[mod-security-users] ModSecurity 2.5.7-rc1 Available
From: Brian R. <Bri...@br...> - 2008-09-18 09:11:22
ModSecurity 2.5.7 will contain quite a few fixes for some not-so-common issues. The first release candidate for 2.5.7 is available so that those that are seeing these issues can first verify that they are indeed fixed prior to an official 2.5.7 release.

To help us in the future, it would be nice to know if these release candidates are useful. Please send me a note (privately) with a comment on how useful you think the release candidates are and how (and if) you are using them.

If you are seeing any of the following issues (even if you previously tested a patch), then please verify that 2.5.7-rc1 does indeed correct the issue:

1) Cannot turn off the request body limit check. This release allows you to use ctl:requestBodyAccess=off and/or ctl:ruleEngine=off in phase:1 so that you can selectively bypass this check.

2) Some XML issues were difficult (impossible?) to diagnose as the underlying XML error/warning was not logged. All XML processing errors and warnings are now logged to the debug log (if level is high enough).

3) XML DTD/Schema validation still succeeded when the XML was not well formed, but could still be parsed. This is corrected and the validation will fail on any request parsing errors.

4) The hostname logged in the error log is the canonical name, not the request supplied name. This makes sure that there is always a hostname in the log entry.

5) The REQUEST_BODY variable was not available unless you forced the use of URLENCODED processor. This would cause parsing to fail if it was not a url encoded POST. You can now use ctl:forceRequestBodyVariable=on to force populating the REQUEST_BODY variable without setting the processor and thus avoiding the parsing errors.

6) Certain "legacy" protocols have been ported to be tunneled in HTTP request. Some of these requests use the 8th bit of each byte as a parity bit. This can cause problems when trying to perform matches on the data. It is now possible to transform (t:parityEven7bit, t:parityOdd7bit) or remove (t:parityZero7bit) the parity.

Packages can be downloaded from modsecurity.org as always.

The complete change log is below...

17 Sep 2008 - 2.5.7-rc1
-----------------------
 * Fixed XML DTD/Schema validation which will now fail after request body
   processing errors, even if the XML parser returns a document tree.
 * Added ctl:forceRequestBodyVariable=on|off which, when enabled, will force
   the REQUEST_BODY variable to be set when a request body processor is not
   set. Previously the REQUEST_BODY target was only populated by the
   URLENCODED request body processor.
 * Integrated mlogc source.
 * Fixed logging the hostname in the error_log which was logging the request
   hostname instead of the Apache resolved hostname.
 * Allow for disabling request body limit checks in phase:1.
 * Added transformations for processing parity for legacy protocols ported
   to HTTP(S): t:parityEven7bit, t:parityOdd7bit, t:parityZero7bit
 * Added t:cssDecode transformation to decode CSS escapes.
 * Now log XML parsing/validation warnings and errors to be in the debug log
   at levels 3 and 4, respectively.

thanks,
-B

--
Brian Rectanus
Breach Security
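The parity problem in item 6 is easy to see with bytes in hand. The following is an added illustration, not code from the announcement or from ModSecurity itself: it reimplements the three 7-bit parity normalizations (t:parityZero7bit, t:parityEven7bit, t:parityOdd7bit) in Python and shows why a plain regex rule misses a keyword that arrives with a parity bit set, and matches once the parity bit is cleared. The sample payload, the function names and the small rule_matches helper are all constructed for this example.

```python
import re
from typing import Callable, Iterable

# Constructed sample: the string "SELECT" as 7-bit ASCII with an even parity
# bit in bit 8 of each byte, the framing some legacy protocols keep when they
# are tunnelled over HTTP. Bytes whose low 7 bits hold an odd number of 1s get
# bit 8 set: 'E' (0x45) -> 0xC5, 'L' (0x4C) -> 0xCC, 'S' (0x53) stays 0x53.
EVEN_PARITY_SELECT = b"\x53\xc5\xcc\xc5\xc3\xd4"


def _odd_popcount(low7: int) -> int:
    """1 if the low 7 bits contain an odd number of set bits, else 0."""
    return bin(low7 & 0x7F).count("1") & 1


def parity_zero_7bit(data: bytes) -> bytes:
    """Clear bit 8 of every byte (the t:parityZero7bit idea): the 7-bit
    payload is then plain ASCII whichever parity scheme the sender used."""
    return bytes(b & 0x7F for b in data)


def parity_even_7bit(data: bytes) -> bytes:
    """Recompute bit 8 as an even parity bit over the low 7 bits
    (the t:parityEven7bit idea), replacing whatever bit 8 held before."""
    out = bytearray()
    for b in data:
        low7 = b & 0x7F
        out.append(low7 | (_odd_popcount(low7) << 7))
    return bytes(out)


def parity_odd_7bit(data: bytes) -> bytes:
    """Recompute bit 8 as an odd parity bit over the low 7 bits
    (the t:parityOdd7bit idea)."""
    out = bytearray()
    for b in data:
        low7 = b & 0x7F
        out.append(low7 | ((_odd_popcount(low7) ^ 1) << 7))
    return bytes(out)


Transform = Callable[[bytes], bytes]


def rule_matches(data: bytes, pattern: bytes,
                 transforms: Iterable[Transform] = ()) -> bool:
    """Apply a transformation chain in order, the way a rule's t: list is
    applied to its target, then run the regex against the result."""
    for transform in transforms:
        data = transform(data)
    return re.search(pattern, data) is not None


if __name__ == "__main__":
    pattern = rb"SELECT"
    # Without normalization the parity bits break the byte-for-byte match.
    print("raw even-parity bytes match:",
          rule_matches(EVEN_PARITY_SELECT, pattern))
    # After clearing bit 8 the same rule sees the ASCII keyword.
    print("after parityZero7bit:",
          rule_matches(EVEN_PARITY_SELECT, pattern, [parity_zero_7bit]))
```

The zero-parity transform is the one to reach for when inspecting such traffic as ordinary ASCII; the even and odd variants are useful when a rule needs to compare against data that is expected to carry a specific parity, since they recompute bit 8 from the low 7 bits rather than trusting what arrived.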