New in version 2.5.12 (February 6th, 2010)
- Fixed SecUploadFileMode to set the correct mode.
- Fixed nolog,auditlog/noauditlog/nolog controls for disruptive actions.
- Added additional file info definitions introduced in APR 0.9.5 so that the build will work with older APRs (IBM HTTP Server v6).
- Added SecUploadFileLimit to limit the number of uploaded file parts that will be processed in a multipart POST. The default is 100.
- Fixed path normalization to better handle backreferences that extend above root directories. Reported by Sogeti/ESEC R&D.
- Trim whitespace around phrases used with @pmFromFile and allow for both LF and CRLF terminated lines.
- Allow for more robust parsing for multipart header folding. Reported by Sogeti/ESEC R&D.
- Fixed failure to match internally set TX variables with regex (TX:/.../) syntax.
- Fixed failure to log full internal TX variable names and populate MATCHED_VAR* vars.
- Enabled PCRE "studying" by default. This is now a configure-time option.
- Added PCRE match limits (SecPcreMatchLimit/SecPcreMatchLimitRecursion) to help mitigate ReDoS-type attacks. A rule that goes over the limits will set TX:MSC_PCRE_LIMITS_EXCEEDED. It is intended that the next major release of ModSecurity (2.6.x) will move these flags to a dedicated collection.
- Reduced the default PCRE match limits, reducing the impact of ReDoS on poorly written regex rules. Reported by Sogeti/ESEC R&D.
- Fixed memory leak in v1 cookie parser. Reported by Sogeti/ESEC R&D.
- Now supports macro expansion in numeric operators (@eq, @ge, @lt, etc.).
- Updated copyright to 2010.
- Reserved 700,000-799,999 IDs for Ivan Ristic.
- Fixed SecAction not working when CONNECT request method is used (MODSEC-110). [Ivan Ristic]
- Do not escape quotes in macro resolution and only escape NUL in setenv values.
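The following Apache/ModSecurity configuration excerpt is an added example, not part of the changelog or the ModSecurity project's own files. It shows how the two new hardening directives from this release (SecPcreMatchLimit/SecPcreMatchLimitRecursion and SecUploadFileLimit) are set, and how a rule can act on the TX:MSC_PCRE_LIMITS_EXCEEDED flag the release introduces. The numeric values, the 403 status and the message text are illustrative assumptions, not recommended defaults.

```apache
# Added example (not from the ModSecurity changelog or project).
# Values below are illustrative assumptions; tune them for your rule set.

# Bound the work a single regex evaluation may do. This caps the cost of a
# ReDoS-prone pattern in a poorly written rule instead of letting one request
# pin a worker process.
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000

# Bound the number of file parts processed from a multipart POST
# (the release default is 100; 10 assumed here for a site that accepts a
# single upload per form).
SecUploadFileLimit 10

# When a rule exceeds the PCRE limits, ModSecurity aborts that regex, so the
# rule cannot match, and sets TX:MSC_PCRE_LIMITS_EXCEEDED. Checking the flag
# explicitly turns a silently skipped rule into a logged, blocked event.
# Place this rule after the rest of the rule set so it evaluates last in its
# phase.
SecRule TX:MSC_PCRE_LIMITS_EXCEEDED "@eq 1" \
    "phase:2,t:none,deny,status:403,log,auditlog,severity:2,msg:'PCRE match limits exceeded; a regex rule was not evaluated'"
```

If you only want visibility rather than blocking, the same rule with `phase:5,pass,log` records the event in the audit log for every phase without changing the request outcome; `phase:2` is used above because a deny must happen before the response is generated.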
New in version 2.5.10 (September 25th, 2009)
- This release fixes a number of small issues.
- Notable issues that have been fixed are a cleaner build process, fixes to mlogc to build on Windows and allow more reliable SSL negotiation to the console, less verbose logging when using anomaly scoring with CRS v2.x, and a feature to allow easier use with Apache mpm-itk.
New in version 2.5.9 (March 12th, 2009)
- This release fixes a potential DoS vulnerability discovered by "Internet Security Auditors" when parsing multipart requests.
- Additionally, the build process was cleaned up and a few features were added, including atomic updates of persistent counters and macro expansion of the append/prepend actions.
- Upgrading to this release is highly recommended.
New in version 2.5.7 (September 30th, 2008)
- This release fixes some not-so-common issues with request limits, logging, XML processing, and handling some "legacy" protocols in the request body.
New in version 2.5.7 RC1 (September 18th, 2008)
- This is a release candidate available to verify fixes for some not-so-common issues with request limits, logging, XML processing, and handling some "legacy" protocols in the request body.
- If you are seeing one of these reported issues, then please verify that this release corrects it.