Re: [Mod-security-developers] 2.9.0-RC1 test results
From: Felipe C. <FC...@tr...> - 2014-12-15 19:24:36
Hi Walter,

Comments below...

> Okay, on to the problems I've found. All tests were on FreeBSD 10.0-p12
> with stack smashing protection, amd64, Apache 2.4.10 prefork, OpenSSL
> 1.0.1j, clang 3.3.
>
> 1) High prio: Remote resources fail with segfaults and other problems in
> @pmFromFile, @ipMatchFromFile and SecRemoteRules.
>
> https://gist.github.com/lifeforms/102f66246de8bd33a2ca

1.a) Crash

Fixed. That was a consequence of mod_ssl utilization. Now we are doing the OpenSSL Initialization globally, instead of an initialization and cleanup for every request.

1.b) Nonexisting files

Fixed. Now the HTTP error code is being taken into consideration.

> 2) High prio: Undiagnosed persistent crash.
>
> https://gist.github.com/lifeforms/4356643edfe8f39c2991

After upgrading the box, Walter was not able to reproduce the problem.

> 3) Medium prio: httpd crash on every request when using Lua 5.2. Working
> fine with Lua 5.1.
>
> https://gist.github.com/lifeforms/3ecc60c67012a053d060

That is something that also happens with oldest versions of ModSecurity. We have an issue opened regarding that (https://github.com/SpiderLabs/ModSecurity/issues/762); actually, it is more about making the installer smart enough to check the Lua versions. However, I believe that we have to support the newest version as well, thus I have just opened this new issue: https://github.com/SpiderLabs/ModSecurity/issues/814

> 4) Low prio: Apache log messages not prefixed with name. (Also present
> in earlier version)
>
> https://gist.github.com/lifeforms/4b41ae6464073ced39f5

"ModSecurity:" prefix was added.

> Since I don't know if it's a useful workflow to create github issues,
> I've put the long descriptions in gists for now, but of course I can
> submit them wherever you like.

That was just fine. Thank you again for your work. Very valuable report. The fixes are already on top of our master; there will be a -RC2 soon.

Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>