[mod-security-packagers] ModSecurity 2.5.6 Released
From: Brian R. <Bri...@br...> - 2008-08-01 16:49:12
ModSecurity 2.5.6 was released earlier today. This is a major bugfix release that fixes issues associated with transformation caching which may result in an Apache crash or possibly evading ModSecurity under certain circumstances. If you are using ModSecurity 2.5 you are advised to immediately apply a workaround and upgrade as soon as possible. Packages can be downloaded from modsecurity.org as always.

To work around these issues until you can upgrade, use the following directive to disable transformation caching:

  SecCacheTransformations Off

31 Jul 2008 - 2.5.6
-------------------

 * Transformation caching has been deprecated, and is now off by default. We now advise against using transformation caching in production.

 * Fixed two separate transformation caching issues that could cause incorrect content inspection in some circumstances.

 * Fixed an issue with the transformation cache using too much RAM, potentially crashing Apache with a large number of cache entries. Two new configuration options have been added to allow for a finer control of caching:

     maxitems: Max number of items to cache (default 1024)
     incremental: Whether to cache incrementally (default off)

 * Added an experimental regression testing suite. The regression suite may be executed via "make test-regression", however it is strongly advised to only be executed on a non-production machine as it will start up the Apache web server that ModSecurity is compiled against with various configurations in which it will run tests.

 * Added a licensing exception so that ModSecurity can be used in a derivative work when that derivative is also under an approved open source license.

 * Updated mlogc to version 1.4.5 which adds a LockFile directive and fixes an issue in which the configuration file may be deleted.

--
Brian Rectanus
Breach Security