Releases: owasp-modsecurity/ModSecurity
Releases · owasp-modsecurity/ModSecurity
v3.0.12
Security impacting issue
- Change REQUEST_FILENAME and REQUEST_BASENAME behavior
[Issue #3048 - @martinhsv, @theMiddleBlue, @theseion, @M4tteoP, @airween]
WAF bypass of the ModSecurity v3 release line for path-based payloads by submitting a specially crafted request URL. For details, see CVE 2024-1019.
Enhancements and bug fixes
- Set the minimum security protocol version (TLSv1.2) for SecRemoteRules
[Issue security/code-scanning/2 - @airween]
Contributors
airween, theseion, and 3 other contributors
Assets 5
v3.0.11
Security impacting issue
- Add WRDE_NOCMD to wordexp call
[Issue #3024 - @sahruldotid, @martinhsv ]
Note: Although this issue ostensibly allows for specially-crafted SecRule content to execute OS command-line commands when the rules are loaded, this is unlikely to be a serious issue in most deployments. A malicious actor who has access to modify the ModSecurity configuration of an installation can cause severe effects in a multitude of other ways.
New feature
- Add support for expirevar action
[Issue #1803, #3001 - @martinhsv]
Enhancements and bug fixes
- Fix: validateDTD compile fails if libxml2 not installed
[Issue #3014 - @zangobot, @martinhsv] - Fix memory leak of validateDTD's dtd object
[Issue #3008 - @martinhsv, @zimmerle ] - Fix memory leaks in ValidateSchema
[Issue #3005 - @martinhsv, @zimmerle] - Fix: lmdb regex match on non-null terminated string
[Issue #2985 - @martinhsv] - Fix memory leaks in lmdb code (new'd strings)
[Issue #2983 - @martinhsv] - Configure: add additional name to pcre2 pkg-config list
[Issue #2939 - @agebhar1, @fzipi, @martinhsv]
Contributors
zimmerle, agebhar1, and 4 other contributors
Assets 5
v3.0.10
Security impacting issue
- Fix: worst-case time in implementation of four transformations
[Issue #2934 - @martinhsv]
Additional information on this issue is available at https://www.trustwave.com/resources/blogs/spiderlabs-blog/modsecurity-v3-dos-vulnerability-in-four-transformations-cve-2023-38285/
Enhancements and bug fixes
- Add TX synonym for MSC_PCRE_LIMITS_EXCEEDED
[Issue #2901 - @airween] - Make MULTIPART_PART_HEADERS accessible to lua
[Issue #2916 - @martinhsv] - Fix: Lua scripts cannot read whole collection at once
[Issue #2900 - @udi-aharon, @airween, @martinhsv] - Fix: quoted Include config with wildcard
[Issue #2905 - @wiseelf, @airween, @martinhsv] - Support isolated PCRE match limits
[Issue #2736 - @brandonpayton, @martinhsv] - Fix: meta actions not applied if multiMatch in first rule of chain
[Issue #2867, #2868 - @mlevogiannis, @martinhsv] - Fix: audit log may omit tags when multiMatch
[Issue #2866 - @mlevogiannis] - Exclude CRLF from MULTIPART_PART_HEADER value
[Issue #2870 - @airween, @martinhsv] - Configure: use AS_ECHO_N instead echo -n
[Issue #2894 - @liudongmiao, @martinhsv] - Adjust position of memset from 2890
[Issue #2891 -@mirkodziadzka-avi, @martinhsv]
Contributors
airween, liudongmiao, and 6 other contributors
Assets 5
v3.0.9
Security issue
- Add some member variable inits in Transaction class (possible segfault)
[Issue #2886 - @GNU-Plus-Windows-User, @airween, @mdounin, @martinhsv]
Enhancements and bug fixes
- Fix: possible segfault on reload if duplicate ip+CIDR in ip match list
[Issue #2877, #2890 - @tomsommer, @martinhsv] - Resolve memory leak on reload (bison-generated variable)
[Issue #2876 - @martinhsv] - Support equals sign in XPath expressions
[Issue #2328 - @dennus, @martinhsv] - Encode two special chars in error.log output
[Issue #2854 - @airween, @martinhsv] - Add JIT support for PCRE2
[Issue #2791 - @wfjsw, @airween, @FireBurn, @martinhsv] - Support comments in ipMatchFromFile file via '#' token
[Issue #2554 - @tomsommer, @martinhsv] - Use name package name libmaxminddb with pkg-config
[Issue #2595, #2596 - @frankvanbever, @ffontaine, @arnout] - Fix: FILES_TMP_CONTENT collection key should use part name
[Issue #2831 - @airween] - Use AS_HELP_STRING instead of obsolete AC_HELP_STRING macro
[Issue #2806 - @hughmcmaster] - During configure, do not check for pcre if pcre2 specified
[Issue #2750 - @dvershinin, @martinhsv] - Use pkg-config to find libxml2 first
[Issue #2714 - @hughmcmaster] - Fix two rule-reload memory leak issues
[Issue #2801 - @Abce, @martinhsv] - Correct whitespace handling for Include directive
[Issue #2800 - @877509395, @martinhsv]
Contributors
FireBurn, tomsommer, and 13 other contributors
Assets 5
v2.9.7
Security impacting issues
- Fix: FILES_TMP_CONTENT may sometimes lack complete content
[Issue #2857 - gieltje, @airween, @dune73, @martinhsv]
New features
- Support configurable limit on number of arguments processed
[Issue #2844 - @jleproust, @martinhsv] - Support for PCRE2
[Issue #2840, #2833, #2737, #2827 - @martinhsv]
Bug fixes and enhancements
- Silence compiler warning about discarded const
[Issue #2843 - @Steve8291, @martinhsv] - Use uid for user if apr_uid_name_get() fails
[Issue #2046 - @arminabf, @marcstern] - Fix: handle error with SecConnReadStateLimit configuration
[Issue #2815, #2834 - @marcstern, @martinhsv]] - Adjustment of previous fix for log messages
[Issue #2832 - @marcstern, @erkia] - Mark apache error log messages as from mod_security2
[Issue #2781 - @erkia] - Use pkg-config to find libxml2 first
[Issue #2818 - @hughmcmaster]
Contributors
airween, dune73, and 7 other contributors
Assets 8
v3.0.8
Note: additional information on the release and some of the key changes will be published separately in short order.
New features and security impacting issues
- Adjust parser activation rules in modsecurity.conf-recommended
[Issue #2796 - @terjanq, @martinhsv] - Multipart parsing fixes and new MULTIPART_PART_HEADERS collection
[Issue #2795 - @terjanq, @martinhsv]
Bug fixes
- Prevent LMDB related segfault
[Issue #2755, #2761 - @dvershinin] - Fix msc_transaction_cleanup function comment typo
[Issue #2788 - @lookat23] - Fix: MULTIPART_INVALID_PART connected to wrong internal variable
[Issue #2785 - @martinhsv] - Restore Unique_id to include random portion after timestamp
[Issue #2752, #2758 - @datkps11, @martinhsv]
Contributors
dvershinin, lookat23, and 3 other contributors
Assets 5
v2.9.6
Note: additional information on the release and some of the key changes will be published separately in short order.
New features and security impacting issues
- Adjust parser activation rules in modsecurity.conf-recommended
[Issue #2799 - @terjanq, @martinhsv] - Multipart parsing fixes and new MULTIPART_PART_HEADERS collection
[Issue #2797 - @terjanq, @martinhsv]
Bug fixes
- Limit rsub null termination to where necessary
[Issue #2794 - @marcstern, @martinhsv] - IIS: Update dependencies for next planned release
[@martinhsv] - XML parser cleanup: NULL duplicate pointer
[Issue #2760 - @martinhsv] - Properly cleanup XML parser contexts upon completion
[Issue #2239 - @argenet] - Fix memory leak in streams
[Issue #2208 - @marcstern, @vloup, @JamesColeman-LW] - Fix: negative usec on log line when data type long is 32b
[Issue #2753 - @ABrauer-CPT, @martinhsv] - mlogc log-line parsing fails due to enhanced timestamp
[Issue #2682 - @bozhinov, @ABrauer-CPT, @martinhsv] - Allow no-key, single-value JSON body
[Issue #2735 - @marcstern, @martinhsv] - Set SecStatusEngine Off in modsecurity.conf-recommended
[Issue #2717 - @un99known99, @martinhsv] - Fix memory leak that occurs on JSON parsing error
[Issue #2236 @argenet, @vloup, @martinhsv] - Multipart names/filenames may include single quote if double-quote enclosed
[Issue #2352 @martinhsv] - Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended
[Issue #2647 @theMiddleBlue, @airween, @877509395 ,@martinhsv]
Contributors
airween, un99known99, and 10 other contributors
Assets 8
v3.0.7
New features
- Support PCRE2
[Issue #2668 - @martinhsv] - Support SecRequestBodyNoFilesLimit
[Issue #2670 - @airween, @martinhsv] - Add ctl:auditEngine action support
[Issue #2606 - @alekravch, @martinhsv]
Bug fixes
- Move PCRE2 match block from member variable
[@martinhsv] - Add SecArgumentsLimit, 200007 to modsecurity.conf-recommended
[Issue #2738 - @jleproust, @martinhsv] - Fix memory leak when concurrent log includes REMOTE_USER
[Issue #2727 - @liudongmiao] - Fix LMDB initialization issues
[Issue #2688 - @ziollek @martinhsv] - Fix initcol error message wording
[Issue #2732 - @877509395, @martinhsv] - Tolerate other parameters after boundary in multipart C-T
[Issue #1900 - @martinhsv] - Add DebugLog message for bad pattern in rx operator
[Issue #2723 - @martinhsv] - Fix misuses of LMDB API
[Issue #2601, #2602 - @hyc] - Fix duplication typo in code comment
[Issue #2677 - @gleydsonsoares] - Fix multiMatch msg, etc, population in audit log
[Issue #2573 - @Sachin-M-Desai , @martinhsv] - Fix some name handling for ARGS_*NAMES: regex SecRuleUpdateTargetById, etc.
[Issue #2627, #2648 - @lontchianicet , @victorserbu2709 , @martinhsv] - Adjust confusing variable name in setRequestBody method
[Issue #2635 - @Mesar-Ali , @martinhsv] - Multipart names/filenames may include single quote if double-quote enclosed
[Issue #2352 - @martinhsv] - Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended
[Issue #2647 - @theMiddleBlue , @airween , @877509395 , @martinhsv]
Contributors
airween, hyc, and 12 other contributors
Assets 5
v2.9.5
Security issue
- Support configurable limit on depth of JSON parsing (possible DoS issue)
[@theMiddleBlue, @airween, @dune73, @martinhsv]
Notes
- For Windows, as we are not aware of anyone using the 32-bit installer, only the 64-bit installer is now included
- Users of ModSecurity that cannot update immediately may wish to consult issue #2647, or the related blog post, for mitigation suggestions.
Contributors
airween, dune73, and 2 other contributors
Assets 8
v3.0.6
Security issue
- Support configurable limit on depth of JSON parsing (possible DoS issue)
[@theMiddleBlue, @martinhsv]
Contributors
theMiddleBlue and martinhsv