Topic: ModSecurity 2.7.4/5 available
Author: Steffen (Moderator)
Posted: Tue 28 May '13 11:45

ModSecurity 2.7.4 is now available for 2.2 and 2.4 at the download pages, also for VC11.

For more info, see http://www.modsecurity.org/
and https://github.com/SpiderLabs/ModSecurity/wiki/

Also note the free book, see http://www.apachelounge.com/viewtopic.php?t=4757

4 August 2013: Updated VC11 to 2.7.5, this is a very minor update.

Enjoy,

Steffen

Changes with 2.7.5

Improvements:

* SecUnicodeCodePage is deprecated. SecUnicodeMapFile now accepts the code page as a second parameter.

* Updated Libinjection to version 3.4.1. Many improvements were made.

* Severity action now supports strings (emergency, alert, critical, error, warning, notice, info, debug).

Bug Fixes:

* Fixed utf8toUnicode tfn null byte conversion.

* Fixed NGINX crash when issuing the reload command.

* Fixed flush of the output buffer before injecting the modified hashed response body.

* Fixed url normalization for Hash Engine.

* Fixed NGINX ap_unixd_set_global_perms_mutex compilation error with apache 2.4 devel files.


Changes with 2.7.4

Improvements:

* Added Libinjection project http://www.client9.com/projects/libinjection/ as a new operator @detectSQLi. (Thanks Nick Galbreath).

* Added new variable SDBM_DELETE_ERROR that will be set to 1 when sdbm engine fails to delete entries.

* NGINX is now set to STABLE. Thanks chaizhenhua and all the people in the community who help the project by testing, sending feedback and patches.

Bug Fixes:

* Fixed SecRulePerfTime storing unnecessary rules performance times.

* Fixed Possible SDBM deadlock condition.

* Fixed Possible @rsub memory leak.

* Fixed REMOTE_ADDR content will receive the client ip address when mod_remoteip.c is present.

* Fixed NGINX Audit engine in Concurrent mode was overwriting existing alert files because of an issue with UNIQUE_ID.

* Fixed CPU 100% issue in NGINX port. This is also related to a memory leak when loading response body.

Security Issues:

* Fixed Remote Null Pointer DeReference (CVE-2013-2765). When forceRequestBodyVariable action is triggered and an unknown Content-Type is used, mod_security will crash trying to manipulate msr->msc_reqbody_chunks->elts; however, msr->msc_reqbody_chunks is NULL. (Thanks Younes JAAIDI).
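
The null-pointer condition described for CVE-2013-2765, as an added example that is not part of the original post and is not ModSecurity's code or its actual patch: a simplified model contrasting an access that assumes the chunk array exists with one that checks it first. Only the field names `msc_reqbody_chunks` and `elts` come from the changelog; the struct layouts, function names and return codes are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Simplified stand-ins (assumptions), not ModSecurity's real types. */
typedef struct { const char *data; size_t length; } chunk_t;
typedef struct { chunk_t *elts; int nelts; } chunk_array_t;
typedef struct { chunk_array_t *msc_reqbody_chunks; } msr_model_t;

/* Unchecked form: assumes the chunk array always exists. If
 * msc_reqbody_chunks is NULL, reading ->elts dereferences NULL. */
size_t body_length_unchecked(const msr_model_t *msr) {
    chunk_t *chunks = msr->msc_reqbody_chunks->elts;
    size_t total = 0;
    for (int i = 0; i < msr->msc_reqbody_chunks->nelts; i++)
        total += chunks[i].length;
    return total;
}

/* Checked form: copies stored chunks into out (capacity cap).
 * Returns bytes written, 0 when no chunk array exists, or -1 on
 * bad arguments or when the body does not fit in out. */
long body_copy_checked(const msr_model_t *msr, char *out, size_t cap) {
    if (msr == NULL || out == NULL) return -1;
    const chunk_array_t *arr = msr->msc_reqbody_chunks;
    if (arr == NULL || arr->elts == NULL) return 0;
    size_t used = 0;
    for (int i = 0; i < arr->nelts; i++) {
        if (arr->elts[i].length > cap - used) return -1;
        memcpy(out + used, arr->elts[i].data, arr->elts[i].length);
        used += arr->elts[i].length;
    }
    return (long)used;
}

static char demo_buf[16];

/* Constructed sample: two stored chunks, "a=1" and "&b=2". */
long demo_known_body(size_t cap) {
    chunk_t parts[] = { {"a=1", 3}, {"&b=2", 4} };
    chunk_array_t arr = { parts, 2 };
    msr_model_t msr = { &arr };
    return body_copy_checked(&msr, demo_buf, cap);
}

/* Constructed sample: nothing was stored, so the pointer is NULL. */
long demo_no_chunks(void) {
    msr_model_t msr = { NULL };
    return body_copy_checked(&msr, demo_buf, sizeof demo_buf);
}
```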