[mod-security-packagers] Announcing ModSecurity releases 2.9.6 and 3.0.8
From: Martin V. <Mar...@tr...> - 2022-09-08 21:41:49
ModSecurity is announcing the release of versions 2.9.6 and 3.0.8.

Each of these releases contains a mixture of new features and bug fixes.

Additional information regarding 'New features and security impacting issues' is expected to be posted at https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/ beginning within a day or so.

v2.9.6:

New features and security impacting issues
- Adjust parser activation rules in modsecurity.conf-recommended [Issue #2799 - @terjanq, @martinhsv]
- Multipart parsing fixes and new MULTIPART_PART_HEADERS collection [Issue #2797 - @terjanq, @martinhsv]

Bug fixes
- Limit rsub null termination to where necessary [Issue #2794 - @marcstern, @martinhsv]
- IIS: Update dependencies for next planned release [@martinhsv]
- XML parser cleanup: NULL duplicate pointer [Issue #2760 - @martinhsv]
- Properly cleanup XML parser contexts upon completion [Issue #2239 - @argenet]
- Fix memory leak in streams [Issue #2208 - @marcstern, @vloup, @JamesColeman-LW]
- Fix: negative usec on log line when data type long is 32b [Issue #2753 - @ABrauer-CPT, @martinhsv]
- mlogc log-line parsing fails due to enhanced timestamp [Issue #2682 - @bozhinov, @ABrauer-CPT, @martinhsv]
- Allow no-key, single-value JSON body [Issue #2735 - @marcstern, @martinhsv]
- Set SecStatusEngine Off in modsecurity.conf-recommended [Issue #2717 - @un99known99, @martinhsv]
- Fix memory leak that occurs on JSON parsing error [Issue #2236 @argenet, @vloup, @martinhsv]
- Multipart names/filenames may include single quote if double-quote enclosed [Issue #2352 @martinhsv]
- Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended [Issue #2647 @theMiddleBlue, @airween, @877509395, @martinhsv]

v3.0.8:

New features and security impacting issues
- Adjust parser activation rules in modsecurity.conf-recommended [Issue #2796 - @terjanq, @martinhsv]
- Multipart parsing fixes and new MULTIPART_PART_HEADERS collection [Issue #2795 - @terjanq, @martinhsv]

Bug fixes
- Prevent LMDB related segfault [Issue #2755, #2761 - @dvershinin]
- Fix msc_transaction_cleanup function comment typo [Issue #2788 - @lookat23]
- Fix: MULTIPART_INVALID_PART connected to wrong internal variable [Issue #2785 - @martinhsv]
- Restore Unique_id to include random portion after timestamp [Issue #2752, #2758 - @datkps11, @martinhsv]

Links to the GitHub releases, which include the change list and source (and related hashes and signatures), are:

https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.8
https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.6

Martin Vierula
Senior Security Researcher - ModSecurity