[mod-security-users] OWASP ModSecurity Core Rule Set v3.2.0-RC3
From: Walter H. <mo...@sp...> - 2019-09-19 16:08:14
Dear all,

The OWASP ModSecurity Core Rule Set team is proud to announce the general availability of release candidate 3 for the upcoming CRS v3.2.0.

The new release is available at:

* https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.2.0-rc3.zip
* https://github.com/SpiderLabs/owasp-modsecurity-crs/archive/v3.2.0-rc3.tar.gz

Changes in RC3 compared to RC2 are:

* Add .swp to default restricted_extensions (Andrea Menin)
* Avoid php leak false positive with WOFF files (Manuel Spartan)
* Java: change tag from COMMAND_INJECTION to JAVA_INJECTION (Manuel Spartan)
* 941380: fix anomaly score variable (Franziska Bühler)
* 942510, 942511: fix anomaly score variable (Walter Hop)
* As per the ref manual, it is compressWhitespace (Federico G. Schwindt)
* Tests: fix failing regression tests (Ervin Hegedus)
* Tests: fix YAML 1.2 compliance with "true" (Federico G. Schwindt)
* INSTALL: advise to use release zips, remove upgrade.py, update Nginx (Walter Hop)

This release represents a very big step forward in terms of both capabilities and protections, including:

* Improved compatibility with ModSecurity 3.x
* Improved CRS docker container that is fully configurable at creation
* Expanded Java RCE blacklist
* Expanded unix shell RCE blacklist
* Improved PHP RCE detection
* New javascript/Node.js RCE detection
* Expanded LFI blacklists
* Added XenForo rule exclusion profile
* Fixes for many false positives and bypasses
* Detection of more security scanners
* Regexp performance improvements, preventing ReDoS in most cases

Please see the CHANGES document with around 160 entries for a detailed list of new features and improvements.
https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.2.0-rc3/CHANGES

Our desire is to see the Core Rule Set project used as a baseline security feature, effectively protecting from OWASP TOP 10 risks with few side effects. As such we attempt to cut down on false positives as much as possible in the default install.
The release candidates offer an opportunity for individuals to provide feedback and to report any issue they face with this release. We will then try and fix them for the upcoming full release.

Please use the CRS GitHub (https://github.com/SpiderLabs/owasp-modsecurity-crs), our Slack channel (#coreruleset on owasp.slack.com), or the Core Rule Set mailing list to tell us about your experiences, including false positives or other issues with this release candidate.

Our current timeline is to make the final release on September 24.

We look forward to hearing your feedback!

Sincerely,
Walter Hop
Release manager, on behalf of the Core Rule Set development team