Topic: ModSecurity 2.5.6 Released

[Steffen]

This is a major bugfix release that fixes issues associated with transformation caching which may result in an Apache crash or possibly evading ModSecurity under certain circumstances. If you are using ModSecurity 2.5 you are advised to immediately apply a workaround and upgrade as soon as possible.

To work around these issues until you can upgrade, use the following directive to disable transformation caching:

SecCacheTransformations Off


31 Jul 2008 - 2.5.6
---------------------

* Transformation caching has been deprecated, and is now off by
default. We now advise against using transformation caching in production.

* Fixed two separate transformation caching issues that could cause
incorrect content inspection in some circumstances.

* Fixed an issue with the transformation cache using too much RAM,
potentially crashing Apache with a large number of cache entries. Two
new configuration options have been added to allow for a finer control
of caching:

maxitems: Max number of items to cache (default 1024)
incremental: Whether to cache incrementally (default off)

* Added an experimental regression testing suite. The regression suite
may be executed via "make test-regression", however it is strongly
advised to only be executed on a non-production machine as it will
startup the Apache web server that ModSecurity is compiled against with
various configurations in which it will run tests.

* Added a licensing exception so that ModSecurity can be used in a
derivative work when that derivative is also under an approved open
source license.

* Updated mlogc to version 1.4.5 which adds a LockFile directive and
fixes an issue in which the configuration file may be deleted.

[fingers]

@Steffen,
How is it that your post shows as being posted much earlier than my "heads up" but it was not viewable in the forum until the next day?
dave

EDIT: my bad, I didnt read the date correctly sorry for any stupidity on my part