mod-security-packagers Mailing List for ModSecurity
Brought to you by: victorhora, zimmerletw
From: Ervin H. <ai...@gm...> - 2024-01-30 16:27:54

Dear ModSecurity packagers,

ModSecurity is announcing the release of version 3.0.12. This version includes bug fixes; see the release notes:

==%==
Security impacting issue

- Change REQUEST_FILENAME and REQUEST_BASENAME behavior [Issue #3048 - @martinhsv, @theMiddleBlue, @theseion, @M4tteoP, @airween]
  WAF bypass of the ModSecurity v3 release line for path-based payloads by submitting a specially crafted request URL. For details, see CVE-2024-1019.

Enhancements and bug fixes

- Set the minimum security protocol version (TLSv1.2) for SecRemoteRules [Issue security/code-scanning/2 - @airween]
==%==

Additional information on the release, including the source (and hashes/signatures), is available at:
https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.12

Thanks to everybody who helped in this process: reporting issues, making comments and suggestions, sending patches, etc.

Regards:
Christian Folini, Marc Stern and Ervin Hegedüs
From: Martin V. <Mar...@tr...> - 2023-12-07 14:48:01

ModSecurity is announcing the release of version 3.0.11. This version includes expirevar support as a new feature, and a mixture of enhancements and bug fixes.

The official release announcement can be found at https://www.trustwave.com/en-us/resources/security-resources/software-updates/announcing-modsecurity-version-3.0.11/

Security impacting issue
- Add WRDE_NOCMD to wordexp call [Issue #3024 - @sahruldotid, @martinhsv]
  Note: Although this issue ostensibly allows for specially-crafted SecRule content to execute OS command-line commands when the rules are loaded, this is unlikely to be a serious issue in most deployments. A malicious actor who has access to modify the ModSecurity configuration of an installation can cause severe effects in a multitude of other ways.

New feature
- Add support for expirevar action [Issue #1803, #3001 - @martinhsv]

Enhancements and bug fixes
- Fix: validateDTD compile fails if libxml2 not installed [Issue #3014 - @zangobot, @martinhsv]
- Fix memory leak of validateDTD's dtd object [Issue #3008 - @martinhsv, @zimmerle]
- Fix memory leaks in ValidateSchema [Issue #3005 - @martinhsv, @zimmerle]
- Fix: lmdb regex match on non-null terminated string [Issue #2985 - @martinhsv]
- Fix memory leaks in lmdb code (new'd strings) [Issue #2983 - @martinhsv]
- Configure: add additional name to pcre2 pkg-config list [Issue #2939 - @agebhar1, @fzipi, @martinhsv]

Additional information on the release, including the source (and hashes/signatures), is available at:
https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.11

Thanks to everybody who helped in this process: reporting issues, making comments and suggestions, sending patches, etc.

Martin Vierula
Senior Security Researcher - ModSecurity
www.trustwave.com
Recognized by industry analysts as a leader in threat detection and response. https://www.trustwave.com/company/about-us/accolades/

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
From: Martin V. <Mar...@tr...> - 2023-07-25 22:01:12

ModSecurity is pleased to announce the release of version 3.0.10. This version contains a mixture of enhancements and bug fixes.

The official release announcement will appear shortly at https://www.trustwave.com/en-us/resources/security-resources/software-updates/

There is also a separate blog post describing issue #2934 in more detail at https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-v3-dos-vulnerability-in-four-transformations-cve-2023-38285/

Security impacting issue
- Fix: worst-case time in implementation of four transformations [Issue #2934 - @martinhsv]
  Poor worst-case performance in the transformations removeWhitespace, removeNull, replaceNull and removeCommentsChar could enable malicious individuals to cause some DoS effects. This item has been assigned CVE-2023-38285.

Enhancements and bug fixes
- Add TX synonym for MSC_PCRE_LIMITS_EXCEEDED [Issue #2901 - @airween]
- Make MULTIPART_PART_HEADERS accessible to lua [Issue #2916 - @martinhsv]
- Fix: Lua scripts cannot read whole collection at once [Issue #2900 - @udi-aharon, @airween, @martinhsv]
- Fix: quoted Include config with wildcard [Issue #2905 - @wiseelf, @airween, @martinhsv]
- Support isolated PCRE match limits [Issue #2736 - @brandonpayton, @martinhsv]
- Fix: meta actions not applied if multiMatch in first rule of chain [Issue #2867, #2868 - @mlevogiannis, @martinhsv]
- Fix: audit log may omit tags when multiMatch [Issue #2866 - @mlevogiannis]
- Exclude CRLF from MULTIPART_PART_HEADER value [Issue #2870 - @airween, @martinhsv]
- Configure: use AS_ECHO_N instead of echo -n [Issue #2894 - @liudongmiao, @martinhsv]
- Adjust position of memset from 2890 [Issue #2891 - @mirkodziadzka-avi, @martinhsv]

Additional information on the release, including the source (and hashes/signatures), is available at:
https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.10

Thanks to everybody who helped in this process: reporting issues, making comments and suggestions, sending patches, etc.

Martin Vierula
Senior Security Researcher - ModSecurity
www.trustwave.com
From: Martin V. <Mar...@tr...> - 2023-04-13 04:06:07

ModSecurity is pleased to announce the release of version 3.0.9. This version contains a mixture of enhancements and bug fixes.

The official release announcement will appear shortly at https://www.trustwave.com/en-us/resources/security-resources/software-updates/

Security issue
- Add some member variable inits in Transaction class (possible segfault) [Issue #2886 - @GNU-Plus-Windows-User, @airween, @mdounin, @martinhsv]
  In some configurations with certain inputs, this bug could result in a segfault and a resultant crash of a worker process. A large volume of such requests sent very quickly could lead to the server becoming slow or unresponsive to legitimate requests. This item has been assigned CVE-2023-28882.

Enhancements and bug fixes
- Fix: possible segfault on reload if duplicate ip+CIDR in ip match list [Issue #2877, #2890 - @tomsommer, @martinhsv]
- Resolve memory leak on reload (bison-generated variable) [Issue #2876 - @martinhsv]
- Support equals sign in XPath expressions [Issue #2328 - @dennus, @martinhsv]
- Encode two special chars in error.log output [Issue #2854 - @airween, @martinhsv]
- Add JIT support for PCRE2 [Issue #2791 - @wfjsw, @airween, @FireBurn, @martinhsv]
- Support comments in ipMatchFromFile file via '#' token [Issue #2554 - @tomsommer, @martinhsv]
- Use package name libmaxminddb with pkg-config [Issue #2595, #2596 - @frankvanbever, @ffontaine, @arnout]
- Fix: FILES_TMP_CONTENT collection key should use part name [Issue #2831 - @airween]
- Use AS_HELP_STRING instead of obsolete AC_HELP_STRING macro [Issue #2806 - @hughmcmaster]
- During configure, do not check for pcre if pcre2 specified [Issue #2750 - @dvershinin, @martinhsv]
- Use pkg-config to find libxml2 first [Issue #2714 - @hughmcmaster]
- Fix two rule-reload memory leak issues [Issue #2801 - @Abce, @martinhsv]
- Correct whitespace handling for Include directive [Issue #2800 - @877509395, @martinhsv]

Additional information on the release, including the source (and hashes/signatures), is available at:
https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.9

Thanks to everybody who helped in this process: reporting issues, making comments and suggestions, sending patches, etc.

Martin Vierula
Senior Security Researcher - ModSecurity
www.trustwave.com
From: Martin V. <Mar...@tr...> - 2023-01-05 15:12:57

ModSecurity is pleased to announce the release of version 2.9.7. This version includes a mixture of new features and bug fixes.

The official release announcement can be found at https://www.trustwave.com/en-us/resources/security-resources/software-updates/announcing-modsecurity-version-297/

Security impacting issues
- Fix: FILES_TMP_CONTENT may sometimes lack complete content [Issue #2857 - gieltje, @airween, @dune73, @martinhsv]

New features
- Support configurable limit on number of arguments processed [Issue #2844 - @jleproust, @martinhsv]
- Support for PCRE2 [Issue #2840, #2833, #2737, #2827 - @martinhsv]

Bug fixes and enhancements
- Silence compiler warning about discarded const [Issue #2843 - @Steve8291, @martinhsv]
- Use uid for user if apr_uid_name_get() fails [Issue #2046 - @arminabf, @marcstern]
- Fix: handle error with SecConnReadStateLimit configuration [Issue #2815, #2834 - @marcstern, @martinhsv]
- Adjustment of previous fix for log messages [Issue #2832 - @marcstern, @erkia]
- Mark apache error log messages as from mod_security2 [Issue #2781 - @erkia]
- Use pkg-config to find libxml2 first [Issue #2818 - @hughmcmaster]

Additional information on the release, including the source and binaries (and hashes/signatures), is available at:
https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.7

Thanks to everybody who helped in this process: reporting issues, making comments and suggestions, sending patches, etc.

Martin Vierula
Senior Security Researcher - ModSecurity
www.trustwave.com
From: Martin V. <Mar...@tr...> - 2022-09-08 21:41:49

ModSecurity is announcing the release of versions 2.9.6 and 3.0.8. Each of these releases contains a mixture of new features and bug fixes.

Additional information regarding 'New features and security impacting issues' is expected to be posted at https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/ beginning within a day or so.

v2.9.6:

New features and security impacting issues
- Adjust parser activation rules in modsecurity.conf-recommended [Issue #2799 - @terjanq, @martinhsv]
- Multipart parsing fixes and new MULTIPART_PART_HEADERS collection [Issue #2797 - @terjanq, @martinhsv]

Bug fixes
- Limit rsub null termination to where necessary [Issue #2794 - @marcstern, @martinhsv]
- IIS: Update dependencies for next planned release [@martinhsv]
- XML parser cleanup: NULL duplicate pointer [Issue #2760 - @martinhsv]
- Properly cleanup XML parser contexts upon completion [Issue #2239 - @argenet]
- Fix memory leak in streams [Issue #2208 - @marcstern, @vloup, @JamesColeman-LW]
- Fix: negative usec on log line when data type long is 32b [Issue #2753 - @ABrauer-CPT, @martinhsv]
- mlogc log-line parsing fails due to enhanced timestamp [Issue #2682 - @bozhinov, @ABrauer-CPT, @martinhsv]
- Allow no-key, single-value JSON body [Issue #2735 - @marcstern, @martinhsv]
- Set SecStatusEngine Off in modsecurity.conf-recommended [Issue #2717 - @un99known99, @martinhsv]
- Fix memory leak that occurs on JSON parsing error [Issue #2236 - @argenet, @vloup, @martinhsv]
- Multipart names/filenames may include single quote if double-quote enclosed [Issue #2352 - @martinhsv]
- Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended [Issue #2647 - @theMiddleBlue, @airween, @877509395, @martinhsv]

v3.0.8:

New features and security impacting issues
- Adjust parser activation rules in modsecurity.conf-recommended [Issue #2796 - @terjanq, @martinhsv]
- Multipart parsing fixes and new MULTIPART_PART_HEADERS collection [Issue #2795 - @terjanq, @martinhsv]

Bug fixes
- Prevent LMDB related segfault [Issue #2755, #2761 - @dvershinin]
- Fix msc_transaction_cleanup function comment typo [Issue #2788 - @lookat23]
- Fix: MULTIPART_INVALID_PART connected to wrong internal variable [Issue #2785 - @martinhsv]
- Restore Unique_id to include random portion after timestamp [Issue #2752, #2758 - @datkps11, @martinhsv]

Links to the github releases, which include the change list and source (and related hashes and signatures), are:
https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.8
https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.6

Martin Vierula
Senior Security Researcher - ModSecurity
www.trustwave.com
From: Martin V. <Mar...@tr...> - 2022-05-30 23:53:11

ModSecurity is pleased to announce the release of version 3.0.7 (libModSecurity). This version contains a mixture of new features and bug fixes.

New Features
- Support PCRE2 [Issue #2668 - @martinhsv]
  PCRE2 is now available as an option in libModSecurity. Initially, this functionality will mostly be of interest to those already wishing to use a version of nginx that both supports PCRE2 and uses it by default. Some notes on version compatibility between ModSecurity, ModSecurity-nginx, and nginx are available at #2719.
- Support SecRequestBodyNoFilesLimit [Issue #2670 - @airween, @martinhsv]
  The SecRequestBodyNoFilesLimit configuration directive was already present in modsecurity.conf-recommended but was not functional. The value specified via this directive is now respected by the processing, so users may wish to review the current value of their setting when upgrading to v3.0.7.
- Add ctl:auditEngine action support [Issue #2606 - @alekravch, @martinhsv]
  Support for the ctl:auditEngine action has been added with functionality comparable to v2: it allows a transaction-level override of the value normally specified by the SecAuditEngine configuration directive.

Bug fixes
- Move PCRE2 match block from member variable [@martinhsv]
- Add SecArgumentsLimit, 200007 to modsecurity.conf-recommended [Issue #2738 - @jleproust, @martinhsv]
- Fix memory leak when concurrent log includes REMOTE_USER [Issue #2727 - @liudongmiao]
- Fix LMDB initialization issues [Issue #2688 - @ziollek, @martinhsv]
- Fix initcol error message wording [Issue #2732 - @877509395, @martinhsv]
- Tolerate other parameters after boundary in multipart C-T [Issue #1900 - @martinhsv]
- Add DebugLog message for bad pattern in rx operator [Issue #2723 - @martinhsv]
- Fix misuses of LMDB API [Issue #2601, #2602 - @hyc]
- Fix duplication typo in code comment [Issue #2677 - @gleydsonsoares]
- Fix multiMatch msg, etc, population in audit log [Issue #2573 - @Sachin-M-Desai, @martinhsv]
- Fix some name handling for ARGS_*NAMES: regex SecRuleUpdateTargetById, etc. [Issue #2627, #2648 - @lontchianicet, @victorserbu2709, @martinhsv]
- Adjust confusing variable name in setRequestBody method [Issue #2635 - @Mesar-Ali, @martinhsv]
- Multipart names/filenames may include single quote if double-quote enclosed [Issue #2352 - @martinhsv]
- Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended [Issue #2647 - @theMiddleBlue, @airween, @877509395, @martinhsv]

Additional information on the release, including the source and binaries (and hashes/signatures), is available at:
https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.7

The list of open issues is available on GitHub:
https://github.com/SpiderLabs/ModSecurity/issues

Thanks to everybody who helped in this process: reporting issues, making comments and suggestions, sending patches, etc.

Martin Vierula
Security Researcher - ModSecurity
www.trustwave.com
From: Martin V. <Mar...@tr...> - 2021-11-23 01:12:37

ModSecurity is announcing the release of versions 2.9.5 and 3.0.6. Each of these releases contains only one notable change when compared with their respective predecessors.

A researcher identified a scenario where JSON-formatted HTTP request bodies with very large parsing depth could be used to enable a DoS attack. Both the v2 and v3 branches have been updated to address the issue by providing a configurable limit on the maximum parsing depth.

The change entries in the releases are as follows:

v3.0.6:

Security issue
- Support configurable limit on depth of JSON parsing (possible DoS issue) [@theMiddleBlue, @martinhsv]

v2.9.5:

Security issue
- Support configurable limit on depth of JSON parsing (possible DoS issue) [@theMiddleBlue, @airween, @dune73, @martinhsv]

A blog post with additional detail is expected to be posted at https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/ within a day. A new issue is also planned for https://github.com/SpiderLabs/ModSecurity/issues to provide a summary.

Links to the github releases, which include the change list and source (and related hashes and signatures), are:
https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.6
https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.5

Releases of ModSecurity 2.9.x are normally accompanied by IIS assets, however these are not yet available and are expected to be published separately in a few days.

Martin Vierula
Security Researcher - ModSecurity
www.trustwave.com
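The request-size and JSON-depth limits described in the 3.0.6/2.9.5 announcement above, together with the SecRequestBodyNoFilesLimit and ctl:auditEngine notes from the 3.0.7 announcement, as one added configuration example. This fragment is written for this page; it is not the project's modsecurity.conf-recommended and not code from any of the announcements. The numeric limits are placeholders to be sized per deployment, the rule ids 900001 and 900002 and the /healthz path are constructed, and the companion rule for SecArgumentsLimit is modelled on the idea of rule 200007 mentioned above rather than copied from it.

```apache
# Added example (not the project's recommended configuration).
# Limits, rule ids and paths below are constructed for illustration.

SecRuleEngine On
SecRequestBodyAccess On

# Hard cap on the whole request body, file uploads included.
SecRequestBodyLimit 13107200
# Cap on the body when no file upload is involved. v3 accepted this directive
# without enforcing it before 3.0.7, so an existing setting only takes effect
# after upgrading; review the value before rolling 3.0.7 out.
SecRequestBodyNoFilesLimit 131072
SecRequestBodyLimitAction Reject

# Bound the nesting depth the JSON body parser will follow (3.0.6 / 2.9.5+).
SecRequestBodyJsonDepthLimit 512

# Bound the number of arguments parsed out of a request (3.0.7 / 2.9.7+).
SecArgumentsLimit 1000
# Companion rule (constructed): when parsing stops at the limit, &ARGS reaches
# it, so reject instead of letting later rules inspect a truncated view.
SecRule &ARGS "@ge 1000" \
    "id:900001,phase:2,t:none,log,deny,status:400,\
    msg:'Argument count reached SecArgumentsLimit'"

# Audit logging: only transactions that ended in 5xx or 4xx (except 404).
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLogType Serial
SecAuditLog /var/log/modsec_audit.log

# Transaction-level override via ctl:auditEngine (added in 3.0.7, matching v2):
# a health-check endpoint whose responses should never reach the audit log.
SecRule REQUEST_URI "@beginsWith /healthz" \
    "id:900002,phase:1,pass,nolog,ctl:auditEngine=Off"
```

On upgrade, the directive worth checking first is SecRequestBodyNoFilesLimit: any value already in the file was ignored by v3 before 3.0.7 and becomes a real rejection threshold afterwards, so a value left over from a template can start blocking large form posts that previously passed.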
From: Felipe Z. <fe...@zi...> - 2021-07-07 23:07:49

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It is a pleasure to announce the release of ModSecurity version 3.0.5 (libModSecurity). This version contains several improvements in different areas, including new features, cleanups, overall performance improvements, and fixes.

A remarkable feature for version 3.0.5 is the limitation on the number of arguments to process; this is especially useful while inspecting JSON with a high number of key/values. Read more - https://github.com/SpiderLabs/ModSecurity/pull/2234

New features
- Having ARGS_NAMES, variables proxied [@zimmerle, @martinhsv, @KaNikita]
- Use explicit path for cross-compile environments. [Issue #2485 - @dtoubelis]
- Fix: FILES variable does not use multipart part name for key [Issue #2377 - @martinhsv]
- Regression: Mark the test as failed in case of segfault. [@zimmerle]
- GeoIP: switch to GEOIP_MEMORY_CACHE from GEOIP_INDEX_CACHE [Issues #2378, #2186 - @defanator]
- Add support to test framework for audit log content verification and add regression tests for issues #2000, #2196 [@zimmerle]
- Support configurable limit on number of arguments processed [Issue #2234 - @jleproust, @martinhsv]
- Multipart Content-Disposition should allow field: filename*= [@martinhsv]
- Adds support to lua 5.4 [@zimmerle]
- Add support for new operator rxGlobal [@martinhsv]

Bug fixes
- Replaces put with setenv in SetEnv action [Issue #2469 - @martinhsv, @WGH-, @zimmerle]
- Regex key selection should not be case-sensitive [Issue #2296, #2107, #2297 - @michaelgranzow-avi, @victorhora, @airween, @martinhsv, @zimmerle]
- Fix: Only delete Multipart tmp files after rules have run [Issue #2427 - @martinhsv]
- Fixed MatchedVar on chained rules [Issue #2423, #2435, #2436 - @michaelgranzow-avi]
- Fix maxminddb link on FreeBSD [Issue #2131 - @granalberto, @zimmerle]
- Fix IP address logging in Section A [Issue #2300 - @inaratech, @zavazingo, @martinhsv]
- rx: exit after full match (remove /g emulation); ensure capture groups occurring after unused groups still populate TX vars [Issue #2336 - @martinhsv]
- Correct CHANGES file entry for #2234
- Fix rule-update-target for non-regex [Issue #2251 - @martinhsv]
- Fix configure script when packaging for Buildroot [Issue #2235 - @frankvanbever]
- modsecurity.pc.in: add Libs.private [Issue #1918, #2253 - @ffontaine, @Dridi, @victorhora]

Security impacting issues
- Handle URI received with uri-fragment [@martinhsv]

The complete list of changes is available on our changelogs:
- https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.5

The source and binaries (and the respective hashes/signatures) are available at:
- https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.5

The list of open issues is available on GitHub:
- https://github.com/SpiderLabs/ModSecurity/labels/3.x

Stay tuned. We are going to release a follow-up blog post detailing the significant bits of this release.

Thanks to everybody who helped in this process: reporting issues, making comments and suggestions, sending patches, and participating in the community ;)

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iF0EARECAB0WIQQZDvrMoen6RmqOzZzm37CM6LESdwUCYOYt2wAKCRDm37CM6LES
d1tmAJ9fc8jBWOPX+76nGAm4fTl/2ZQVHACcCbJNBofbrmXU6Glc1CyZkBjE8wg=
=OIWQ
-----END PGP SIGNATURE-----
From: Felipe Z. <fe...@zi...> - 2021-06-21 23:13:38

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

It is a pleasure to announce ModSecurity version 2.9.4. Release 2.9.4 contains fixes and enhancements atop version 2.9.3.

The details on this release are available on GitHub:
- https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.4

Further details on ModSecurity v2 can be found on the project README:
- https://github.com/SpiderLabs/ModSecurity/tree/v2/master

The list of open issues is available on GitHub:
- https://github.com/SpiderLabs/ModSecurity/labels/2.x

IMPORTANT:
- Windows installer no longer includes OWASP CRS.
- Release files are no longer available on modsecurity.org, only on GitHub.
- ModSecurity version 2 will be available and maintained parallel to version 3. There is no ETA to deprecate version 2.x. ModSecurity versions 2 and 3 have a completely independent development/release cycle.

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iFwEARECAB0WIQQZDvrMoen6RmqOzZzm37CM6LESdwUCYNEVfgAKCRDm37CM6LES
dxUkAJ4naJ9ysl5HZPSEhmO0wxrLduDI4wCYzRhp8EuuSp/TW5uVNdF+eDl8UA==
=yA1i
-----END PGP SIGNATURE-----
From: Alberto G. I. <ag...@in...> - 2020-09-16 11:02:06

On Mon, Sep 14, 2020 at 11:52:25AM +0200, Christian Folini wrote:
> Known Affected Software Configurations:
>
> ModSecurity v3.0.0
> ModSecurity v3.0.1
> ModSecurity v3.0.2
> ModSecurity v3.0.3
> ModSecurity v3.0.4 (patch for this version available)
>
> More Information and patch: https://coreruleset.org/20200914/cve-2020-15598/

Hi all,

Ervin's updated package for v3.0.4 was just uploaded to Debian Sid and it's on its way to Debian. Also Ervin's patch for 3.0.3 will be released for Debian Stable, a.k.a. Buster, ASAP.

Regards,

Alberto (just signing and uploading packages)

--
Alberto Gonzalez Iniesta | Training, consulting and technical support
mailto/sip: ag...@in... | in GNU/Linux and free software
Encrypted mail preferred | http://inittab.com
Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
From: Christian F. <chr...@ne...> - 2020-09-14 09:52:48

Dear all,

ModSecurity v3.0.x is affected by a Denial of Service vulnerability due to the global matching of regular expressions. The combination of a non-anchored regular expression and the ModSecurity "capture" action can be exploited via a specially crafted payload.

While ModSecurity v2.x used to quit the execution of a regular expression after the first match, ModSecurity v3.0.x silently changed the behavior to global matching. This results in a DoS for existing non-anchored regexes in rules containing the "capture" action. It also fills the TX variable space beyond the documented limit of 10 instances.

The defense is handicapped due to the absence of the SecRequestBodyNoFilesLimit directive. The vendor Trustwave Spiderlabs dropped this functionality for ModSecurity v3.

The vendor did not publish a new release, but there is a patch that brings back the former behavior.

CVSSv3: 7.5 HIGH
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1

Exploitability Metrics:
* Attack Vector: Network
* Attack Complexity: Low
* Privileges Required: None
* User Interaction: None
* Scope: Unchanged

Impact Metrics:
* Confidentiality Impact: None
* Integrity Impact: None
* Availability Impact: High

Weakness Enumeration:
CWE-400: Uncontrolled Resource Consumption

Known Affected Software Configurations:
ModSecurity v3.0.0
ModSecurity v3.0.1
ModSecurity v3.0.2
ModSecurity v3.0.3
ModSecurity v3.0.4 (patch for this version available)

More Information and patch: https://coreruleset.org/20200914/cve-2020-15598/

Best regards,

Christian Folini and Ervin Hegedüs on behalf of the CRS team

--
OWASP ModSecurity Core Rule Set - https://coreruleset.org
From: Felipe Z. <fe...@zi...> - 2020-01-13 18:19:34

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi

It is a pleasure to announce the release of ModSecurity version 3.0.4 (libModSecurity). This version contains a number of improvements in different areas. These include cleanups, better practices for improved code readability, resilience and overall performance and security fixes.

A huge refactoring was placed on the Regex engine, which is now more performant. The Logging was polished and hex-encoded strings are now pretty printed. An operator to detect Australian social security number was added. The audit log is now working with section H and better dealing with logs, nologs and auditlogs combinations.

POTENTIAL SECURITY ISSUES:
- Cookie parser problems [@theMiddleBlue, @airween, @martinhsv]

The list with the full changes can be found on the project CHANGES file, available here:
- https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.4/CHANGES

The list of open issues is available on GitHub:
- https://github.com/SpiderLabs/ModSecurity/labels/3.x

As with every new release, a milestone was created to host all the issues that will be fixed till we reach the given milestone. With that, we not only give the community the full transparency of the work that is being done on ModSec, but also even more chances to participate. Milestones give the chance to anyone from the community to deduce when and what will be released.

Thanks to everybody who helped in this process: reporting issues, making comments and suggestions, sending patches and so on.

Further details on the compilation process for ModSecurity v3 can be found on the project README:
- https://github.com/SpiderLabs/ModSecurity/tree/v3/master#compilation

Complementary documentation for the connectors is available here:
- nginx: https://github.com/SpiderLabs/ModSecurity-nginx/#compilation
- Apache: https://github.com/SpiderLabs/ModSecurity-apache/#compilation

IMPORTANT: ModSecurity version 2 will be available and maintained parallel to version 3. There is no ETA to deprecate the version 2.x. New features and major improvements will be implemented on version 3.x. Security or major bugs are planned to be backported. Version 2 and version 3 have a completely independent development/release cycle.

Br.,
Felipe "Zimmerle" Costa

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iF0EARECAB0WIQQZDvrMoen6RmqOzZzm37CM6LESdwUCXhxx8QAKCRDm37CM6LES
dy8jAJ4l6Goa0qn+RyxwrFPa8Zjl9t8HagCeJeHULU8EsT2M2S0Ho6ROgOdQstM=
=GeNp
-----END PGP SIGNATURE-----
From: Victor H. <VH...@tr...> - 2018-12-05 17:03:10
We are happy to announce ModSecurity version 2.9.3!

As previously announced, libModSecurity has reached the official stable stage and has been released for almost a year now. Therefore, new features and major improvements will be implemented only on version 3.x. Security or *major* bugs are planned to be back ported.

Still, in an effort to keep our commitment with the community, 2.9.3 still contains a number of improvements in different areas. These include optimizations in the code, updating all dependencies, updating the embedded CRS version of the IIS build, clean ups, support for other architectures, among other changes. In addition to these improvements, a few key issues were fixed, including mpm-itk / mod_ruid2 compatibility, which was a roadblock for some CPANEL ModSecurity users, and many other improvements focused on improving performance, usability and code resilience.

POTENTIAL SECURITY ISSUES:
- Fix ip tree lookup on netmask content [@tinselcity]
- potential off by one in parse_arguments [@tinselcity]

The complete list of changes is available in our change logs:
- https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.3

The source and binaries (and the respective hashes/signatures) are available at:
- https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.3

The documentation for this release is available at:
- https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual-%28v2.x%29

The list of open issues is available on GitHub:
- https://github.com/SpiderLabs/ModSecurity/labels/2.x

As with every new release, a milestone was created to host all the issues that will be fixed till we reach the given milestone. With that, we not only give the community full transparency of the work that is being done on ModSec, but also even more chances to participate. Milestones give anyone from the community the chance to deduce when and what will be released. For instance, the 2.9.4 milestone is in progress even before the 2.9.3 milestone is closed. Some of the active milestones from the ModSecurity project follow:
- milestone v2.9.3: https://github.com/SpiderLabs/ModSecurity/milestone/10
- milestone v2.9.4: https://github.com/SpiderLabs/ModSecurity/milestone/14

Thanks to everybody who helped in this process: reporting issues, making comments and suggestions, sending patches and so on.
From: Ervin H. <ai...@gm...> - 2018-10-31 23:02:10
Hi Alberto,

On Fri, Oct 19, 2018 at 10:39:00AM +0200, Alberto Gonzalez Iniesta wrote:
> Hi,
>
> I'm happy to announce that the package for (lib)mod-security 3.x entered
> Debian unstable this week. But some issues arose in the testing suite
> with some/all of the architectures:
>
> - In most of them this test fails:
>
> ./regression_tests .././test/test-cases/regression/variable-ENV.json:1
> :test-result: FAIL variable-ENV.json:Testing Variables :: ENV (2/3)
>
> - In some (i.e. s390) a bunch of ip matching rules tests fail [1]
>
>
> You may see all the build logs here:
> https://buildd.debian.org/status/package.php?p=modsecurity&suite=sid
>
> Some help with these issues would be really appreciated.

As we discussed previously, the make check (dh_auto_test) was fixed with a temporary TERM environment.

Meantime I've worked on the package and made a branch for it:

https://github.com/airween/ModSecurity/tree/v3/debian

I didn't find any modsecurity repository on Salsa, so I thought it would be better to first commit only to my repository.

Please review it - lintian only gives _one_ warning (nothing else!):

P: modsecurity source: debian-watch-does-not-check-gpg-signature

See the changelog for the full list of modifications:

https://github.com/airween/ModSecurity/blob/v3/debian/debian/changelog

I think that the package isn't ready, there are several steps to do to finish (eg: python library package - but as I see, the Python binding in this format is not so fine. I'll check it soon). Documentation is also missing (the doc/ directory contains only a Makefile and a doxygen.conf).

Regards,

a.

> Regards,
>
> Alberto
>
>
> [1]
>
> ./regression_tests .././test/test-cases/regression/operator-ipMatchFromFile.json:1
> :test-result: PASS operator-ipMatchFromFile.json:Testing Operator :: @ipMatchFromFile - file not found
>
> ./regression_tests .././test/test-cases/regression/operator-ipMatchFromFile.json:2
> :test-result: FAIL operator-ipMatchFromFile.json:Testing Operator :: @ipMatchFromFile - https
>
> RUN: test/test-cases/secrules-language-tests/operators/ipMatch.json
> ===================================================================
>
> :test-result: FAIL ipMatch 10.10.10.10
> :test-result: PASS ipMatch 10.10.10.11
> :test-result: FAIL ipMatch 10.10.10.11
> :test-result: PASS ipMatch 10.10.7.254
> :test-result: FAIL ipMatch 10.10.8.1
> :test-result: PASS ipMatch 10.10.16.1
> :test-result: FAIL ipMatch 10.10.15.254
> :test-result: FAIL ipMatch 192.168.1.254
> :test-result: PASS ipMatch 10.10.10.11
> :test-result: FAIL ipMatch 156.149.152.152
> :test-result: PASS ipMatch 10.10.10.11
> :test-result: FAIL ipMatch 10.0.0.11
> :test-result: FAIL ipMatch 10.10.10.11
> :test-result: FAIL ipMatch 10.10.10.11
>
>
>
>
> --
> Alberto Gonzalez Iniesta | Training, consulting and technical support
> mailto/sip: ag...@in... | in GNU/Linux and free software
> Encrypted mail preferred | http://inittab.com
>
> Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
>
>
> _______________________________________________
> mod-security-packagers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-packagers
From: Ervin H. <ai...@gm...> - 2018-10-21 14:28:45
Hi all,

On Fri, Oct 19, 2018 at 07:34:48PM +0200, Alberto Gonzalez Iniesta wrote:
> Neither can I, that's why I asked for help :-)
> Those errors are from build daemons. Logs:
>
> > > > https://buildd.debian.org/status/package.php?p=modsecurity&suite=sid

Looks like I have the solution.

Here is the build log:

https://buildd.debian.org/status/fetch.php?pkg=modsecurity&arch=i386&ver=3.0.2-1&stamp=1539703808&raw=0

and here is the failed test:

:test-result: FAIL variable-ENV.json:Testing Variables :: ENV (2/3)
./regression_tests .././test/test-cases/regression/variable-ENV.json:2

Here is the 2nd test in that file:

    "expected":{
      "debug_log":"Variable: ENV:TERM"
    },
    "rules":[
      "SecRuleEngine On",
      "SecRule ENV:TERM \"@contains test\" \"id:1,phase:3,pass,t:trim\""
    ]

So the expected result is that the test shows the TERM environment variable. But it looks like sbuild (which is the official build system of Debian) doesn't have that ENV variable during the build flow. That's why Felipe and I could build and run the test cases successfully, but the build daemon can't.

I've installed sbuild on my unstable VM, and made this modification:

8,9d7
< export TERM=$(shell if [ -z $TERM ]; then echo "linux"; else echo $TERM; fi)
<

The new version of d/rules looks like this:

==%==
#!/usr/bin/make -f

DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)

# move modsec-rules-check (lib debugging/testing tool) to libexec to avoid
# an extra package while keeping the library package multiarch
CONFIGURE_EXTRA_FLAGS += --bindir=\$${prefix}/lib/$(DEB_HOST_MULTIARCH)/libexec

export TERM=$(shell if [ -z $TERM ]; then echo "linux"; else echo $TERM; fi)

%:
	dh $@
...
==%==

Note that we could put a simple "export TERM=linux" line into rules, but if somebody wants to build the package for their own use, then it overwrites their TERM env; this solution prevents that.

Maybe there is another, more elegant way to pass an ENV to dh (debhelper), but only this worked for me.

Hope that it helps you :),

regards,

a.
From: Ervin H. <ai...@gm...> - 2018-10-19 20:47:53
Hi folks,

On Fri, Oct 19, 2018 at 07:34:48PM +0200, Alberto Gonzalez Iniesta wrote:
> Neither can I, that's why I asked for help :-)
> Those errors are from build daemons. Logs:
>
> > > > https://buildd.debian.org/status/package.php?p=modsecurity&suite=sid

Just a quick notice: in this list, I just found the logfile for i386:

https://buildd.debian.org/status/fetch.php?pkg=modsecurity&arch=i386&ver=3.0.2-1&stamp=1539703808&raw=0

but there isn't a logfile for amd64. Maybe there is an architectural difference which triggers this error - I still can't reproduce it on amd64, but the other 3 FAIL tests occur with another method. I think that if I can find the reason for these bugs, we can fix it on i386 too.

The 3 failed tests occur only in chroot, but all of them always come. When I leave the chroot, but it's still mounted, change dir to it and run the test again, then I also get an error, but for another test case:

Test failed.
From: test-cases/regression/operator-detectxss.json.
Test name: Testing Operator :: @detectXSS.
Reason: Debug log was not matching the expected results.
Expecting: Added DetectXSS match TX.0: f\(f\(f
Debug log:

If I build the package out of chroot, all tests have passed.

I'll continue at the weekend.

Regards,

a.
From: Alberto G. I. <ag...@in...> - 2018-10-19 17:35:03
Neither can I, that's why I asked for help :-)
Those errors are from build daemons. Logs:

> > > https://buildd.debian.org/status/package.php?p=modsecurity&suite=sid

Cheers,

Alberto

On Fri, Oct 19, 2018 at 10:21:14AM -0300, Felipe Zimmerle wrote:
> Hi,
>
> Good to hear that we are having those packages :) that should increase even
> more the adoption of v3 :) Kudos!!!!
>
> Same as Ervin here, I am not able to reproduce the regression tests
> failures. Do you mind to share the configuration/compilation logs?
>
> Br.,
> F.
>
>
> On Fri, Oct 19, 2018 at 10:14 AM Ervin Hegedüs <ai...@gm...> wrote:
>
> > Hi Alberto,
> >
> > On Fri, Oct 19, 2018 at 10:39:00AM +0200, Alberto Gonzalez Iniesta wrote:
> > > Hi,
> > >
> > > I'm happy to announce that the package for (lib)mod-security 3.x entered
> > > Debian unstable this week. But some issues arose in the testing suite
> > > with some/all of the architectures:
> > >
> > > - In most of them this test fails:
> > >
> > > ./regression_tests .././test/test-cases/regression/variable-ENV.json:1
> > > :test-result: FAIL variable-ENV.json:Testing Variables :: ENV (2/3)
> > >
> > > - In some (i.e. s390) a bunch of ip matching rules tests fail [1]
> > >
> > >
> > > You may see all the build logs here:
> > > https://buildd.debian.org/status/package.php?p=modsecurity&suite=sid
> > >
> > > Some help with these issues would be really appreciated.
> >
> > I've grabbed your source, here is some info:
> >
> > $ cat /etc/debian_version
> > buster/sid
> >
> > Everything is up-to-date (I'm after an apt-get update, apt-get
> > dist-upgrade).
> >
> > apt-get source modsecurity
> > Reading package lists... Done
> > Need to get 2798 kB of source archives.
> > Get:1 http://cdn-fastly.deb.debian.org/debian sid/main modsecurity 3.0.2-1 (dsc) [1967 B]
> > Get:2 http://cdn-fastly.deb.debian.org/debian sid/main modsecurity 3.0.2-1 (tar) [2793 kB]
> > Get:3 http://cdn-fastly.deb.debian.org/debian sid/main modsecurity 3.0.2-1 (diff) [2924 B]
> > Fetched 2798 kB in 1s (2651 kB/s)
> > dpkg-source: info: extracting modsecurity in modsecurity-3.0.2
> > dpkg-source: info: unpacking modsecurity_3.0.2.orig.tar.gz
> > dpkg-source: info: unpacking modsecurity_3.0.2-1.debian.tar.xz
> >
> > cd modsecurity-3.0.2
> >
> > debuild -us -uc
> > ...
> > make check-TESTS
> > make[3]: Entering directory '/home/airween/debian/modsecurity-3.0.2'
> > make[4]: Entering directory '/home/airween/debian/modsecurity-3.0.2'
> > ( 3/ 0/ 3): test/test-cases/regression/action-ctl_request_body_access.json
> > ( 3/ 0/ 3): test/test-cases/regression/action-ctl_request_body_processor.json
> > ...
> > ( 3/ 0/ 3): test/test-cases/regression/config-secremoterules.json
> >
> > ============================================================================
> > Testsuite summary for modsecurity 3.0
> > ============================================================================
> > # TOTAL: 4740
> > # PASS:  4740
> > # SKIP:  0
> > # XFAIL: 0
> > # FAIL:  0
> > # XPASS: 0
> > # ERROR: 0
> > ...
> > ...
> > Now running lintian modsecurity_3.0.2-1_amd64.changes ...
> > Finished running lintian.
> >
> > And that's it.
> >
> >
> > Check it by hand:
> >
> > cd test/
> > ./regression_tests .././test/test-cases/regression/variable-ENV.json
> > ModSecurity 3.0.2 - tests
> > (options are not available -- missing GetOpt)
> >
> >   #  File Name            Test Name                          Passed?
> > ---  ---------            ---------                          -------
> >   1  variable-ENV.json    Testing Variables :: ENV (1/3)     passed!
> >   2  variable-ENV.json    Testing Variables :: ENV (2/3)     passed!
> >   3  variable-ENV.json    Testing Variables :: ENV (3/3)     passed!
> >
> > Ran a total of: 3 regression tests - All tests passed. 0 skipped test(s). 0 disabled test(s).
> >
> >
> > I've tried with pbuilder, here is the relevant part of the log:
> >
> > ( 3/ 0/ 3): test/test-cases/regression/variable-ENV.json
> > ...
> > ...
> > RUN: test/test-cases/regression/variable-ENV.json
> > =================================================
> >
> > :test-result: PASS variable-ENV.json:Testing Variables :: ENV (1/3)
> >
> > ./regression_tests .././test/test-cases/regression/variable-ENV.json:1
> > :test-result: PASS variable-ENV.json:Testing Variables :: ENV (2/3)
> >
> > ./regression_tests .././test/test-cases/regression/variable-ENV.json:2
> > :test-result: PASS variable-ENV.json:Testing Variables :: ENV (3/3)
> >
> > ./regression_tests .././test/test-cases/regression/variable-ENV.json:3
> > ...
> >
> >
> > (but there are other failed tests with pbuilder:
> >
> > RUN: test/test-cases/regression/config-secremoterules.json
> > ==========================================================
> >
> > :test-result: FAIL config-secremoterules.json:Include remote rules
> >
> > ./regression_tests .././test/test-cases/regression/config-secremoterules.json:1
> > :test-result: FAIL config-secremoterules.json:Include remote rules - failed download (Abort)
> >
> > ./regression_tests .././test/test-cases/regression/config-secremoterules.json:2
> > :test-result: PASS config-secremoterules.json:Include remote rules - failed download (Warn)
> >
> >
> > This occurred, I guess, because I'm behind a proxy and didn't pass the
> > http_proxy env to pbuilder.
> >
> >
> >
> > ./regression_tests .././test/test-cases/regression/operator-ipMatchFromFile.json:2
> > :test-result: FAIL operator-ipMatchFromFile.json:Testing Operator :: @ipMatchFromFile - https
> >
> > ./regression_tests .././test/test-cases/regression/operator-ipMatchFromFile.json:3
> >
> > also could be caused by a network problem)
> >
> >
> > I can't reproduce your issue on amd64 arch.
> >
> >
> > Maybe this can help you, here is the output of ldd of the compiled shared
> > object which was built in the regular system (not with pbuilder):
> >
> > https://pastebin.com/svAjTek9
> >
> > maybe some library is needed...?
> >
> >
> > regards,
> >
> >
> > a.

--
Alberto Gonzalez Iniesta | Training, consulting and technical support
mailto/sip: ag...@in... | in GNU/Linux and free software
Encrypted mail preferred | http://inittab.com

Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
From: Felipe Z. <fe...@zi...> - 2018-10-19 14:56:35
Hi,

Regardless of the dependencies, the test should not fail. There are three different possible results for a test case: Pass, Fail, Disable. Disable is used when an optional resource was disabled, either because it was manually disabled or because the build did not manage to find the needed dependency.

In the config.log we may be able to identify the optional libraries. I would recommend building with all dependencies. The configure output should be somewhat similar to this:

ModSecurity - v3.0.2-131-g8d8c8748 for Linux

 Mandatory dependencies
   + libInjection                                  ....v3.0.2-131-g8d8c8748
   + SecLang tests                                 ....8d8c8748

 Optional dependencies
   + GeoIP/MaxMind                                 ....found
      * (MaxMind) v1.3.2
         -lmaxminddb , -DWITH_MAXMIND
      * (GeoIP) v1.6.12
         -lGeoIP , -I/usr/include/
   + LibCURL                                       ....found v7.61.1
      -lcurl, -DWITH_CURL_SSLVERSION_TLSv1_2 -DWITH_CURL
   + YAJL                                          ....found v2.1.0
      -lyajl , -DWITH_YAJL -I/usr/include/yajl
   + LMDB                                          ....disabled
   + LibXML2                                       ....found v2.9.8
      -lxml2 -lz -llzma -licui18n -licuuc -licudata -lm -ldl, -I/usr/include/libxml2 -DWITH_LIBXML2
   + SSDEEP                                        ....found
      -lfuzzy -L/usr/lib/, -DWITH_SSDEEP -I/usr/include
   + LUA                                           ....found v503
      -llua5.3 -L/usr/lib/, -DWITH_LUA -I/usr/include

 Other Options
   + Test Utilities                                ....enabled
   + SecDebugLog                                   ....enabled
   + afl fuzzer                                    ....disabled
   + library examples                              ....enabled
   + Building parser                               ....disabled
   + Treating pm operations as critical section    ....disabled

I am afraid we may have a problem in our build scripts, due to a missing header or library. The script may be confused at the time it makes an educated guess about the platform, leading to run time issues in structures like the one used to map IPs. But that is just a guess, I have to see the logs to tell for sure.

Optional dependency list: lua, ssdeep, libxml2, yajl, libcurl, maxmind.

Br.,
F.

On Fri, Oct 19, 2018 at 11:26 AM Ervin Hegedüs <ai...@gm...> wrote:
> Hi Felipe,
>
> On Fri, Oct 19, 2018 at 10:21:14AM -0300, Felipe Zimmerle wrote:
> > Hi,
> >
> > Good to hear that we are having those packages :) that should increase even
> > more the adoption of v3 :) Kudos!!!!
>
> we're just going to have the package, I think it's a little bit
> far, but even closer :)
>
> > Same as Ervin here, I am not able to reproduce the regression tests
> > failures. Do you mind to share the configuration/compilation logs?
>
> which logs do you mean? pbuilder or "native" build logs?
>
> I'm afraid that the result misleads us (you and me), because (I
> think) you also have a build environment with several installed
> libraries, which aren't mandatory.
>
> That's in my build system (which is a simple LXC container) - I've
> built modsecurity several times :), in different ways...
>
> But the error comes only on Debian's build environment, where the
> builder flow starts in a "clean" base system, and it installs the
> necessary packages, which the developer/maintainer listed in
> d/control.... I don't know yet, I'll check it out this
> weekend.
>
>
>
> Regards,
>
>
> a.
>
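As an added example (not code from the ModSecurity project or from anyone in this thread), a small POSIX shell check a packager could run over the configure summary shown above, so a build whose optional dependencies silently ended up "disabled" fails early instead of shipping a library with missing features and Disable'd regression tests. The summary text below is constructed to match the layout of the configure output quoted in the message, and the list of expected optional dependencies is the one Felipe gives.

```shell
#!/bin/sh
# Added example: verify a libModSecurity configure summary before packaging.
# SAMPLE_CONFIGURE_SUMMARY is constructed here to mirror the configure
# output quoted in the thread; it is not captured from a real build.

SAMPLE_CONFIGURE_SUMMARY='ModSecurity - v3.0.2-131-g8d8c8748 for Linux

 Mandatory dependencies
   + libInjection                                  ....v3.0.2-131-g8d8c8748
   + SecLang tests                                 ....8d8c8748

 Optional dependencies
   + GeoIP/MaxMind                                 ....found
      * (MaxMind) v1.3.2
   + LibCURL                                       ....found v7.61.1
   + YAJL                                          ....found v2.1.0
   + LMDB                                          ....disabled
   + LibXML2                                       ....found v2.9.8
   + SSDEEP                                        ....found
   + LUA                                           ....found v503

 Other Options
   + Test Utilities                                ....enabled
   + SecDebugLog                                   ....enabled
   + afl fuzzer                                    ....disabled
   + library examples                              ....enabled'

# Names of optional dependencies reported as "....disabled", one per line.
# Reads the summary on stdin. Only the "Optional dependencies" section is
# inspected, so disabled entries under "Other Options" (afl fuzzer, ...)
# are not reported: those are build options, not missing libraries.
disabled_optional_deps() {
    awk '
        /^ *Optional dependencies/                    { in_opt = 1; next }
        /^ *(Mandatory dependencies|Other Options)/   { in_opt = 0; next }
        in_opt && /^ *\+ / && /\.\.\.\.disabled/ {
            name = $0
            sub(/^ *\+ */, "", name)        # drop the leading "+ "
            sub(/ *\.\.\.\..*$/, "", name)  # drop the "....status" tail
            print name
        }
    '
}

# Return 0 only when every optional dependency from the list given in the
# thread (lua, ssdeep, libxml2, yajl, libcurl, maxmind) shows up as
# "....found" in the summary passed as $1; otherwise name the missing ones
# on stderr and return 1, which makes a packaging build abort.
check_configure_summary() {
    summary="$1"
    rc=0
    for dep in "GeoIP/MaxMind" "LibCURL" "YAJL" "LMDB" "LibXML2" "SSDEEP" "LUA"; do
        if ! printf '%s\n' "$summary" | grep -q "^ *+ $dep  *\.\.\.\.found"; then
            echo "optional dependency not found/enabled: $dep" >&2
            rc=1
        fi
    done
    return $rc
}

# Demo on the constructed sample: prints "LMDB".
printf '%s\n' "$SAMPLE_CONFIGURE_SUMMARY" | disabled_optional_deps
```

In a debian/rules or CI step the check would be fed the real output, e.g. `./configure ... | tee configure.out` followed by `check_configure_summary "$(cat configure.out)"`.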
From: Ervin H. <ai...@gm...> - 2018-10-19 14:26:14
Hi Felipe,

On Fri, Oct 19, 2018 at 10:21:14AM -0300, Felipe Zimmerle wrote:
> Hi,
>
> Good to hear that we are having those packages :) that should increase even
> more the adoption of v3 :) Kudos!!!!

we're just going to have the package, I think it's a little bit far, but even closer :)

> Same as Ervin here, I am not able to reproduce the regression tests
> failures. Do you mind to share the configuration/compilation logs?

which logs do you mean? pbuilder or "native" build logs?

I'm afraid that the result misleads us (you and me), because (I think) you also have a build environment with several installed libraries, which aren't mandatory.

That's in my build system (which is a simple LXC container) - I've built modsecurity several times :), in different ways...

But the error comes only on Debian's build environment, where the builder flow starts in a "clean" base system, and it installs the necessary packages, which the developer/maintainer listed in d/control.... I don't know yet, I'll check it out this weekend.

Regards,

a.
From: Felipe Z. <fe...@zi...> - 2018-10-19 13:51:35
Hi,

Good to hear that we are having those packages :) that should increase even more the adoption of v3 :) Kudos!!!!

Same as Ervin here, I am not able to reproduce the regression tests failures. Do you mind to share the configuration/compilation logs?

Br.,
F.

On Fri, Oct 19, 2018 at 10:14 AM Ervin Hegedüs <ai...@gm...> wrote:

> Hi Alberto,
>
> On Fri, Oct 19, 2018 at 10:39:00AM +0200, Alberto Gonzalez Iniesta wrote:
> > Hi,
> >
> > I'm happy to announce that the package for (lib)mod-security 3.x entered
> > Debian unstable this week. But some issues arose in the testing suite
> > with some/all of the architectures:
> >
> > - In most of them this test fails:
> >
> > ./regression_tests .././test/test-cases/regression/variable-ENV.json:1
> > :test-result: FAIL variable-ENV.json:Testing Variables :: ENV (2/3)
> >
> > - In some (i.e. s390) a bunch of ip matching rules tests fail [1]
> >
> >
> > You may see all the build logs here:
> > https://buildd.debian.org/status/package.php?p=modsecurity&suite=sid
> >
> > Some help with these issues would be really appreciated.
>
> I've grabbed your source, here is some info:
>
> $ cat /etc/debian_version
> buster/sid
>
> Everything is up-to-date (I'm after an apt-get update, apt-get
> dist-upgrade).
>
> apt-get source modsecurity
> Reading package lists... Done
> Need to get 2798 kB of source archives.
> Get:1 http://cdn-fastly.deb.debian.org/debian sid/main modsecurity 3.0.2-1 (dsc) [1967 B]
> Get:2 http://cdn-fastly.deb.debian.org/debian sid/main modsecurity 3.0.2-1 (tar) [2793 kB]
> Get:3 http://cdn-fastly.deb.debian.org/debian sid/main modsecurity 3.0.2-1 (diff) [2924 B]
> Fetched 2798 kB in 1s (2651 kB/s)
> dpkg-source: info: extracting modsecurity in modsecurity-3.0.2
> dpkg-source: info: unpacking modsecurity_3.0.2.orig.tar.gz
> dpkg-source: info: unpacking modsecurity_3.0.2-1.debian.tar.xz
>
> cd modsecurity-3.0.2
>
> debuild -us -uc
> ...
> make check-TESTS
> make[3]: Entering directory '/home/airween/debian/modsecurity-3.0.2'
> make[4]: Entering directory '/home/airween/debian/modsecurity-3.0.2'
> ( 3/ 0/ 3): test/test-cases/regression/action-ctl_request_body_access.json
> ( 3/ 0/ 3): test/test-cases/regression/action-ctl_request_body_processor.json
> ...
> ( 3/ 0/ 3): test/test-cases/regression/config-secremoterules.json
>
> ============================================================================
> Testsuite summary for modsecurity 3.0
> ============================================================================
> # TOTAL: 4740
> # PASS:  4740
> # SKIP:  0
> # XFAIL: 0
> # FAIL:  0
> # XPASS: 0
> # ERROR: 0
> ...
> ...
> Now running lintian modsecurity_3.0.2-1_amd64.changes ...
> Finished running lintian.
>
> And that's it.
>
>
> Check it by hand:
>
> cd test/
> ./regression_tests .././test/test-cases/regression/variable-ENV.json
> ModSecurity 3.0.2 - tests
> (options are not available -- missing GetOpt)
>
>   #  File Name            Test Name                          Passed?
> ---  ---------            ---------                          -------
>   1  variable-ENV.json    Testing Variables :: ENV (1/3)     passed!
>   2  variable-ENV.json    Testing Variables :: ENV (2/3)     passed!
>   3  variable-ENV.json    Testing Variables :: ENV (3/3)     passed!
>
> Ran a total of: 3 regression tests - All tests passed. 0 skipped test(s). 0 disabled test(s).
>
>
> I've tried with pbuilder, here is the relevant part of the log:
>
> ( 3/ 0/ 3): test/test-cases/regression/variable-ENV.json
> ...
> ...
> RUN: test/test-cases/regression/variable-ENV.json
> =================================================
>
> :test-result: PASS variable-ENV.json:Testing Variables :: ENV (1/3)
>
> ./regression_tests .././test/test-cases/regression/variable-ENV.json:1
> :test-result: PASS variable-ENV.json:Testing Variables :: ENV (2/3)
>
> ./regression_tests .././test/test-cases/regression/variable-ENV.json:2
> :test-result: PASS variable-ENV.json:Testing Variables :: ENV (3/3)
>
> ./regression_tests .././test/test-cases/regression/variable-ENV.json:3
> ...
>
>
> (but there are other failed tests with pbuilder:
>
> RUN: test/test-cases/regression/config-secremoterules.json
> ==========================================================
>
> :test-result: FAIL config-secremoterules.json:Include remote rules
>
> ./regression_tests .././test/test-cases/regression/config-secremoterules.json:1
> :test-result: FAIL config-secremoterules.json:Include remote rules - failed download (Abort)
>
> ./regression_tests .././test/test-cases/regression/config-secremoterules.json:2
> :test-result: PASS config-secremoterules.json:Include remote rules - failed download (Warn)
>
>
> This occurred, I guess, because I'm behind a proxy and didn't pass the
> http_proxy env to pbuilder.
>
>
>
> ./regression_tests .././test/test-cases/regression/operator-ipMatchFromFile.json:2
> :test-result: FAIL operator-ipMatchFromFile.json:Testing Operator :: @ipMatchFromFile - https
>
> ./regression_tests .././test/test-cases/regression/operator-ipMatchFromFile.json:3
>
> also could be caused by a network problem)
>
>
> I can't reproduce your issue on amd64 arch.
>
>
> Maybe this can help you, here is the output of ldd of the compiled shared
> object which was built in the regular system (not with pbuilder):
>
> https://pastebin.com/svAjTek9
>
> maybe some library is needed...?
>
>
> regards,
>
>
> a.
From: Ervin H. <ai...@gm...> - 2018-10-19 13:14:35
Hi Alberto,

On Fri, Oct 19, 2018 at 10:39:00AM +0200, Alberto Gonzalez Iniesta wrote:
> Hi,
>
> I'm happy to announce that the package for (lib)mod-security 3.x entered
> Debian unstable this week. But some issues arose in the testing suite
> with some/all of the architectures:
>
> - In most of them this test fails:
>
> ./regression_tests .././test/test-cases/regression/variable-ENV.json:1
> :test-result: FAIL variable-ENV.json:Testing Variables :: ENV (2/3)
>
> - In some (i.e. s390) a bunch of ip matching rules tests fail [1]
>
>
> You may see all the build logs here:
> https://buildd.debian.org/status/package.php?p=modsecurity&suite=sid
>
> Some help with these issues would be really appreciated.

I've grabbed your source, here is some info:

$ cat /etc/debian_version
buster/sid

Everything is up-to-date (I'm after an apt-get update, apt-get dist-upgrade).

apt-get source modsecurity
Reading package lists... Done
Need to get 2798 kB of source archives.
Get:1 http://cdn-fastly.deb.debian.org/debian sid/main modsecurity 3.0.2-1 (dsc) [1967 B]
Get:2 http://cdn-fastly.deb.debian.org/debian sid/main modsecurity 3.0.2-1 (tar) [2793 kB]
Get:3 http://cdn-fastly.deb.debian.org/debian sid/main modsecurity 3.0.2-1 (diff) [2924 B]
Fetched 2798 kB in 1s (2651 kB/s)
dpkg-source: info: extracting modsecurity in modsecurity-3.0.2
dpkg-source: info: unpacking modsecurity_3.0.2.orig.tar.gz
dpkg-source: info: unpacking modsecurity_3.0.2-1.debian.tar.xz

cd modsecurity-3.0.2

debuild -us -uc
...
make check-TESTS
make[3]: Entering directory '/home/airween/debian/modsecurity-3.0.2'
make[4]: Entering directory '/home/airween/debian/modsecurity-3.0.2'
( 3/ 0/ 3): test/test-cases/regression/action-ctl_request_body_access.json
( 3/ 0/ 3): test/test-cases/regression/action-ctl_request_body_processor.json
...
( 3/ 0/ 3): test/test-cases/regression/config-secremoterules.json

============================================================================
Testsuite summary for modsecurity 3.0
============================================================================
# TOTAL: 4740
# PASS:  4740
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0
...
...
Now running lintian modsecurity_3.0.2-1_amd64.changes ...
Finished running lintian.

And that's it.


Check it by hand:

cd test/
./regression_tests .././test/test-cases/regression/variable-ENV.json
ModSecurity 3.0.2 - tests
(options are not available -- missing GetOpt)

  #  File Name            Test Name                          Passed?
---  ---------            ---------                          -------
  1  variable-ENV.json    Testing Variables :: ENV (1/3)     passed!
  2  variable-ENV.json    Testing Variables :: ENV (2/3)     passed!
  3  variable-ENV.json    Testing Variables :: ENV (3/3)     passed!

Ran a total of: 3 regression tests - All tests passed. 0 skipped test(s). 0 disabled test(s).


I've tried with pbuilder, here is the relevant part of the log:

( 3/ 0/ 3): test/test-cases/regression/variable-ENV.json
...
...
RUN: test/test-cases/regression/variable-ENV.json
=================================================

:test-result: PASS variable-ENV.json:Testing Variables :: ENV (1/3)

./regression_tests .././test/test-cases/regression/variable-ENV.json:1
:test-result: PASS variable-ENV.json:Testing Variables :: ENV (2/3)

./regression_tests .././test/test-cases/regression/variable-ENV.json:2
:test-result: PASS variable-ENV.json:Testing Variables :: ENV (3/3)

./regression_tests .././test/test-cases/regression/variable-ENV.json:3
...


(but there are other failed tests with pbuilder:

RUN: test/test-cases/regression/config-secremoterules.json
==========================================================

:test-result: FAIL config-secremoterules.json:Include remote rules

./regression_tests .././test/test-cases/regression/config-secremoterules.json:1
:test-result: FAIL config-secremoterules.json:Include remote rules - failed download (Abort)

./regression_tests .././test/test-cases/regression/config-secremoterules.json:2
:test-result: PASS config-secremoterules.json:Include remote rules - failed download (Warn)


This occurred, I guess, because I'm behind a proxy and didn't pass the http_proxy env to pbuilder.



./regression_tests .././test/test-cases/regression/operator-ipMatchFromFile.json:2
:test-result: FAIL operator-ipMatchFromFile.json:Testing Operator :: @ipMatchFromFile - https

./regression_tests .././test/test-cases/regression/operator-ipMatchFromFile.json:3

also could be caused by a network problem)


I can't reproduce your issue on amd64 arch.


Maybe this can help you, here is the output of ldd of the compiled shared object which was built in the regular system (not with pbuilder):

https://pastebin.com/svAjTek9

maybe some library is needed...?


regards,


a.
From: Alberto G. I. <ag...@in...> - 2018-10-19 08:57:14
Hi,

I'm happy to announce that the package for (lib)mod-security 3.x entered Debian unstable this week. But some issues arose in the testing suite with some/all of the architectures:

- In most of them this test fails:

./regression_tests .././test/test-cases/regression/variable-ENV.json:1
:test-result: FAIL variable-ENV.json:Testing Variables :: ENV (2/3)

- In some (i.e. s390) a bunch of ip matching rules tests fail [1]


You may see all the build logs here:
https://buildd.debian.org/status/package.php?p=modsecurity&suite=sid

Some help with these issues would be really appreciated.

Regards,

Alberto


[1]

./regression_tests .././test/test-cases/regression/operator-ipMatchFromFile.json:1
:test-result: PASS operator-ipMatchFromFile.json:Testing Operator :: @ipMatchFromFile - file not found

./regression_tests .././test/test-cases/regression/operator-ipMatchFromFile.json:2
:test-result: FAIL operator-ipMatchFromFile.json:Testing Operator :: @ipMatchFromFile - https

RUN: test/test-cases/secrules-language-tests/operators/ipMatch.json
===================================================================

:test-result: FAIL ipMatch 10.10.10.10
:test-result: PASS ipMatch 10.10.10.11
:test-result: FAIL ipMatch 10.10.10.11
:test-result: PASS ipMatch 10.10.7.254
:test-result: FAIL ipMatch 10.10.8.1
:test-result: PASS ipMatch 10.10.16.1
:test-result: FAIL ipMatch 10.10.15.254
:test-result: FAIL ipMatch 192.168.1.254
:test-result: PASS ipMatch 10.10.10.11
:test-result: FAIL ipMatch 156.149.152.152
:test-result: PASS ipMatch 10.10.10.11
:test-result: FAIL ipMatch 10.0.0.11
:test-result: FAIL ipMatch 10.10.10.11
:test-result: FAIL ipMatch 10.10.10.11

--
Alberto Gonzalez Iniesta | Training, consulting and technical support
mailto/sip: ag...@in... | in GNU/Linux and free software
Encrypted mail preferred | http://inittab.com

Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
From: Felipe C. <FC...@tr...> - 2017-07-19 14:09:23
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am very proud to announce ModSecurity version 2.9.2. In 2.9.2 we have some new features and bug fixes as well as two _security issues_ fixed.

This release, like all releases of the 2.9 family, is a combined release for all bindings/versions that we support: Apache, Nginx, and IIS. Although Nginx users preferably want to use libModSecurity [1] with the ModSecurity-nginx connector [2].

This is the last release of the 2.9.2 family which is likely to have new features, as this version is being slowly deprecated in favor of ModSecurity version 3.

In this release we’ve got two security issues fixed:

- Allan Boll reported an uninitialized variable that may lead to a crash on the Windows platform.
- Brian Adeloye reported an infinite loop in the version of libInjection used in ModSecurity 2.9.1.

Thanks to Allan Boll and Brian Adeloye for the security reports ;)

The complete list of changes is available in our change logs: https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.2

The source and binaries (and the respective hashes/signatures) are available at:
- - https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.2

Thanks to everybody who participated with bug reports, comments and code, including: @victorhora, @defanator, @client9, @bjdijk, @hideaki, @parthasarathi204, Daniel Stelter-Gliese, @LukeP21, @mturk, Coty Sutherland, Robert Bost, Marc Stern, @bazzadp, Sander Hoentjen, Robert Paprocki, @Rendername, @emphazer, Chaim Sanders, Thomas Deutschmann, Michael Kjeldsen, Armin Abfalterer, Robert Culyer, Ephraim Vider, @charlymps, Christian Folini, Alexey Sintsov.

[1] https://github.com/SpiderLabs/ModSecurity/tree/v3/master
[2] http://www.github.com/SpiderLabs/ModSecurity-nginx/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - https://gpgtools.org

iEYEARECAAYFAllufKgACgkQ5t+wjOixEndelgCghnMYdBQ26AXeRjmc1c8zNTbX
EE0AoJRqbAgSVJAjQus479ZopLKzNkJn
=oONS
-----END PGP SIGNATURE----- |
