February 6th, 2010
· Fixed SecUploadFileMode to set the correct mode.
· Fixed nolog,auditlog/noauditlog/nolog controls for disruptive actions.
· Added additional file info definitions introduced in APR 0.9.5 so that build will work with older APRs (IBM HTTP Server v6).
· Added SecUploadFileLimit to limit the number of uploaded file parts that will be processed in a multipart POST. The default is 100.
· Fixed path normalization to better handle backreferences that extend above root directories. Reported by Sogeti/ESEC R&D.
· Trim whitespace around phrases used with @pmFromFile and allow for both LF and CRLF terminated lines.
· Allow for more robust parsing for multipart header folding. Reported by Sogeti/ESEC R&D.
· Fixed failure to match internally set TX variables with regex (TX:/.../) syntax.
· Fixed failure to log full internal TX variable names and populate MATCHED_VAR* vars.
· Enabled PCRE "studying" by default. This is now a configure-time option.
· Added PCRE match limits (SecPcreMatchLimit/SecPcreMatchLimitRecursion) to aide in REDoS type attacks. A rule that goes over the limits will set TX:MSC_PCRE_LIMITS_EXCEEDED. It is intended that the next major release of ModSecurity (2.6.x) will move these flags to a dedicated collection.
· Reduced default PCRE match limits reducing impact of REDoS on poorly written regex rules. Reported by Sogeti/ESEC R&D.
· Fixed memory leak in v1 cookie parser. Reported by Sogeti/ESEC R&D.
· Now support macro expansion in numeric operators (@eq, @ge, @lt, etc.)
· Update copyright to 2010.
· Reserved 700,000-799,999 IDs for Ivan Ristic.
· Fixed SecAction not working when CONNECT request method is used (MODSEC-110). [Ivan Ristic]
· Do not escape quotes in macro resolution and only escape NUL in setenv values.
September 25th, 2009
· This release fixes a number of small issues.
· Notable issues that have been fixed are a cleaner build process, fixes to mlogc to build on Windows and allow more reliable SSL negotiation to the console, less verbose logging when using anomaly scoring with CRS v2.x, and a feature to allow easier use with Apache mpm-itk.
March 12th, 2009
· This release fixes a potential DoS vulnerability discovered by "Internet Security Auditors" when parsing multipart requests.
· Additionally, the build process was cleaned up and a few features were added, including atomic updates of persistent counters and macro expansion of the append/prepend actions.
· Upgrading to this release is highly recommended.
September 30th, 2008
· This release fixes some not-so-common issues with request limits, logging, XML processing, and handling some "legacy" protocols in the request body.
September 18th, 2008
· This is a release candidate available to verify fixes for some not-so-common issues with request limits, logging, XML processing, and handling some "legacy" protocols in the request body.
· If you are seeing one of these reported issues, then please verify that this release corrects it.