyCPF
    [Issue #1698 - @zimmerle]
  • Prettier error messages for unsupported configurations (UX)
    [@victorhora]
  • Add missing verify*** transformation statements to parser
    [Issue #1006 and #1007 - @victorhora]
  • Fix a set of compilation warnings
    [Issue #1650 - @zimmerle, @JayCase]
  • Added some cosmetics to autoconf related code
    [Issue #1652 - @airween]
  • Fix "make dist" target to include necessary headers for Lua
    [Issue #1678 - @defanator]
  • Having LDADD and LDFLAGS organized on Makefile.am
    [0xd0e85e - @zimmerle]
  • perf improvement: Added the concept of RunTimeString and removed
    all run time parser.
    [0x3eae51 0x0320e0 0xb5688f 0xfe47a9 0xfa9842 0x1affc3 0x079de4
    0xc7c04f 0x5262ea 0x01974a 0xd5ee1e - @zimmerle]
  • perf improvement: Checks debuglog level before format debug msg
    [0x42ee9 - @zimmerle]
  • perf. improvement/rx: Only compute dynamic regex in case of macro
    [0x91ff3 - @zimmerle]
Assets 5

@zimmerle zimmerle released this Dec 14, 2017 · 241 commits to v2/master since this release

Bug fixes

Improvements

Assets 5
Pre-release
Pre-release

@zimmerle zimmerle released this Aug 28, 2017 · 241 commits to v2/master since this release

This is the first release candidate for ModSecurity version 3.

If you are not familiar with ModSecurity version 3, most likely this release is not what you are looking for. For the Apache module please refer to the v2.x releases.

There is no change log as this is the first release candidate. The goal was to mimic the version 2 most popular functionalities.

In order to use this library within your webserver, you need use a compatible connectors: ModSecurity-nginx, ModSecurity-apache.

Further information about this release can be found in our wiki: ModSecurity-version-3-RC1

Assets 5

@zimmerle zimmerle released this Jul 19, 2017

Bug fixes

  • IIS build refactoring and dependencies update
    [Issue #1487 - @victorhora]
  • Best practice: Initialize msre_var pointers
    [Commit fbd57 - Allan Boll]
  • nginx: Obtain port from r->connection->local_sockaddr. As reported by Przemyslaw Duda the lack of this commit may lead to a DoS. This patch is now merged on all nginx trees. But we still recommend nginx users to move forward to version 3.
    [Commit 51314 - @defanator and Przemyslaw Duda]
  • Updates libinjection to v3.10.0
    [Issue #1412 - @client9, @zimmerle and @bjdijk]
  • Avoid log flood while using SecConnEngine
    [Issue #1436 - @victorhora]
  • Make url path absolute for SecHashEngine only when it is relative in the first place.
    [Issue #752, #1071 - @hideaki]
  • Fix the hex digit size for SHA1 on msc_crypt implementation.
    [Issue #1354 - @zimmerle and @parthasarathi204]
  • Avoid to flush xml buffer while assembling the injected html.
    [Issue #742 - @zimmerle]
  • Avoid additional operator invokation if last transform of a multimatch doesn't modify the input
    [Issue #1086, #1087 - Daniel Stelter-Gliese]
  • Adds a sanity check before use ctl:ruleRemoveTargetByTag.
    [Issue #1353 - @LukeP21 and @zimmerle]
  • Uses an optional global lock while manipulating collections.
    [Issues #1224 - @mturk and @zimmerle]
  • Fix collection naming problem while merging collections.
    [Issue #1274 - Coty Sutherland and @zimmerle]
  • Fix --enable-docs adding missing Makefile, modifying autoconf and filenames
    [Issue #1322 - @victorhora]
  • Change from using rand() to thread-safe ap_random_pick.
    [Issue #1289 - Robert Bost]
  • Cosmetics: added comments on odd looking code to prevent future scrutiny
    [Issue #1279 - Coty Sutherland]
  • {dis|en}able-server-context-logging: Option to disable logging of server info (log producer, sanitized objects, ...) in audit log.
    [Issue #1069 - Marc Stern]
  • Allow drop to work with mod_http2
    [Issue #1308, #992 - @bazzadp]
  • Fix SecConn(Read|Write)StateLimit on Apache 2.4
    [Issue #1340, #1337, #786 - Sander Hoentjen]
  • {dis|en}able-stopwatch-logging: Option to disable logging of stopwatches
    in audit log.
    [Issue #1067 - Marc Stern]
  • {dis|en}able-dechunk-logging: Option to disable logging of dechunking in audit log when log level < 9.
    [Issue #1068 - Marc Stern]
  • Updates libinjection to: da027ab52f9cf14401dd92e34e6683d183bdb3b4
    [ModSecurity team]
  • {dis|en}able-handler-logging: Option to disable logging of Apache handler in audit log
    [Issue #1070, #1381 - Marc Stern]
  • {dis|en}able-collection-delete-problem-logging: Option to disable logging of collection delete problem in audit log when log level < 9.
    [Issue #1380 - Marc Stern]
  • Adds rule id in logs whenever a rule fail.
    [Issue #1379, #391 - Marc Stern]
  • {dis|en}able-server-logging: Option to disable logging of "Server" in audit log when log level < 9.
    [Issue #1070 - Marc Stern]
  • {dis|en}able-filename-logging: Option to disable logging of filename in audit log.
    [Issue #1065 - Marc Stern]
  • Reads fuzzy hash databases on init
    [Issue #1339 - Robert Paprocki and @rendername]
  • Changes the configuration to recognize soap+xml as XML
    [Issue #1374 - @emphazer and Chaim Sanders]
  • Fix building with nginx >= 1.11.11
    [Issue #1373, #1359 - Andrei Belov and Thomas Deutschmann]
  • Using Czechia instea of Czech Republic
    [Issue #1258 - Michael Kjeldsen]
  • {dis|en}able-rule-id-validation: Option to disable rule id validation
    [Issue #1150 - Marc Stern and ModSecurity team]
  • JSON Log: Append a newline to concurrent JSON audit logs
    [Issue #1233 - Robert Paprocki]
  • JSON Log: Don't unnecessarily rename request body parts in cleanup
    [Issue #1223 - Robert Paprocki]
  • Fix error message inside audit logs
    [Issue #1216 and #1073 - Armin Abfalterer]
  • Remove port from IPV4 address when running under IIS.
    [Issue #1220, #1109 and #734 - Robert Culyer]
  • Remove logdata and msg fields from JSON audit log rule.
    [Issue #1190 and #1174 - Robert Paprocki]
  • Better handle the json parser cleanup
    [Issue #1204 - Ephraim Vider]
  • Fix status failing to report in Nginx auditlogs
    [Issue #977, #1171 - @charlymps and Chaim Sanders]
  • Fix file upload JSON audit log entry
    [Issue #1181 and #1173 - Robert Paprocki and Christian Folini]
  • configure: Fix detection whether libcurl is linked against gnutls and, move verbose_output declaration up to the beginning.
    [Issue #1158 - Thomas Deutschmann (@Whissi)]
  • Treat APR_INCOMPLETE as APR_EOF while receiving the request body.
    [Issue #1060, #334 - Alexey Sintsov]

Security Issues

  • Allan Boll reported an uninitialize variable that may lead to a crash on Windows platform.
  • Brian Adeloye reported an infinite loop on the version of libInjection used on ModSecurity 2.9.1.
Assets 11

@zimmerle zimmerle released this Mar 9, 2016

There are no changes between the version 2.9.1-RC1 and version 2.9.1.

Known issues

  • Depending upon your Apache configuration you may have two "client" entries on the logs. The extended description of this issue can be found at: #840.
Assets 11
Pre-release
Pre-release

@zimmerle zimmerle released this Feb 3, 2016

New features

  • Added support to generate audit logs in JSON format.

    [Issue #914, #897, #656 - Robert Paprocki]
  • Extended Lua support to include version 5.3

    [Issue #837, #762, #814 - Athmane Madjoudj and ModSecurity team]
  • mlogc: Allows user to choose between TLS versions (TLSProtocol option
    introduced).

    [Issue #881 - Ishwor Gurung]
  • Allows mod_proxy's "nocanon" behavior to be specified in proxy actions.

    [Issue #1031, #961, #763 - Mario D. Santana and ModSecurity team]

Bug fixes

  • Creating AuditLog serial file (or parallel index) respecting the
    permission configured with SecAuditLogFileMode. Previously, it was
    used only to save the transactions while in parallel mode.

    [Issue #852 - @littlecho and ModSecurity team]
  • Checking for hashing injection response, to report in case of failure.

    [Issue #1041 - ModSecurity team]
  • Stop buffering when the request is larger than SecRequestBodyLimit
    in ProcessPartial mode

    [Issue #709, #705, #728 - Justin Gerace and ModSecurity team]
  • Refactoring conditional #if/#defs directives.

    [Issue #996 - Wesley M and ModSecurity team]
  • mlogc-batch-load.pl.in: fix searching SecAuditLogStorageDir
    files with Apache 2.4

    [Issue #775 - Elia Pinto]
  • Understands IIS 10 as compatible on Windows installer.

    [Issue #931 - Anton Serbulov, Pavel Vasilevich and ModSecurity team]
  • Fix apache logging limitation by using correct Apache call.

    [Issue #840 - Christian Folini]
  • Fix apr_crypto.h check on 32-bit Linux platform

    [Issue #882, #883 - Kurt Newman]
  • Fix variable resolution duration (Content of the DURATION variable).

    [Issue #662 - Andrew Elble]
  • Fix crash while adding empty keys to persistent collections.

    [Issue #927 - Eugene Alekseev, Marc Stern and ModSecurity team]
  • Remove misguided call to srand()

    [Issues #778, #781 and #836 - Michael Bunk, @gilperon]
  • Fix compilation problem while ssdeep is installed in non-standard
    location.

    [Issue #872 - Kurt Newman]
  • Fix invalid storage reference by apr_psprintf at msc_crypt.c

    [Issue #609 - Jeff Trawick]

Known issues

  • Instabilities of nginx add-on are still expected. Please use the "nginx
    refactoring" branch and stay tuned for the ModSecurity version 3.
Assets 11
You can’t perform that action at this time.