ModSecurity Changelog

New in version 2.5.12 (February 6th, 2010)

  • Fixed SecUploadFileMode to set the correct mode.
  • Fixed nolog,auditlog/noauditlog/nolog controls for disruptive actions.
  • Added additional file info definitions introduced in APR 0.9.5 so that the build works with older APRs (IBM HTTP Server v6).
  • Added SecUploadFileLimit to limit the number of uploaded file parts that will be processed in a multipart POST. The default is 100.
  • Fixed path normalization to better handle backreferences that extend above root directories. Reported by Sogeti/ESEC R&D.
  • Trim whitespace around phrases used with @pmFromFile and allow for both LF and CRLF terminated lines.
  • Allow for more robust parsing of multipart header folding. Reported by Sogeti/ESEC R&D.
  • Fixed failure to match internally set TX variables with regex (TX:/.../) syntax.
  • Fixed failure to log full internal TX variable names and populate MATCHED_VAR* vars.
  • Enabled PCRE "studying" by default. This is now a configure-time option.
  • Added PCRE match limits (SecPcreMatchLimit/SecPcreMatchLimitRecursion) to aid in mitigating ReDoS-type attacks. A rule that goes over the limits will set TX:MSC_PCRE_LIMITS_EXCEEDED. It is intended that the next major release of ModSecurity (2.6.x) will move these flags to a dedicated collection.
  • Reduced the default PCRE match limits, reducing the impact of ReDoS on poorly written regex rules. Reported by Sogeti/ESEC R&D.
  • Fixed memory leak in v1 cookie parser. Reported by Sogeti/ESEC R&D.
  • Now support macro expansion in numeric operators (@eq, @ge, @lt, etc.).
  • Update copyright to 2010.
  • Reserved 700,000-799,999 IDs for Ivan Ristic.
  • Fixed SecAction not working when CONNECT request method is used (MODSEC-110). [Ivan Ristic]
  • Do not escape quotes in macro resolution and only escape NUL in setenv values.
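As an added example (not taken from the changelog or the ModSecurity distribution), the fragment below combines the 2.5.12 directives listed above: it sets the PCRE match limits and the upload-part limit, then uses the regex TX:/.../ selector to block and audit-log any request in which a rule exceeded the limits. The limit values, the deny/403 response and the message text are assumptions chosen for illustration.

```apache
# Added example, not part of the ModSecurity changelog or its shipped configuration.
SecRuleEngine On
SecRequestBodyAccess On

# Cap PCRE backtracking per rule evaluation. 2.5.12 lowered the built-in
# defaults; these explicit values are assumptions for illustration only.
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000

# Limit how many file parts of a multipart POST are processed
# (the 2.5.12 default is 100; 20 is an assumed stricter value).
SecUploadFileLimit 20

# When a rule's regex runs over the limits, the engine sets
# TX:MSC_PCRE_LIMITS_EXCEEDED. Match it with the regex TX:/.../ selector
# (2.5.12 fixed matching of internally set TX variables this way) and
# make the disruptive action both log and auditlog explicitly.
SecRule TX:/^MSC_PCRE_LIMITS_EXCEEDED$/ "!@eq 0" \
    "phase:2,t:none,log,auditlog,deny,status:403,msg:'PCRE match limits exceeded (%{MATCHED_VAR_NAME})'"
```

A request that trips the flag appears in the audit log with the MATCHED_VAR_NAME populated (also fixed in 2.5.12), which identifies the variable so the offending rule's regex can be found and rewritten.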

New in version 2.5.10 (September 25th, 2009)

  • This release fixes a number of small issues.
  • Notable issues that have been fixed are a cleaner build process, fixes to mlogc to build on Windows and allow more reliable SSL negotiation to the console, less verbose logging when using anomaly scoring with CRS v2.x, and a feature to allow easier use with Apache mpm-itk.

New in version 2.5.9 (March 12th, 2009)

  • This release fixes a potential DoS vulnerability discovered by "Internet Security Auditors" when parsing multipart requests.
  • Additionally, the build process was cleaned up and a few features were added, including atomic updates of persistent counters and macro expansion of the append/prepend actions.
  • Upgrading to this release is highly recommended.

New in version 2.5.7 (September 30th, 2008)

  • This release fixes some not-so-common issues with request limits, logging, XML processing, and handling some "legacy" protocols in the request body.

New in version 2.5.7 RC1 (September 18th, 2008)

  • This is a release candidate available to verify fixes for some not-so-common issues with request limits, logging, XML processing, and handling some "legacy" protocols in the request body.
  • If you are seeing one of these reported issues, then please verify that this release corrects it.