[mod-security-packagers] ModSecurity 2.5.9 (and 2.5.8) now available
From: Brian R. <Bri...@br...> - 2009-03-12 07:47:43
ModSecurity 2.5.9 is now available. The 2.5.8 release was delayed until the 2.5.9 version was ready due to a vulnerability disclosed after the 2.5.8 code freeze. For this reason, the 2.5.8 release should be disregarded in favor of 2.5.9.

Please note that I changed to my alternative key for signing these releases, as the previous key I used for signing expired. This key is available from most PGP/GPG key servers.

The 2.5.9 release fixes a potential DoS vulnerability discovered by "Internet Security Auditors" when parsing multipart requests, as well as a potential DoS vulnerability discovered in the PDF XSS protection engine (fixed in 2.5.8). Additionally, 2.5.9 cleans up the build process and adds a few features, including atomic updates of persistent counters and macro expansion of the append/prepend actions. It is highly recommended to upgrade to this 2.5.9 release.

Please see the blog post for more information on the vulnerabilities fixed in this release:

http://blog.modsecurity.org/2009/03/modsecurity-vulnerabilities-fixed.html

Packages can be downloaded via modsecurity.org as always. The complete change log is below...

2.5.9
-----
 * Fixed parsing multipart content with a missing part header name which
   would crash Apache. Discovered by "Internet Security Auditors"
   (isecauditors.com).
 * Added ability to specify the config script directly using --with-apr
   and --with-apu.
 * Updated copyright year to 2009.
 * Added macro expansion for append/prepend action.
 * Fixed race condition in concurrent updates of persistent counters.
   Updates are now atomic.
 * Cleaned up build, adding an option for verbose configure output and
   making the mlogc build more portable.

2.5.8
-----
 * Fixed PDF XSS issue where a non-GET request for a PDF file would
   crash the Apache httpd process. Discovered by Steve Grubb at Red Hat.
 * Removed an invalid "Internal error: Issuing "%s" for unspecified
   error." message that was logged when denying with nolog/noauditlog
   set and causing the request to be audited.

thanks,
-B

-- 
Brian Rectanus
Breach Security
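The first 2.5.9 changelog entry describes the failure mode that the multipart DoS fix addresses: a part whose Content-Disposition header carries no name parameter. The following is an added example, not ModSecurity's own parser or any code from the announcement above; it is a small multipart/form-data parser written to show how such a part should be handled, by recording the name as absent rather than assuming every part has one. The sample body and boundary string ("XBOUND") are constructed for the example.

```python
import re

# Constructed sample body: the second part deliberately has a
# Content-Disposition header with no name= parameter.
SAMPLE_BOUNDARY = b"XBOUND"
SAMPLE_BODY = (
    b"--XBOUND\r\n"
    b'Content-Disposition: form-data; name="user"\r\n'
    b"\r\n"
    b"alice\r\n"
    b"--XBOUND\r\n"
    b"Content-Disposition: form-data\r\n"        # missing name parameter
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"orphan\r\n"
    b"--XBOUND--\r\n"
)


def _param(header: bytes, key: bytes):
    """Extract a ;-separated parameter (quoted or bare) from a header value.
    Returns None when the parameter is absent instead of failing."""
    m = re.search(
        rb";\s*" + re.escape(key) + rb"\s*=\s*(?:\"([^\"]*)\"|([^;\s]*))", header
    )
    if not m:
        return None
    val = m.group(1) if m.group(1) is not None else m.group(2)
    return val.decode("utf-8", "replace")


def parse_multipart(body: bytes, boundary: bytes):
    """Parse a multipart/form-data body into a list of parts.

    Each part is {'name': str|None, 'filename': str|None, 'data': bytes}.
    Malformed framing raises ValueError; a part without a name parameter is
    kept with name=None so callers never dereference a missing name.
    """
    delim = b"--" + boundary
    chunks = body.split(delim)
    if len(chunks) < 2:
        raise ValueError("no boundary delimiter found")

    parts = []
    # chunks[0] is the preamble; the chunk starting with "--" is the epilogue.
    for chunk in chunks[1:]:
        if chunk.startswith(b"--"):
            break
        if not chunk.startswith(b"\r\n"):
            raise ValueError("delimiter not followed by CRLF")
        chunk = chunk[2:]

        head, sep, data = chunk.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("part has no header/body separator")
        # The CRLF before the next delimiter belongs to the framing, not the data.
        if data.endswith(b"\r\n"):
            data = data[:-2]

        headers = {}
        for line in head.split(b"\r\n"):
            if not line:
                continue
            key, colon, value = line.partition(b":")
            if not colon:
                raise ValueError("malformed part header line")
            headers[key.strip().lower()] = value.strip()

        disposition = headers.get(b"content-disposition", b"")
        parts.append({
            "name": _param(disposition, b"name"),
            "filename": _param(disposition, b"filename"),
            "data": data,
        })
    return parts


def unnamed_parts(parts):
    """Return the parts that arrived without a name parameter, so a caller
    can log or reject them explicitly instead of crashing on them."""
    return [p for p in parts if p["name"] is None]


if __name__ == "__main__":
    parsed = parse_multipart(SAMPLE_BODY, SAMPLE_BOUNDARY)
    for p in parsed:
        print(p["name"], p["filename"], p["data"])
    print("unnamed parts:", len(unnamed_parts(parsed)))
```

The point of the example is the None path: the parser separates "the name parameter is absent" from "the part is malformed", so the unnamed part is still surfaced to the caller (here via unnamed_parts) rather than being treated as an invariant violation.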