Keep Server Online
If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.
or
A donation makes a contribution towards the costs, the time and effort that's going in this site and building.
Thank You! Steffen
Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
| |
|
 Topic: ModSecurity 2.5.4 released (hot fix) |
|
| Author |
|
Steffen
Moderator
Joined: 15 Oct 2005
Posts: 3092
Location: Hilversum, NL, EU
|
 Posted: Fri 09 May '08 21:30 Post subject: ModSecurity 2.5.4 released (hot fix) |
 |
|
ModSecurity 2.5.4 was released. This fixes a problem with transformation caching in ModSecurity 2.5 through version 2.5.3.
Was a serious problem, it was crashing Apache, see eg. www.apachelounge.com/viewtopic.php?p=10862
Transformation Caching Issue Details:
If you are using a transformation in SecDefaultAction and t:none in a rule, then there is the potential for the rule to use the wrong cached value (the default transformation value), possibly resulting in a false negative (no match). The Core Rules v1.6 do not require a default transformation, but there is a potential for a false negative if a default transformation is defined. Upgrading to 2.5.4 is encouraged, however, workarounds are available until an upgrade is possible.
Workarounds for Transformation Caching Issue in 2.5.0-2.5.3:
1) (recommended) Disable transformation caching until you can upgrade to 2.5.4 with:
SecCacheTransformations Off
2) Remove any default transformations in SecDefaultAction if other rules are not depending on them.
Steffen |
|
| Back to top |
|
|
|
|
|
|
