Hi Felipe,
Thanks for the work on this release!
My regression tests on FreeBSD are good, JSON logging works, Lua 5.1/5.2/5.3 works.
I plan to remove the hard dependency on Lua 5.1 in our port.
The only thing I found so far in the RC is that the audit log is a bit dirty with extra Apache-Error log lines. I created an issue for this: https://github.com/SpiderLabs/ModSecurity/issues/1073
I’ll give it a spin on some staging servers.
Br.!
WH
> On 03 Feb 2016, at 18:17, Felipe Costa <FC...@tr...> wrote:
>
> Hi,
>
> It is a pleasure to announce the first release candidate for ModSecurity
> version 2.9.1. The version 2.9.1-RC1 contains fixes and new features.
> The new features list includes audit logs in JSON format.
>
> I would like to thank all of you who participated in the construction of
> this release. A special thanks to the ones who sent patches and the ones
> who participated in the community meetings, which helped to increase the
> quality of our releases. Thank you.
>
> The documentation of the new features is already available on our wiki
> page: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual
>
> The source and binaries (and the respective hashes) are available at:
> https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.1-RC1
>
> The most important changes are listed below:
>
> * New features
>
> - Added support to generate audit logs in JSON format.
> [Issue #914, #897, #656 - Robert Paprocki]
> - Extended Lua support to include version 5.3
> [Issue #837, #762, #814 - Athmane Madjoudj and ModSecurity team]
> - mlogc: Allows user to choose between TLS versions (TLSProtocol option
> introduced).
> [Issue #881 - Ishwor Gurung]
> - Allows mod_proxy's "nocanon" behavior to be specified in proxy actions.
> [Issue #1031, #961, #763 - Mario D. Santana and ModSecurity team]
>
> * Bug fixes
>
> - Creating AuditLog serial file (or parallel index) respecting the
> permission configured with SecAuditLogFileMode. Previously, it was
> used only to save the transactions while in parallel mode.
> [Issue #852 - @littlecho and ModSecurity team]
> - Checking for hashing injection response, to report in case of failure.
> [Issue #1041 - ModSecurity team]
> - Stop buffering when the request is larger than SecRequestBodyLimit
> in ProcessPartial mode
> [Issue #709, #705, #728 - Justin Gerace and ModSecurity team]
> - Refactoring conditional #if/#defs directives.
> [Issue #996 - Wesley M and ModSecurity team]
> - mlogc-batch-load.pl.in: fix searching SecAuditLogStorageDir
> files with Apache 2.4
> [Issue #775 - Elia Pinto]
> - Understands IIS 10 as compatible on Windows installer.
> [Issue #931 - Anton Serbulov, Pavel Vasilevich and ModSecurity team]
> - Fix apache logging limitation by using correct Apache call.
> [Issue #840 - Christian Folini]
> - Fix apr_crypto.h check on 32-bit Linux platform
> [Issue #882, #883 - Kurt Newman]
> - Fix variable resolution duration (Content of the DURATION variable).
> [Issue #662 - Andrew Elble]
> - Fix crash while adding empty keys to persistent collections.
> [Issue #927 - Eugene Alekseev, Marc Stern and ModSecurity team]
> - Remove misguided call to srand()
> [Issues #778, #781 and #836 - Michael Bunk, @gilperon]
> - Fix compilation problem while ssdeep is installed in non-standard
> location.
> [Issue #872 - Kurt Newman]
> - Fix invalid storage reference by apr_psprintf at msc_crypt.c
> [Issue #609 - Jeff Trawick]
>
> * Known issues
>
> - Instabilities of nginx add-on are still expected. Please use the "nginx
> refactoring" branch and stay tuned for the ModSecurity version 3.
>
> Br.,
> Felipe "Zimmerle" Costa
> Lead Developer for ModSecurity
> Security Researcher, SpiderLabs
>
> Trustwave | SMART SECURITY ON DEMAND
> www.trustwave.com <http://www.trustwave.com/>
>
--
Walter Hop | PGP key: https://lifeforms.nl/pgp