SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG

 
 
Changelog for modsecurity-3.0.12-24.10.x86_64.rpm :

* Thu Feb 15 2024 Dominique Leuenberger - Update to version 3.0.12: + Change REQUEST_FILENAME and REQUEST_BASENAME behavior WAF bypass of the ModSecurity v3 release line for path-based payloads by submitting a specially crafted request URL (CVE-2024-1019). + Enhancements and bug fixes - Set the minimum security protocol version (TLSv1.2) for SecRemoteRules.
* Mon Jan 29 2024 Dirk Müller - update to 3.0.11:
* Add WRDE_NOCMD to wordexp call
* Fix: validateDTD compile fails if when libxml2 not installed
* Fix memory leak of validateDTD\'s dtd object
* Fix memory leaks in ValidateSchema
* Add support for expirevar action
* Fix: lmdb regex match on non-null terminated string
* Fix memory leaks in lmdb code (new\'d strings)
* Configure: add additional name to pcre2 pkg-config list
* Mon Sep 04 2023 David Anes - Update to version 3.0.10:
* Security impacting issue (fix bsc#1213702, CVE-2023-38285) - Fix: worst-case time in implementation of four transformations - Additional information on this issue is available at https://www.trustwave.com/resources/blogs/spiderlabs-blog/modsecurity-v3-dos-vulnerability-in-four-transformations-cve-2023-38285/
* Enhancements and bug fixes - Add TX synonym for MSC_PCRE_LIMITS_EXCEEDED - Make MULTIPART_PART_HEADERS accessible to lua - Fix: Lua scripts cannot read whole collection at once - Fix: quoted Include config with wildcard - Support isolated PCRE match limits - Fix: meta actions not applied if multiMatch in first rule of chain - Fix: audit log may omit tags when multiMatch - Exclude CRLF from MULTIPART_PART_HEADER value - Configure: use AS_ECHO_N instead echo -n - Adjust position of memset from 2890
* Tue May 09 2023 Danilo Spinella - Update to version 3.0.9:
* Add some member variable inits in Transaction class (possible segfault)
* Fix: possible segfault on reload if duplicate ip+CIDR in ip match list
* Resolve memory leak on reload (bison-generated variable)
* Support equals sign in XPath expressions
* Encode two special chars in error.log output
* Add JIT support for PCRE2
* Support comments in ipMatchFromFile file via \'#\' token
* Use name package name libmaxminddb with pkg-config
* Fix: FILES_TMP_CONTENT collection key should use part name
* Use AS_HELP_STRING instead of obsolete AC_HELP_STRING macro
* During configure, do not check for pcre if pcre2 specified
* Use pkg-config to find libxml2 first
* Fix two rule-reload memory leak issues
* Correct whitespace handling for Include directive- Fix CVE-2023-28882, a segfault and a resultant crash of a worker process in some configurations with certain inputs, bsc#1210993
* Fri Dec 16 2022 Michael Ströder - Update to version 3.0.8
* Adjust parser activation rules in modsecurity.conf-recommended [#2796]
* Multipart parsing fixes and new MULTIPART_PART_HEADERS collection [#2795]
* Prevent LMDB related segfault [#2755, #2761]
* Fix msc_transaction_cleanup function comment typo [#2788]
* Fix: MULTIPART_INVALID_PART connected to wrong internal variable [#2785]
* Restore Unique_id to include random portion after timestamp [#2752, #2758]
* Sun Aug 14 2022 Georg Pfuetzenreuter - Update to version 3.0.7
* Support PCRE2
* Support SecRequestBodyNoFilesLimit
* Add ctl:auditEngine action support
* Move PCRE2 match block from member variable
* Add SecArgumentsLimit, 200007 to modsecurity.conf-recommended
* Fix memory leak when concurrent log includes REMOTE_USER
* Fix LMDB initialization issues
* Fix initcol error message wording
* Tolerate other parameters after boundary in multipart C-T
* Add DebugLog message for bad pattern in rx operator
* Fix misuses of LMDB API
* Fix duplication typo in code comment
* Fix multiMatch msg, etc, population in audit log
* Fix some name handling for ARGS_
*NAMES: regex SecRuleUpdateTargetById, etc.
* Adjust confusing variable name in setRequestBody method
* Multipart names/filenames may include single quote if double-quote enclosed
* Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended
* Fri Feb 25 2022 Ferdinand Thiessen - Update to version 3.0.6
* Security issue: Support configurable limit on depth of JSON parsing, possible DoS issue. CVE-2021-42717- Update to version 3.0.5
* New: Having ARGS_NAMES, variables proxied
* Fix: FILES variable does not use multipart part name for key
* GeoIP: switch to GEOIP_MEMORY_CACHE from GEOIP_INDEX_CACHE
* Support configurable limit on number of arguments processed
* Adds support to lua 5.4
* Add support for new operator rxGlobal
* Fix: Replaces put with setenv in SetEnv action
* Fix: Regex key selection should not be case-sensitive
* Fix: Only delete Multipart tmp files after rules have run
* Fixed MatchedVar on chained rules
* Fix IP address logging in Section A
* Fix: rx: exit after full match (remove /g emulation); ensure capture groups occuring after unused groups still populate TX vars
* Fix rule-update-target for non-regex
* Fix Security Impacting Issues:
* Handle URI received with uri-fragment, CVE-2020-15598
* Wed Jul 22 2020 Dirk Mueller - add baselibs, fix packaging (install into %_libdir)- update to 3.0.4: - Fix: audit log data omitted when nolog,auditlog - Fix: ModSecurity 3.x inspectFile operator does not pass - XML: Remove error messages from stderr - Filter comment or blank line for pmFromFile operator - Additional adjustment to Cookie header parsing - Restore chained rule part H logging to be more like 2.9 behaviour - Small fixes in log messages to help debugging the file upload - Fix Cookie header parsing issues - Fix rules with nolog are logging to part H - Fix argument key-value pair parsing cases - Fix: audit log part for response body for JSON format to be E - Make sure m_rulesMessages is filled after successfull match - Fix AATTpm lookup for possible matches on offset zero. - Regex lookup on the key name instead of COLLECTION:key - Missing throw in Operator::instantiate - Making block action execution dependent of the SecEngine status - Making block action execution dependent of the SecEngine status - Having body limits to respect the rule engine state - Fix SecRuleUpdateTargetById does not match regular expressions - Adds missing check for runtime ctl:ruleRemoveByTag - Adds a new operator verifySVNR that checks for Austrian social security numbers. - Fix variables output in debug logs - Correct typo validade in log output - fix/minor: Error encoding hexa decimal. - Limit more log variables to 200 characters. - parser: fix parsed file names - Allow empty anchored variable - Fixed FILES_NAMES collection after the end of multipart parsing - Fixed validateByteRange parsing method - Removes a memory leak on the JSON parser - Enables LMDB on the regression tests. - Fix: Extra whitespace in some configuration directives causing error - Refactoring on Regex and SMatch classes. - Fixed buffer overflow in Utils::Md5::hexdigest() - Implemented merge() method for ConfigInt, ConfigDouble, ConfigString - Adds initially support to the drop action. - Complete merging of particular rule properties - Replaces AC_CHECK_FILE with \'test -f\' - Fix inet addr handling on 64 bit big endian systems - Fix tests on FreeBSD - Changes ENV test case to read the default MODSECURTIY env var - Regression: Sets MODSECURITY env var during the tests execution - Fix setenv action to strdup key=variable - Allow 0 length JSON requests. - Fix \"make dist\" target to include default configuration - Replaced log locking using mutex with fcntl lock - Correct the usage of modsecurity::Phases::NUMBER_OF_PHASES - Adds support to multiple ranges in ctl:ruleRemoveById - Rule variable interpolation broken - Make the boundary check less strict as per RFC2046 - Fix buffer size for utf8toUnicode transformation - Fix double macros bug - Override the default status code if not suitable to redirect action - parser: Fix the support for CRLF configuration files - Organizes the server logs - m_lineNumber in Rule not mapping with the correct line number in file - Using shared_ptr instead of unique_ptr on rules exceptions - Changes debuglogs schema to avoid unecessary str allocation - Fix the SecUnicodeMapFile and SecUnicodeCodePage - Changes the timing to save the rule message - Fix crash in msc_rules_add_file() when using disruptive action in chain - Fix memory leak in AuditLog::init() - Fix RulesProperties::appendRules() - Fix RULE lookup in chained rules - AATTipMatch \"Could not add entry\" on slash/32 notation in 2.9.0 - Using values after transformation at MATCHED_VARS - Adds support to UpdateActionById. - Add correct C function prototypes for msc_init and msc_create_rule_set - Allow LuaJIT 2.1 to be used - Match m_id JSON log with RuleMessage and v2 format - Adds support to setenv action. - Adds new transaction constructor that accepts the transaction id as parameter. - Adds request IDs and URIs to the debug log - Treating variables exception on load-time instead of run time. - Fix: function m.setvar in Lua scripts and add testcases - Fix SecResponseBodyAccess and ctl:requestBodyAccess directives - Fix OpenBSD build - Fix parser to support GeoLookup with MaxMind - parser: Fix simple quote setvar in the end of the line - Fix pc file - modsec_rules_check: uses the gnu `.la\' instead of `.a\' file - good practices: Initialize variables before use it - Fix utf-8 character encoding conversion - Adds support for ctl:requestBodyProcessor=URLENCODED - Add LUA compatibility for CentOS and try to use LuaJIT first if available - Allow LuaJIT to be used - Implement support for Lua 5.1 - Variable names must match fully, not partially. Match should be case insensitive. - Improves the performance while loading the rules - Allow empty strings to be evaluated by regex::searchAll - Adds basic pkg-config info - Fixed LMDB collection errors - Fixed false positive MULTIPART_UNMATCHED_BOUNDARY errors - Fix ip tree lookup on netmask content - Changes the behavior of the default sec actions - Refactoring on {global,ip,resources,session,tx,user} collections - Fix race condition in UniqueId::uniqueId() - Fix memory leak in error message for msc_rules_merge C APIs - Return false in SharedFiles::open() when an error happens - Use rvalue reference in ModSecurity::serverLog - Build System: Fix when multiple lines for curl version. - Checks if response body inspection is enabled before process it - Code Cleanup. - Fix setvar parsing of quoted data - Fix LDFLAGS for unit tests. - Adds time stamp back to the audit logs - Disables skip counter if debug log is disabled - Cosmetics: Represents amount of skipped rules without decimal - Add missing escapeSeqDecode, urlEncode and trimLeft/Right tfns to parser - Fix STATUS var parsing and accept STATUS_LINE var for v2 backward comp. - Fix memory leak in modsecurity::utils::expandEnv() - Initialize m_dtd member in ValidateDTD class as NULL - Fix broken AATTdetectxss operator regression test case - Fix utils::string::ssplit() to handle delimiter in the end of string - Fix variable FILES_TMPNAMES - Fix memory leak in Collections - Fix lib version information while generating the .so file - Adds support for ctl:ruleRemoveByTag - Fix SecUploadDir configuration merge - Include all prerequisites for \"make check\" into dist archive - Fix: Reverse logic of checking output in AATTinspectFile - Adds support to libMaxMind - Adds capture action to detectXSS - Temporarily accept invalid MULTIPART_SEMICOLON_MISSING operator - Adds capture action to detectSQLi - Adds capture action to rbl - Adds capture action to verifyCC - Adds capture action to verifySSN - Adds capture action to verifyCPF - Prettier error messages for unsupported configurations (UX) - Add missing verify
*
*
* transformation statements to parser - Fix a set of compilation warnings - Check for disruptive action on SecDefaultAction. - Fix block-block infinite loop. - Correction remove_by_tag and remove_by_msg logic. - Fix LMDB compile error - Fix msc_who_am_i() to return pointer to a valid C string - Added some cosmetics to autoconf related code - Fix \"make dist\" target to include necessary headers for Lua - Fix \"include /foo/
*.conf\" for single matched object in directory - Add missing Base64 transformation statements to parser - Fixed resource load on ip match from file - Fixed examples compilation while using disable-shared - Fixed compilation issue while xml is disabled - Having LDADD and LDFLAGS organized on Makefile.am - Checking std::deque size before use it - perf improvement: Added the concept of RunTimeString and removed all run time parser. - perf improvement: Checks debuglog level before format debug msg - perf. improvement/rx: Only compute dynamic regex in case of macro - Fix uri on the benchmark utility - disable Lua on systems with liblua5.1
* Sat Jul 14 2018 jengelhAATTinai.de- Remove rhetoric part from descriptions.
* Mon Jul 09 2018 mrosteckiAATTsuse.com- Remove libltdl7 from build dependencies
  
ICM