Brian Rectanus wrote:
> Hello all,
> ModSecurity 2.5.4 was released. This fixes a problem with
> transformation caching in ModSecurity 2.5 through version 2.5.3.
> Transformation Caching Issue Details:
> If you are using a transformation in SecDefaultAction and t:none in a
> rule, then there is the potential for the rule to use the wrong cached
> value (the default transformation value), possibly resulting in a false
> negative (no match). The Core Rules v1.6 do not require a default
> transformation, but there is a potential for a false negative if a
> default transformation is defined. Upgrading to 2.5.4 is encouraged,
> however, workarounds are available until an upgrade is possible.
> Workarounds for Transformation Caching Issue in 2.5.0-2.5.3:
> 1) (recommended) Disable transformation caching until you can upgrade to
> 2.5.4 with:
> SecCacheTransformations Off
> 2) Remove any default transformations in SecDefaultAction if other rules
> are not depending on them.
> Packages can be downloaded from modsecurity.org as always.
I just wanted to clarify that the workarounds were *either* 1 *or* 2 and
both are not required.