Skip to content

docs: add missing libmodsecurity v3.0.16 requirement to v3.3.10 CHANGES#4693

Merged
fzipi merged 1 commit into
v3.3/masterfrom
fix/v3.3.10-changes-libmodsecurity-note
Jul 2, 2026
Merged

docs: add missing libmodsecurity v3.0.16 requirement to v3.3.10 CHANGES#4693
fzipi merged 1 commit into
v3.3/masterfrom
fix/v3.3.10-changes-libmodsecurity-note

Conversation

@fzipi

@fzipi fzipi commented Jul 2, 2026

Copy link
Copy Markdown
Member

what

adds a "requires libmodsecurity v3.0.16 or later" breaking-change bullet to the v3.3.10 entry in CHANGES.md, alongside the existing ModSecurity v2 opt-out note.

why

v3.3.10 (#4689, already merged) added rule 901181, which uses ctl:ruleRemoveTargetByTag=<tag>;XML://@* — the same syntax as v4.25.1's equivalent rule. The @ character in that target fails to parse on libmodsecurity v3 versions older than v3.0.16 (owasp-modsecurity/ModSecurity#3589), a parse-time failure distinct from the already-documented ModSecurity v2 runtime limitation.

v3.3 supports running on nginx/libmodsecurity v3 (see tests/docker-compose.yml's modsec3-nginx service), so this requirement applies here just as it does on v4.25.1 — but the v3.3.10 CHANGES.md entry only documented the ModSecurity v2 side. Missed because the two breaking changes address different engines (v2 vs v3) and different failure modes (silent no-op vs. parse failure); v4.25.1's CHANGES.md has both, v3.3.10's was missing this one.

refs

ai disclosure

  • tools used: Claude (Sonnet 5)
  • assisted with: identifying the missing note by comparing v3.3.10's merged CHANGES.md against v4.25.1's, confirming rule 901181 uses the affected ctl syntax, drafting this PR description
  • review performed: grepped rules/REQUEST-901-INITIALIZATION.conf on v3.3/master post-merge to confirm the ctl:ruleRemoveTargetByTag=...;XML://@* action is present, and checked tests/docker-compose.yml to confirm nginx/libmodsecurity v3 is a supported target for this branch

Rule 901181 (added in v3.3.10) uses the same ctl:ruleRemoveTargetByTag
with an '@'-containing target as v4.25.1's equivalent rule, and v3.3
supports running on nginx/libmodsecurity v3 (see tests/docker-compose.yml).
The v3.3.10 CHANGES.md entry only documented the ModSecurity v2 opt-out
limitation and was missing this separate, already-fixed parse-time
requirement that v4.25.1's CHANGES.md already has.
@fzipi fzipi requested a review from a team July 2, 2026 16:22
@fzipi fzipi added the release:ignore Ignore for changelog release label Jul 2, 2026
@fzipi fzipi merged commit ab9e8bb into v3.3/master Jul 2, 2026
5 checks passed
@fzipi fzipi deleted the fix/v3.3.10-changes-libmodsecurity-note branch July 2, 2026 16:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

release:ignore Ignore for changelog release

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants