Topic: ModSecurity 2.5.9 released

Author: Steffen (Moderator)
Joined: 15 Oct 2005, Posts: 3092, Location: Hilversum, NL, EU
Posted: Fri 13 Mar '09 21:09, Post subject: ModSecurity 2.5.9 released
ModSecurity 2.5.9 is now available. The 2.5.8 release was delayed until the 2.5.9 version was ready due to a vulnerability disclosed after 2.5.8 code freeze. For this reason, the 2.5.8 release should be disregarded in favor of 2.5.9.
The 2.5.9 release fixes a potential DoS vulnerability discovered by "Internet Security Auditors" when parsing multipart requests as well as a potential DoS vulnerability discovered in the PDF XSS protection engine (fixed in 2.5.8). Additionally, 2.5.9 cleans up the build process and adds a few features, including atomic updates of persistent counters and macro expansion of the append/prepend actions. It is highly recommended to upgrade to this 2.5.9 release.
Please see the blog post for more information on the vulnerabilities fixed in this release:
http://blog.modsecurity.org/2009/03/modsecurity-vulnerabilities-fixed.html
Change log:
2.5.9
-----
* Fixed parsing multipart content with a missing part header name which would crash Apache. Discovered by "Internet Security Auditors" (isecauditors.com).
* Added ability to specify the config script directly using --with-apr and --with-apu.
* Updated copyright year to 2009.
* Added macro expansion for append/prepend action.
* Fixed race condition in concurrent updates of persistent counters. Updates are now atomic.
* Cleaned up build, adding an option for verbose configure output and making the mlogc build more portable.

2.5.8
-----
* Fixed PDF XSS issue where a non-GET request for a PDF file would crash the Apache httpd process. Discovered by Steve Grubb at Red Hat.
* Removed an invalid "Internal error: Issuing "%s" for unspecified error." message that was logged when denying with nolog/noauditlog set and causing the request to be audited.
Steffen
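An added configuration example (not part of the post above or of the ModSecurity project's own documentation) showing the two 2.5.9 features the change log mentions together: a persistent per-IP counter, whose increments are now atomic under concurrent requests, and a macro-expanded `append` action. Rule ids, the `/login` path, the threshold of 20 requests per minute and the variable name `req_count` are assumptions chosen for illustration.

```apache
# Constructed example for ModSecurity 2.5.9 (not from the release itself).
# Content injection must be enabled before append/prepend can modify a response.
SecRuleEngine On
SecContentInjection On

# Persistent per-client collection keyed on the remote address. Since 2.5.9,
# concurrent requests from the same address no longer race on the counter.
SecAction "phase:1,nolog,pass,id:900001,initcol:ip=%{REMOTE_ADDR}"

# Count requests to the (assumed) login endpoint; the counter expires after 60 s.
SecRule REQUEST_URI "@beginsWith /login" \
    "phase:1,nolog,pass,id:900002,\
    setvar:ip.req_count=+1,expirevar:ip.req_count=60"

# Defensive rate limit: more than 20 login requests per minute from one address
# is denied and logged. The assumed threshold is a placeholder to tune per site.
SecRule IP:REQ_COUNT "@gt 20" \
    "phase:1,deny,status:403,log,id:900003,\
    msg:'Login rate limit exceeded (%{IP.req_count} in 60s)'"

# Macro expansion in append (new in 2.5.9): the value of the per-IP counter is
# substituted into the text appended to the response body for allowed requests.
SecRule REQUEST_URI "@beginsWith /login" \
    "phase:3,nolog,pass,id:900004,\
    append:'<!-- login requests from this address this minute: %{IP.req_count} -->'"
```

Before 2.5.9 the `%{IP.req_count}` in the `append` text would have been emitted literally rather than expanded, and two overlapping requests could lose an increment on `ip.req_count`.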