[mod-security-packagers] ModSecurity 2.5.10-dev1 Released
From: Brian R. <Bri...@br...> - 2009-07-27 23:43:57
Hello all,

I have released the first development release of ModSecurity 2.5.10 for testing. This release primarily fixes some build issues with 2.5.9 as well as some mlogc issues. Additionally, this release includes a development release of the Core Rule Set (CRS) v2.0 for testing (I'll let Ryan Barnett explain more on that in a later note, but please be sure to read the README and CHANGELOG for the rules before applying them).

Please test the release out on your development/test systems and let the list know if there are any issues.

You can download the release from SourceForge:

http://sourceforge.net/projects/mod-security/files/

Bugs fixed (see the roadmap):

https://www.modsecurity.org/tracker/browse/MODSEC

Changes:

* Allow mlogc to periodically flush memory pools.
* Using nolog,auditlog will now log the "Message:" line to the auditlog, but nothing to the error log. Prior versions dropped the "Message:" line from both logs. To do this now, just use "nolog" or "nolog,noauditlog".
* Forced mlogc to use SSLv3 to avoid some potential auto negotiation issues with some libcurl versions.
* Fixed mlogc issue seen on big endian machines where content type could be listed as zero.
* Removed extra newline from audit log message line when logging XML errors. This was causing problems parsing audit logs.
* Fixed @pm/@pmFromFile case insensitivity.
* Truncate long parameters in log message for "Match of ... against ... required" messages.
* Correctly resolve chained rule actions in logs.
* Cleanup some code for portability.
* AIX does not support hidden visibility with xlc compiler.
* Allow specifying EXTRA_CFLAGS during configure to override gcc specific values for non-gcc compilers.
* Populate GEO:COUNTRY_NAME and GEO:COUNTRY_CONTINENT as documented.
* Handle a newer geo database more gracefully, avoiding a potential crash for new countries that ModSecurity is not yet aware.
* Allow checking &GEO "@eq 0" for a failed @geoLookup.
* Fixed mlogc global mutex locking issue and added more debugging output.
* Cleaned up build dependencies and configure options.

--
Brian Rectanus
Breach Security