[mod-security-users] ModSecurity version 3.0.0-rc1 announcement

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It is a great pleasure the announce the first official release candidate for
ModSecurity version 3.

For those who are not familiar with ModSecurity version 3 yet, the version 3
was an `re-architecturization' of ModSecurity version 2. The goal was to turn
ModSecurity into a library, that could be used seamlessly: Regardless of web
server or platform. The motivations for ModSecurity version 3 was summarized
in details here: [1]

This release candidate marks the end of the first development cycle of
ModSecurity version 3. It is now considerable stable to work with both:
Trustwave Commercial Rules [2] and OWASP CRS [3].

Notice that differently from version 2, ModSecurity v3 does not target any
specific web server or web server version. The version 3 is about a library.
The connectors are the ones responsible to create this link between the web
server and libModSecurity. Each web server should have its own connector.
Currently we support the Nginx connector and there is a Apache connector
available for test (not yet released).

IMPORTANT: ModSecurity version 2 will be available and maintained parallel
to version 3. There is not EAT to deprecate the version 2.x. Version 2 and
version 3 has a completely independent development/release cycle.

This release does not contains a changelog as it aims to implement the core
capabilities and most widely used functionalities of version 2, with a
different architecture. 

Thanks to everybody who helped in this process: reporting issues, making
comments and suggestions, sending patches and so on.

Further information about this release is available here: [4].

* A word about stability

ModSecurity version 3 is new and it may not be vastly tested as version 2,
however, the testability of version 3 had a very good improvement on the top of
version 2. Further details on our QA can be checked here: Fuzzing ModSecurity
version 3 as part of the QA [5]

* Are you having an issue? We will be glad to fix it!

If you find something out of order, make sure you open an issue on GitHub, it
will be a pleasure to help you. Direct contributions in the form of pull
requests for fixes or new features are always also greatly appreciated.

* Compilation

Further details on the compilation process for ModSecurity v3, can be found on
the project README:
 - https://github.com/SpiderLabs/ModSecurity/tree/v3/master#compilation

Complementary documentation for the connectors are available here:
 - nginx: https://github.com/SpiderLabs/ModSecurity-nginx/#compilation
 - Apache: https://github.com/SpiderLabs/ModSecurity-apache/#compilation

* libModSecurity training (AppSec USA)

If you want to hangout and talk about ModSecurity, meet Victor and Felipe on
APPSec USA, we will be there for the entire event. Not to mention that there
will be a hands on training [6] using ModSecurity version 3 and nginx.

[1] https://www.trustwave.com/Resources/SpiderLabs-Blog/An-Overview-of-the-Upcoming-libModSecurity/
[2] https://modsecurity.org/commercial-rules.html
[3] https://github.com/SpiderLabs/owasp-modsecurity-crs
[4] https://github.com/SpiderLabs/ModSecurity/wiki/ModSecurity-version-3-RC1
[5] https://www.trustwave.com/Resources/SpiderLabs-Blog/ModSecurity-version-3--Fuzzing-as-part-of-the-QA
[6] https://appsecusa2017.sched.com/event/B2VV

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - https://gpgtools.org

iF0EARECAB0WIQQZDvrMoen6RmqOzZzm37CM6LESdwUCWaQFIQAKCRDm37CM6LES
dwHUAJ9APAGlY2HIOo0iHsmpbwwW90u/hACfdCFWOLfCxVb5blO0yMrMsgxbLp8=
=T/Pj
-----END PGP SIGNATURE-----