Releases: owasp-modsecurity/ModSecurity
v2.9.7
Security impacting issues
- Fix: FILES_TMP_CONTENT may sometimes lack complete content
  [Issue #2857 - gieltje, @airween, @dune73, @martinhsv]
New features
- Support configurable limit on number of arguments processed
  [Issue #2844 - @jleproust, @martinhsv]
- Support for PCRE2
  [Issue #2840, #2833, #2737, #2827 - @martinhsv]
Bug fixes and enhancements
- Silence compiler warning about discarded const
  [Issue #2843 - @Steve8291, @martinhsv]
- Use uid for user if apr_uid_name_get() fails
  [Issue #2046 - @arminabf, @marcstern]
- Fix: handle error with SecConnReadStateLimit configuration
  [Issue #2815, #2834 - @marcstern, @martinhsv]
- Adjustment of previous fix for log messages
  [Issue #2832 - @marcstern, @erkia]
- Mark apache error log messages as from mod_security2
  [Issue #2781 - @erkia]
- Use pkg-config to find libxml2 first
  [Issue #2818 - @hughmcmaster]
v3.0.8
Note: additional information on the release and some of the key changes will be published separately in short order.
New features and security impacting issues
- Adjust parser activation rules in modsecurity.conf-recommended
  [Issue #2796 - @terjanq, @martinhsv]
- Multipart parsing fixes and new MULTIPART_PART_HEADERS collection
  [Issue #2795 - @terjanq, @martinhsv]
Bug fixes
- Prevent LMDB related segfault
  [Issue #2755, #2761 - @dvershinin]
- Fix msc_transaction_cleanup function comment typo
  [Issue #2788 - @lookat23]
- Fix: MULTIPART_INVALID_PART connected to wrong internal variable
  [Issue #2785 - @martinhsv]
- Restore Unique_id to include random portion after timestamp
  [Issue #2752, #2758 - @datkps11, @martinhsv]
v2.9.6
Note: additional information on the release and some of the key changes will be published separately in short order.
New features and security impacting issues
- Adjust parser activation rules in modsecurity.conf-recommended
  [Issue #2799 - @terjanq, @martinhsv]
- Multipart parsing fixes and new MULTIPART_PART_HEADERS collection
  [Issue #2797 - @terjanq, @martinhsv]
Bug fixes
- Limit rsub null termination to where necessary
  [Issue #2794 - @marcstern, @martinhsv]
- IIS: Update dependencies for next planned release
  [@martinhsv]
- XML parser cleanup: NULL duplicate pointer
  [Issue #2760 - @martinhsv]
- Properly clean up XML parser contexts upon completion
  [Issue #2239 - @argenet]
- Fix memory leak in streams
  [Issue #2208 - @marcstern, @vloup, @JamesColeman-LW]
- Fix: negative usec on log line when data type long is 32b
  [Issue #2753 - @ABrauer-CPT, @martinhsv]
- mlogc log-line parsing fails due to enhanced timestamp
  [Issue #2682 - @bozhinov, @ABrauer-CPT, @martinhsv]
- Allow no-key, single-value JSON body
  [Issue #2735 - @marcstern, @martinhsv]
- Set SecStatusEngine Off in modsecurity.conf-recommended
  [Issue #2717 - @un99known99, @martinhsv]
- Fix memory leak that occurs on JSON parsing error
  [Issue #2236 - @argenet, @vloup, @martinhsv]
- Multipart names/filenames may include single quote if double-quote enclosed
  [Issue #2352 - @martinhsv]
- Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended
  [Issue #2647 - @theMiddleBlue, @airween, @877509395, @martinhsv]
v3.0.7
New features
- Support PCRE2
  [Issue #2668 - @martinhsv]
- Support SecRequestBodyNoFilesLimit
  [Issue #2670 - @airween, @martinhsv]
- Add ctl:auditEngine action support
  [Issue #2606 - @alekravch, @martinhsv]
Bug fixes
- Move PCRE2 match block from member variable
  [@martinhsv]
- Add SecArgumentsLimit, 200007 to modsecurity.conf-recommended
  [Issue #2738 - @jleproust, @martinhsv]
- Fix memory leak when concurrent log includes REMOTE_USER
  [Issue #2727 - @liudongmiao]
- Fix LMDB initialization issues
  [Issue #2688 - @ziollek, @martinhsv]
- Fix initcol error message wording
  [Issue #2732 - @877509395, @martinhsv]
- Tolerate other parameters after boundary in multipart C-T
  [Issue #1900 - @martinhsv]
- Add DebugLog message for bad pattern in rx operator
  [Issue #2723 - @martinhsv]
- Fix misuses of LMDB API
  [Issue #2601, #2602 - @hyc]
- Fix duplication typo in code comment
  [Issue #2677 - @gleydsonsoares]
- Fix multiMatch msg, etc., population in audit log
  [Issue #2573 - @Sachin-M-Desai, @martinhsv]
- Fix some name handling for ARGS_*NAMES: regex SecRuleUpdateTargetById, etc.
  [Issue #2627, #2648 - @lontchianicet, @victorserbu2709, @martinhsv]
- Adjust confusing variable name in setRequestBody method
  [Issue #2635 - @Mesar-Ali, @martinhsv]
- Multipart names/filenames may include single quote if double-quote enclosed
  [Issue #2352 - @martinhsv]
- Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended
  [Issue #2647 - @theMiddleBlue, @airween, @877509395, @martinhsv]
v2.9.5
Security issue
- Support configurable limit on depth of JSON parsing (possible DoS issue)
[@theMiddleBlue, @airween, @dune73, @martinhsv]
Notes
- For Windows, as we are not aware of anyone using the 32-bit installer, only the 64-bit installer is now included
- Users of ModSecurity that cannot update immediately may wish to consult issue #2647, or the related blog post, for mitigation suggestions.
v3.0.6
Security issue
- Support configurable limit on depth of JSON parsing (possible DoS issue)
[@theMiddleBlue, @martinhsv]
v3.0.5
New features
- Having ARGS_NAMES, variables proxied
  [@zimmerle, @martinhsv, @KaNikita]
- Use explicit path for cross-compile environments.
  [Issue #2485 - @dtoubelis]
- Fix: FILES variable does not use multipart part name for key
  [Issue #2377 - @martinhsv]
- Regression: Mark the test as failed in case of segfault.
  [@zimmerle]
- GeoIP: switch to GEOIP_MEMORY_CACHE from GEOIP_INDEX_CACHE
  [Issues #2378, #2186 - @defanator]
- Add support to test framework for audit log content verification
  and add regression tests for issues #2000, #2196
- Support configurable limit on number of arguments processed
  [Issue #2234 - @jleproust, @martinhsv]
- Multipart Content-Disposition should allow field: filename*=
  [@martinhsv]
- Adds support to lua 5.4
  [@zimmerle]
- Add support for new operator rxGlobal
  [@martinhsv]
Bug fixes
- Replaces put with setenv in SetEnv action
  [Issue #2469 - @martinhsv, @WGH-, @zimmerle]
- Regex key selection should not be case-sensitive
  [Issue #2296, #2107, #2297 - @michaelgranzow-avi, @victorhora, @airween, @martinhsv, @zimmerle]
- Fix: Only delete Multipart tmp files after rules have run
  [Issue #2427 - @martinhsv]
- Fixed MatchedVar on chained rules
  [Issue #2423, #2435, #2436 - @michaelgranzow-avi]
- Fix maxminddb link on FreeBSD
  [Issue #2131 - @granalberto, @zimmerle]
- Fix IP address logging in Section A
  [Issue #2300 - @inaratech, @zavazingo, @martinhsv]
- rx: exit after full match (remove /g emulation); ensure capture groups occurring after unused groups still populate TX vars
  [Issue #2336 - @martinhsv]
- Correct CHANGES file entry for #2234
- Fix rule-update-target for non-regex
  [Issue #2251 - @martinhsv]
- Fix configure script when packaging for Buildroot
  [Issue #2235 - @frankvanbever]
- modsecurity.pc.in: add Libs.private
  [Issue #1918, #2253 - @ffontaine, @dridi, @victorhora]
Security Impacting Issues
- Handle URI received with uri-fragment
  [@martinhsv]
v2.9.4
Enhancements
- Add microsec timestamp resolution to the formatted log timestamp
  [Issue #2095 - @rainerjung]
- Added missing Geo Countries
  [Issue #2123, #2124 - @emphazer]
Bug fixes
- Store temporaries in the request pool for regexes compiled per-request.
  [Issue #890, #2049 - @lightsey]
- Fix other usage of the global pool for request temporaries in re_operators.c
  [Issue #890, #2049 - @lightsey]
- Adds a sanity check before using ctl:ruleRemoveTargetById and ctl:ruleRemoveTargetByMsg.
  [Issue #2033 - @studersi]
- Fix the order of error_msg validation
  [Issue #2128 - @marcstern, @zimmerle]
- When the input filter finishes, check whether we returned data
  [Issue #2091, #2092 - @rainerjung]
- fix: handle non-null-terminated chunk data
  [Issue #2097 - @orisano]
- Fix for apr_global_mutex_create() crashes with mod_security
  [Issue #1957 - @blappm]
- Fix inet addr handling on 64 bit big endian systems
  [Issue #1980 - @zimmerle, @airween]
Notes
- Windows installer no longer includes OWASP CRS.
v3.0.4
New features
- SecRuleUpdateTargetById now supports regular expressions
  [Issue #1872 - @zimmerle, @anush-cr, @victorhora, @j0k2r]
- Adds a new operator verifySVNR that checks for Austrian social security numbers.
  [Issue #2063 - @Rufus125]
- Allow 0 length JSON requests.
  [Issue #1822 - @allanbomsft, @zimmerle, @victorhora, @marcstern]
- Adds support to multiple ranges in ctl:ruleRemoveById
  [Issue #1956 - @theseion, @victorhora, @zimmerle]
Bug fixes
- Fix: audit log data omitted when nolog,auditlog
  [@martinhsv]
- Adds missing check for runtime ctl:ruleRemoveByTag
  [Issue #2102, #2099 - @airween]
- Fix: ModSecurity 3.x inspectFile operator does not pass FILES_TMPNAMES parameter to lua engine
  [Issue #2204, #2205 - @kadirerdogan]
- XML: Remove error messages from stderr
  [Issue #2010 - @JaiHarpalani, @zimmerle]
- Filter comment or blank line for pmFromFile operator
  [Issue #1645 - @LeeShan87, @victorhora, @tdoubley]
- Additional adjustment to Cookie header parsing
  [@martinhsv]
- Restore chained rule part H logging to be more like 2.9 behavior
  [Issue #2196 - @martinhsv]
- Small fixes in log messages to help debugging the file upload
  [Issue #2130 - @airween]
- Fix Cookie header parsing issues
  [Issue #2201 - @airween, @martinhsv]
- Fix rules with nolog are logging to part H
  [Issue #2196 - @martinhsv]
- Fix argument key-value pair parsing cases
  [Issue #1904 - @martinhsv]
- Fix: audit log part for response body for JSON format to be E
  [Issue #2066 - @martinhsv, @zimmerle]
- Make sure m_rulesMessages is filled after successful match
  [Issue #2000, #2048 - @victorhora, @defanator]
- Fix @pm lookup for possible matches on offset zero.
  [@zimmerle, @afoxdavidi, @martinhsv, @marshal09]
- Regex lookup on the key name instead of COLLECTION:key
  [@rdiperri-yottaa, @danbiagini-work, @mmelo-yottaa, @zimmerle]
- Missing throw in Operator::instantiate
  [Issue #2106 - @marduone]
- Making block action execution dependent on the SecEngine status
  [Issue #2113, #2111 - @theMiddleBlue, @airween]
- Making block action execution dependent on the SecEngine status
  [Issue #1960 - @theMiddleBlue, @zimmerle, @airween, @victorhora]
- Having body limits to respect the rule engine state
  [@zimmerle]
- Fix variables output in debug logs
  [Issue #2057 - @jleproust]
- Correct typo validade in log output
  [Issue #2059 - @nerrehmit]
- fix/minor: Error encoding hexadecimal.
  [Issue #2068 - @tech-ozon-io]
- Limit more log variables to 200 characters.
  [Issue #2073 - @jleproust]
- parser: fix parsed file names
  [@zimmerle]
- Allow empty anchored variable
  [Issue #2024 - @airween]
- Fixed FILES_NAMES collection after the end of multipart parsing
  [Issue #2016 - @airween]
- Fixed validateByteRange parsing method
  [Issue #2017 - @airween]
- Removes a memory leak on the JSON parser
  [@zimmerle]
- Enables LMDB on the regression tests.
  [Issue #2011, #2008 - @WGH-, @mdunc]
- Fix: Extra whitespace in some configuration directives causing error
  [Issue #2006 - @porjo, @zimmerle]
- Refactoring on Regex and SMatch classes.
  [@WGH-]
- Fixed buffer overflow in Utils::Md5::hexdigest()
  [Issue #2002 - @defanator]
- Implemented merge() method for ConfigInt, ConfigDouble, ConfigString
  [Issue #1990 - @defanator]
- Adds initial support for the drop action.
  [@zimmerle]
- Complete merging of particular rule properties
  [Issue #1978 - @defanator]
- Replaces AC_CHECK_FILE with 'test -f'
  [Issue #1984 - @chuckwolber]
- Fix inet addr handling on 64 bit big-endian systems
  [Issue #1980 - @airween]
- Fix tests on FreeBSD
  [Issue #1973 - @defanator]
- Changes ENV test case to read the default MODSECURITY env var
  [Issue #1969 - @zimmerle, @airween, @inittab]
- Regression: Sets MODSECURITY env var during the tests execution
  [Issue #1969 - @zimmerle, @airween, @inittab]
- Fix setenv action to strdup key=variable
  [@zimmerle]
- Fix "make dist" target to include default configuration
  [Issue #1966 - @defanator]
- Replaced log locking using mutex with fcntl lock
  [Issue #1949, #1927 - @Cloaked9000]
- Correct the usage of modsecurity::Phases::NUMBER_OF_PHASES
  [Issue #1959 - @weliu]
- Rule variable interpolation broken
  [Issue #1961 - @soonum, @zimmerle]
- Make the boundary check less strict as per RFC2046
  [Issue #1943 - @victorhora, @allanbomsft]
- Fix buffer size for utf8toUnicode transformation
  [Issue #1208 - @katef, @victorhora]
Security issue
- Cookie parser problems
  [@airween, @theMiddleBlue, @martinhsv]
v2.9.3
Bug fixes
- Fix buffer size for utf8toUnicode transformation
  [Issue #1208 - @katef, @victorhora]
- Fix sanitizing JSON request bodies in native audit log format
  [p0pr0ck5, @victorhora]
- Fix NetBSD build by renaming the hmac function to avoid conflicts
  [Issue #1241 - @victorhora, @joerg, @sevan]
- IIS: Windows build, fix duplicate YAJL dir in script
  [Issue #1612 - @allanbomsft, @victorhora]
- Fix mpm-itk / mod_ruid2 compatibility
  [Issue #712 - @ju5t, @derhansen, @meatlayer, @victorhora]
- potential off by one in parse_arguments
  [Issue #1799 - @tinselcity, @zimmerle]
- Fix utf-8 character encoding conversion
  [Issue #1794 - @tinselcity, @zimmerle]
- Fix ip tree lookup on netmask content
  [Issue #1793 - @tinselcity, @zimmerle]
- build: fix when multiple lines for curl version
  [Issue #1771 - @Artistan]
- Fixes SecConnWriteStateLimit
  [Issue #1545 - @nicjansma]
- Adds missing headers
  [Issue #1454 - @devnexen]
Improvements
- Allow 0 length JSON requests.
  [Issue #1822 - @allanbomsft, @zimmerle, @victorhora, @marcstern]
- Include unnamed JSON values in unnamed ARGS
  [Issue #1577, #1576 - @marcstern, @victorhora, @zimmerle]
- IIS: Update Wix installer to bundle a supported CRS version (3.0)
  [@victorhora, @zimmerle]
- IIS: Update dependencies for Windows build
  [Issue #1848 - @victorhora, @hsluoyz]
- IIS: Set SecStreamInBodyInspection by default on IIS builds (#1299)
  [Issue #1299 - @victorhora]
- IIS: Update modsecurity.conf
  [Issue #788 - @victorhora, @brianclark]
- Add sanity check for a couple of malloc() calls and make code more resilient
  [Issue #979 - @dogbert2, @victorhora, @zimmerle]
- IIS: Remove body prebuffering due to no locking in modsecProcessRequest
  [Issue #1917 - @allanbomsft, @victorhora]
- Code cosmetics: checks if actionset is not null before using it
  [Issue #1556 - @marcstern, @zimmerle, @victorhora]
- Only generate SecHashKey when SecHashEngine is On
  [Issue #1671 - @dmuey, @monkburger, @zimmerle]
- Docs: Reformat README to Markdown and update dependencies
  [Issue #1857 - @hsluoyz, @victorhora]
- IIS: no lock on ProcessRequest. No reload of config.
  [Issue #1826 - @allanbomsft]
- IIS: buffer request body before taking lock
  [Issue #1651 - @allanbomsft]
- good practices: Initialize variables before using them
  [Issue #1889 - Marc Stern]
- Let body parsers observe SecRequestBodyNoFilesLimit
  [Issue #1613 - @allanbomsft]
- IIS: set overrideModeDefault to Allow so that individual websites can add <ModSecurity ...> to their web.config file
  [Issue #1781 - @default-kramer]
- modsecurity.conf-recommended: Fix spelling
  [Issue #1721 - @padraigdoran]
- Fix arabic charset in unicode_mapping file
  [Issue #1619 - @alaa-ahmed-a]
- Optionally preallocates memory when SecStreamInBodyInspection is on
  [Issue #1366 - @allanbomsft, @zimmerle]
- Fixed typo in build_yajl.bat
  [Issue #1366 - @allanbomsft]
- Added "empty chunk" check
  [Issue #1347, #1446 - @gravagli, @bostrt, @zimmerle]
- Add capture action to @detectXSS operator
  [Issue #1488, #1482 - @victorhora]
- Fix for wildcard operator when loading conf files on Nginx / IIS
  [Issue #1486, #1285 - @victorhora and @thierry-f-78]
- Set of fixes to make windows build workable with the buildbots
  [Commit 94fe3 - @zimmerle]
- Uses LOG_NO_STOPWATCH instead of DLOG_NO_STOPWATCH
  [Issue #1510 - @marcstern]