[mod-security-packagers] Announcing ModSecurity releases 2.9.5 and 3.0.6
From: Martin V. <Mar...@tr...> - 2021-11-23 01:12:37
ModSecurity is announcing the release of versions 2.9.5 and 3.0.6. Each of these releases contains only one notable change when compared with their respective predecessors.

A researcher identified a scenario where JSON-formatted HTTP request bodies with very large parsing depth could be used to enable a DoS attack. Both the v2 and v3 branches have been updated to address the issue by providing a configurable limit on the maximum parsing depth.

The change entries in the releases are as follows:

v3.0.6:
Security issue - Support configurable limit on depth of JSON parsing (possible DoS issue) [@theMiddleBlue, @martinhsv]

v2.9.5:
Security issue - Support configurable limit on depth of JSON parsing (possible DoS issue) [@theMiddleBlue, @airween, @dune73, @martinhsv]

A blog post with additional detail is expected to be posted at https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/ within a day. A new issue is also planned for https://github.com/SpiderLabs/ModSecurity/issues to provide a summary.

Links to the GitHub releases, which include the change list and source (and related hashes and signatures), are:

https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.6
https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.5

Releases of ModSecurity 2.9.x are normally accompanied by IIS assets; however, these are not yet available and are expected to be published separately in a few days.

Martin Vierula
Security Researcher - ModSecurity
www.trustwave.com
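The mitigation the announcement describes, a configurable cap on JSON nesting depth enforced before a full parse, as an added C example that is not ModSecurity's own code: the scanner counts `{`/`[` nesting outside string literals and rejects the body as soon as the configured limit is exceeded, so a deeply nested body is refused in one linear pass instead of driving a recursive parser. The limit value, result codes and sample bodies are constructed for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of the pre-parse depth check (constructed result codes). */
enum json_depth_result { JSON_DEPTH_OK = 0, JSON_DEPTH_EXCEEDED = 1, JSON_DEPTH_UNBALANCED = 2 };

/* Single-pass scan of a raw JSON body. Returns JSON_DEPTH_EXCEEDED as soon as
 * nesting goes past max_depth, without parsing the rest of the body. Brackets
 * inside string literals (including escaped quotes) are ignored so that a
 * value such as "[[[" is not miscounted as nesting. On return, *observed holds
 * the deepest level seen (or the level at which the scan stopped). */
enum json_depth_result json_check_depth(const char *body, size_t len,
                                        unsigned max_depth, unsigned *observed)
{
    unsigned depth = 0, peak = 0;
    int in_string = 0, escaped = 0;
    for (size_t i = 0; i < len; i++) {
        char c = body[i];
        if (in_string) {                       /* skip string contents verbatim */
            if (escaped) escaped = 0;
            else if (c == '\\') escaped = 1;
            else if (c == '"') in_string = 0;
            continue;
        }
        switch (c) {
        case '"': in_string = 1; break;
        case '{': case '[':
            if (++depth > max_depth) { if (observed) *observed = depth; return JSON_DEPTH_EXCEEDED; }
            if (depth > peak) peak = depth;
            break;
        case '}': case ']':
            if (depth == 0) { if (observed) *observed = peak; return JSON_DEPTH_UNBALANCED; }
            depth--;
            break;
        default: break;
        }
    }
    if (observed) *observed = peak;
    return depth == 0 ? JSON_DEPTH_OK : JSON_DEPTH_UNBALANCED;
}

/* Helper: peak nesting depth of a well-formed body, 0 if brackets are unbalanced. */
unsigned json_peak_depth(const char *body, size_t len)
{
    unsigned d = 0;
    return json_check_depth(body, len, UINT_MAX, &d) == JSON_DEPTH_OK ? d : 0;
}

int main(void)
{
    /* Constructed sample bodies, not taken from the advisory. */
    const char *benign = "{\"user\":{\"tags\":[\"a\",\"[[[not nesting]]]\"]}}";
    char hostile[2001];
    memset(hostile, '[', 2000); hostile[2000] = '\0';   /* 2000 nested arrays */
    unsigned d = 0;
    printf("benign:  result=%d peak_depth=%u\n", json_check_depth(benign, strlen(benign), 32, &d), d);
    printf("hostile: result=%d stopped_at=%u\n", json_check_depth(hostile, strlen(hostile), 32, &d), d);
    return 0;
}
```

With a limit of 32 the benign body reports a peak depth of 3, while the 2000-level body is rejected at depth 33 without the remaining 1967 levels ever being examined.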