[Mod-security-developers] ModSecurity version 2.9.0-RC1 released

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I am proud to announce our first release candidate for version 2.9.0.
The 2.9.0-RC1 contains fixes and new features.

The documentation is available in our wikipage:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual

The source and binaries (and the respective hashes) are available at:
https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.0-rc1

SHA256(modsecurity-2.9.0-RC1.tar.gz)= 1a061e09bc7e3218a80bc2004b7e87c8f3a382323b09633e060c16bea5e23098
SHA256(ModSecurityIIS_2.9.0-RC1-32b.msi)= 68cd286612ca7026442ec3c409f33a2eaca428d9bb7a297d23a19043f5c31360
SHA256(ModSecurityIIS_2.9.0-RC1-64b.msi)= 948ffeda98684c569c22da95d600aca7998f20a85c9345a56086e1a85c1d8ab7

We would like to thank you all that helped out making this release: comments,
bug reports, and pull requests.

The most important changes are listed bellow:

New features
============

* `pmFromFile' and `ipMatchFromFile' operators are now accepting HTTPS served
   files as parameter.
* `SecRemoteRules' directive - allows you to specify a HTTPS served file that
  may contain rules in the SecRule format to be loaded into your ModSecurity
  instance.
* `SecRemoteRulesFailAction' directive - allows you to control whenever the
  user wants to Abort or just Warn when there is a problem while downloading
  rules specified with the directive: `SecRemoteRules'.
* `fuzzyHash' operator - allows to match contents using fuzzy hashes.
* `FILES_TMP_CONTENT' collection - make available the content of uploaded
  files.
* InsecureNoCheckCert - option to validate or not a chain of SSL certificates
  on mlogc connections.

Bug fixes
=========

* ModSecurityIIS: ModSecurity event ID was changed from 0 to 0x1.
  [Issue #676 - Kris Kater and ModSecurity team]
* Fixed signature on "status call": ModSecurity is now using the original
  server signature.
  [Issues #702 - Linas and ModSecurity team]
* YAJL version is printed while ModSecurity initialization.
  [Issue #703 - Steffen (Apache Lounge) and Mauro Faccenda]
* Fixed subnet representation using slash notation on the @ipMatch operator.
  [Issue #706 - Walter Hop and ModSecurity team]
* Limited the length of a status call.
  [Issue #714 - 'cpanelkurt' and ModSecurity team]
* Added the missing -P option to nginx regression tests.
  [Issue #720 - Paul Yang]
* Fixed automake scripts to do not use features which will be deprecated in the
  upcoming releases of automake.
  [Issue #760 - ModSecurity team]
* apr-utils's LDFALGS is now considered while building ModSecurity.
  [Issue #782 - Daniel J. Luke]
* IIS installer is not considering IIS 6 as compatible anymore.
  [Issue #790 - ModSecurity team]
* Fixed yajl build script: now looking for the correct header file.
  [Issue #804 - 'rpfilomeno' and ModSecurity team]
* mlgoc is now forced to use TLS 1.x.
  [Issue #806 - Josh Amishav-Zlatin and ModSecurity team]

Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - https://gpgtools.org

iEYEARECAAYFAlRrRO0ACgkQ5t+wjOixEneDsQCfdQO7tsVdlBJB4bKQkRFzvpP+
m8EAn2ToUijuHIKpOm9yWdcwsuZ5yBW+
=80Ng
-----END PGP SIGNATURE-----

________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.