Re: [Mod-security-developers] [mod-security-packagers] ModSecurity version 2.9.1-rc1 announcement

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

OOC, do we have a timeline for when the final non-RC 2.9.1 will be released?

On Thu, Feb 11, 2016 at 4:00 AM, Felipe Costa <FC...@tr...> wrote:

> Hi Walter,
>
> Thanks for testing the release candidate. I will investigate this issue.
>
> Br.,
>
> *Felipe “Zimmerle” Costa   *
>
> Security Researcher, Lead Developer ModSecurity.
>
>
>
> *Trustwave* | SMART SECURITY ON DEMAND
>
> www.trustwave.com
>
>
> From: Walter Hop <mo...@sp...>
> Reply-To: "mod...@li..." <
> mod...@li...>
> Date: Wednesday, February 10, 2016 at 7:00 PM
> To: "mod...@li..." <
> mod...@li...>
> Subject: Re: [Mod-security-developers] [mod-security-packagers]
> ModSecurity version 2.9.1-rc1 announcement
>
> Hi Felipe,
>
> Thanks for the work on this release!
> My regression tests on FreeBSD are good, JSON logging works, Lua
> 5.1/5.2/5.3 works.
> I plan to remove the hard dependency on Lua 5.1 in our port.
>
> The only thing I found so far in the RC is that the audit log is a bit
> dirty with extra Apache-Error log lines. I created an issue for this:
> https://github.com/SpiderLabs/ModSecurity/issues/1073
> <http://scanmail.trustwave.com/?c=4062&d=jbO71gdwAetcb6IAI0EZpNARBiQ_X980aZKvVhWNow&s=5&u=https%3a%2f%2fgithub%2ecom%2fSpiderLabs%2fModSecurity%2fissues%2f1073>
>
> I’ll give it a spin on some staging servers.
>
> Br.!
> WH
>
>
> On 03 Feb 2016, at 18:17, Felipe Costa <FC...@tr...> wrote:
>
> Signed PGP part
> Hi,
>
> It is a pleasure to announce the first release candidate for ModSecurity
> version 2.9.1. The version 2.9.1-RC1 contains fixes and new features.
> The new features list includes audit logs in JSON format.
>
> I would like to thank you all, that participate in the construction of
> this release. A special thanks to the ones who sent patches and the ones
> who participated on the community meetings, which helped to increase the
> quality of our releases. Thank you.
>
> The documentation of the new features is already available on our wiki
> page: https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual
> <http://scanmail.trustwave.com/?c=4062&d=jbO71gdwAetcb6IAI0EZpNARBiQ_X980ac6qVUPYpQ&s=5&u=https%3a%2f%2fgithub%2ecom%2fSpiderLabs%2fModSecurity%2fwiki%2fReference-Manual>
>
> The source and binaries (and the respective hashes) are available at:
> https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.1-RC1
> <http://scanmail.trustwave.com/?c=4062&d=jbO71gdwAetcb6IAI0EZpNARBiQ_X980aZWvB0GO8g&s=5&u=https%3a%2f%2fgithub%2ecom%2fSpiderLabs%2fModSecurity%2freleases%2ftag%2fv2%2e9%2e1-RC1>
>
> The most important changes are listed bellow:
>
> * New features
>
> - Added support to generate audit logs in JSON format.
>    [Issue #914, #897, #656 - Robert Paprocki]
> - Extended Lua support to include version 5.3
>    [Issue #837, #762, #814 - Athmane Madjoudj and ModSecurity team]
> - mlogc: Allows user to choose between TLS versions (TLSProtocol option
>    introduced).
>    [Issue #881 - Ishwor Gurung]
> - Allows mod_proxy's "nocanon" behavior to be specified in proxy actions.
>    [Issue #1031, #961, #763 - Mario D. Santana and ModSecurity team]
>
> * Bug fixes
>
> - Creating AuditLog serial file (or parallel index) respecting the
>    permission configured with SecAuditLogFileMode. Previously, it was
>    used only to save the transactions while in parallel mode.
>    [Issue #852 - @littlecho and ModSecurity team]
> - Checking for hashing injection response, to report in case of failure.
>    [Issue #1041 - ModSecurity team]
> - Stop buffering when the request is larger than SecRequestBodyLimit
>    in ProcessPartial mode
>    [Issue #709, #705, #728 - Justin Gerace and ModSecurity team]
> - Refactoring conditional #if/#defs directives.
>    [Issue #996 - Wesley M and ModSecurity team]
> - mlogc-batch-load.pl.in: fix searching SecAuditLogStorageDir
>    files with Apache 2.4
>    [Issue #775 - Elia Pinto]
> - Understands IIS 10 as compatible on Windows installer.
>    [Issue #931 - Anton Serbulov, Pavel Vasilevich and ModSecurity team]
> - Fix apache logging limitation by using correct Apache call.
>    [Issue #840 - Christian Folini]
> - Fix apr_crypto.h check on 32-bit Linux platform
>    [Issue #882, #883 - Kurt Newman]
> - Fix variable resolution duration (Content of the DURATION variable).
>    [Issue #662 - Andrew Elble]
> - Fix crash while adding empty keys to persistent collections.
>    [Issue #927 - Eugene Alekseev, Marc Stern and ModSecurity team]
> - Remove misguided call to srand()
>    [Issues #778, #781 and #836 - Michael Bunk, @gilperon]
> - Fix compilation problem while ssdeep is installed in non-standard
>    location.
>    [Issue #872 - Kurt Newman]
> - Fix invalid storage reference by apr_psprintf at msc_crypt.c
>    [Issue #609 - Jeff Trawick]
>
> * Known issues
>
> - Instabilities of nginx add-on are still expected. Please use the "nginx
>    refactoring" branch and stay tuned for the ModSecurity version 3.
>
> Br.,
> Felipe "Zimmerle" Costa
> Lead Developer for ModSecurity
> Security Researcher, SpiderLabs
>
> Trustwave | SMART SECURITY ON DEMAND
> www.trustwave.com <http://www.trustwave.com/>
>
>
> --
> Walter Hop | PGP key: https://lifeforms.nl/pgp
> <http://scanmail.trustwave.com/?c=4062&d=jbO71gdwAetcb6IAI0EZpNARBiQ_X980acH4BxWK9g&s=5&u=https%3a%2f%2flifeforms%2enl%2fpgp>
>
>
> ------------------------------
>
> This transmission may contain information that is privileged,
> confidential, and/or exempt from disclosure under applicable law. If you
> are not the intended recipient, you are hereby notified that any
> disclosure, copying, distribution, or use of the information contained
> herein (including any reliance thereon) is strictly prohibited. If you
> received this transmission in error, please immediately contact the sender
> and destroy the material in its entirety, whether in electronic or hard
> copy format.
>
>
> ------------------------------------------------------------------------------
> Site24x7 APM Insight: Get Deep Visibility into Application Performance
> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
> Monitor end-to-end web transactions and take corrective actions now
> Troubleshoot faster and improve end-user experience. Signup Now!
> http://pubads.g.doubleclick.net/gampad/clk?id=272487151&iu=/4140
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
>