@zimmerle zimmerle released this Jul 19, 2017

Assets 11

Bug fixes

  • IIS build refactoring and dependencies update
    [Issue #1487 - @victorhora]
  • Best practice: Initialize msre_var pointers
    [Commit fbd57 - Allan Boll]
  • nginx: Obtain port from r->connection->local_sockaddr. As reported by Przemyslaw Duda the lack of this commit may lead to a DoS. This patch is now merged on all nginx trees. But we still recommend nginx users to move forward to version 3.
    [Commit 51314 - @defanator and Przemyslaw Duda]
  • Updates libinjection to v3.10.0
    [Issue #1412 - @client9, @zimmerle and @bjdijk]
  • Avoid log flood while using SecConnEngine
    [Issue #1436 - @victorhora]
  • Make url path absolute for SecHashEngine only when it is relative in the first place.
    [Issue #752, #1071 - @hideaki]
  • Fix the hex digit size for SHA1 on msc_crypt implementation.
    [Issue #1354 - @zimmerle and @parthasarathi204]
  • Avoid to flush xml buffer while assembling the injected html.
    [Issue #742 - @zimmerle]
  • Avoid additional operator invokation if last transform of a multimatch doesn't modify the input
    [Issue #1086, #1087 - Daniel Stelter-Gliese]
  • Adds a sanity check before use ctl:ruleRemoveTargetByTag.
    [Issue #1353 - @LukeP21 and @zimmerle]
  • Uses an optional global lock while manipulating collections.
    [Issues #1224 - @mturk and @zimmerle]
  • Fix collection naming problem while merging collections.
    [Issue #1274 - Coty Sutherland and @zimmerle]
  • Fix --enable-docs adding missing Makefile, modifying autoconf and filenames
    [Issue #1322 - @victorhora]
  • Change from using rand() to thread-safe ap_random_pick.
    [Issue #1289 - Robert Bost]
  • Cosmetics: added comments on odd looking code to prevent future scrutiny
    [Issue #1279 - Coty Sutherland]
  • {dis|en}able-server-context-logging: Option to disable logging of server info (log producer, sanitized objects, ...) in audit log.
    [Issue #1069 - Marc Stern]
  • Allow drop to work with mod_http2
    [Issue #1308, #992 - @bazzadp]
  • Fix SecConn(Read|Write)StateLimit on Apache 2.4
    [Issue #1340, #1337, #786 - Sander Hoentjen]
  • {dis|en}able-stopwatch-logging: Option to disable logging of stopwatches
    in audit log.
    [Issue #1067 - Marc Stern]
  • {dis|en}able-dechunk-logging: Option to disable logging of dechunking in audit log when log level < 9.
    [Issue #1068 - Marc Stern]
  • Updates libinjection to: da027ab52f9cf14401dd92e34e6683d183bdb3b4
    [ModSecurity team]
  • {dis|en}able-handler-logging: Option to disable logging of Apache handler in audit log
    [Issue #1070, #1381 - Marc Stern]
  • {dis|en}able-collection-delete-problem-logging: Option to disable logging of collection delete problem in audit log when log level < 9.
    [Issue #1380 - Marc Stern]
  • Adds rule id in logs whenever a rule fail.
    [Issue #1379, #391 - Marc Stern]
  • {dis|en}able-server-logging: Option to disable logging of "Server" in audit log when log level < 9.
    [Issue #1070 - Marc Stern]
  • {dis|en}able-filename-logging: Option to disable logging of filename in audit log.
    [Issue #1065 - Marc Stern]
  • Reads fuzzy hash databases on init
    [Issue #1339 - Robert Paprocki and @Rendername]
  • Changes the configuration to recognize soap+xml as XML
    [Issue #1374 - @emphazer and Chaim Sanders]
  • Fix building with nginx >= 1.11.11
    [Issue #1373, #1359 - Andrei Belov and Thomas Deutschmann]
  • Using Czechia instea of Czech Republic
    [Issue #1258 - Michael Kjeldsen]
  • {dis|en}able-rule-id-validation: Option to disable rule id validation
    [Issue #1150 - Marc Stern and ModSecurity team]
  • JSON Log: Append a newline to concurrent JSON audit logs
    [Issue #1233 - Robert Paprocki]
  • JSON Log: Don't unnecessarily rename request body parts in cleanup
    [Issue #1223 - Robert Paprocki]
  • Fix error message inside audit logs
    [Issue #1216 and #1073 - Armin Abfalterer]
  • Remove port from IPV4 address when running under IIS.
    [Issue #1220, #1109 and #734 - Robert Culyer]
  • Remove logdata and msg fields from JSON audit log rule.
    [Issue #1190 and #1174 - Robert Paprocki]
  • Better handle the json parser cleanup
    [Issue #1204 - Ephraim Vider]
  • Fix status failing to report in Nginx auditlogs
    [Issue #977, #1171 - @charlymps and Chaim Sanders]
  • Fix file upload JSON audit log entry
    [Issue #1181 and #1173 - Robert Paprocki and Christian Folini]
  • configure: Fix detection whether libcurl is linked against gnutls and, move verbose_output declaration up to the beginning.
    [Issue #1158 - Thomas Deutschmann (@Whissi)]
  • Treat APR_INCOMPLETE as APR_EOF while receiving the request body.
    [Issue #1060, #334 - Alexey Sintsov]

Security Issues

  • Allan Boll reported an uninitialize variable that may lead to a crash on Windows platform.
  • Brian Adeloye reported an infinite loop on the version of libInjection used on ModSecurity 2.9.1.