[mod-security-packagers] Announcing ModSecurity release 3.0.7
Brought to you by:
victorhora,
zimmerletw
From: Martin V. <Mar...@tr...> - 2022-05-30 23:53:11
|
ModSecurity is pleased to announce the release of version 3.0.7 (libModSecurity). This version contains a mixture of new features and bug fixes. New Features - Support PCRE2 [Issue #2668 - @martinhsv] PCRE2 is now available as an option in libModSecurity. Initially, this functionality will mostly be of interest to those already wishing to use a version of nginx that both supports PCRE2 and uses it by default. Some notes on version compatibility between ModSecurity, ModSecurity-nginx, and nginx are available at #2719 . - Support SecRequestBodyNoFilesLimit [Issue #2670 - @airween , @martinhsv] The SecRequestBodyNoFilesLimit configuration directive was already present in modsecurity.conf-recommended but was not functional. The value specified via this directive is now respected by the processing, so users may wish to review the current value of their setting when upgrading to v3.0.7. - Add ctl:auditEngine action support [Issue #2606 - @alekravch, @martinhsv] Support for the ctl:auditEngine action has been added with functionality comparable to v2: it allows a transaction-level override of the value normally specified by the SecAuditEngine configuration directive. Bug fixes - Move PCRE2 match block from member variable [@martinhsv] - Add SecArgumentsLimit, 200007 to modsecurity.conf-recommended [Issue #2738 - @jleproust, @martinhsv] - Fix memory leak when concurrent log includes REMOTE_USER [Issue #2727 - @liudongmiao] - Fix LMDB initialization issues [Issue #2688 - @ziollek @martinhsv] - Fix initcol error message wording [Issue #2732 - @877509395, @martinhsv] - Tolerate other parameters after boundary in multipart C-T [Issue #1900 - @martinhsv] - Add DebugLog message for bad pattern in rx operator [Issue #2723 - @martinhsv] - Fix misuses of LMDB API [Issue #2601, #2602 - @hyc] - Fix duplication typo in code comment [Issue #2677 - @gleydsonsoares] - Fix multiMatch msg, etc, population in audit log [Issue #2573 - @Sachin-M-Desai , @martinhsv ] - Fix some name handling for ARGS_*NAMES: regex SecRuleUpdateTargetById, etc. [Issue #2627, #2648 - @lontchianicet , @victorserbu2709 , @martinhsv] - Adjust confusing variable name in setRequestBody method [Issue #2635 - @Mesar-Ali , @martinhsv] - Multipart names/filenames may include single quote if double-quote enclosed [Issue #2352 - @martinhsv] - Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended [Issue #2647 - @theMiddleBlue , @airween , @877509395 , @martinhsv] Additional information on the release, including the source and binaries (and hashes/signatures) is available at: https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.7 The list of open issues is available on GitHub: https://github.com/SpiderLabs/ModSecurity/issues Thanks to everybody who helped in this process: reporting issues, making comments and suggestions, sending patches, etc. Martin Vierula Security Researcher - ModSecurity [cid:image001.png@01D8745C.9EFD6710] www.trustwave.com<http://www.trustwave.com/> Recognized by industry analysts as a leader in threat detection and response.<https://www.trustwave.com/company/about-us/accolades/> This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format. |