[mod-security-users] ModSecurity 2.9.6 and 3.0.8 released
From: Christian F. <chr...@ne...> - 2022-09-09 08:18:01
Dear all,

Trustwave Spiderlabs has released ModSecurity 2.9.6 and ModSecurity / libModSecurity 3.0.8.

https://www.trustwave.com/en-us/resources/security-resources/software-updates/announcing-modsecurity-versions-308-and-296/

They did not announce this in this mailing list, though, and they also confirmed they have no intention to do so.

Reading through the release notes does not really make it clear this is a security release. Being familiar with all the weaknesses in question, I assure you this is grave. Please update your servers.

Please note that the modsecurity recommended rules that pick the request body processor will also have to be updated.

A very convenient change in this release is that single quotes in double-quoted multipart file upload filenames will no longer trigger a body processor error. French and Italian users will welcome this in particular.

The OWASP ModSecurity Core Rule Set team has made sure these changes make it into the stable Debian release and will be picked up by other distributions from there. (This is fairly political since distros tend to refuse updates unless there is a CVE involved.)

OWASP CRS will also issue a security update to the 3.2.x and v3.2.x release line to complement the changes in the engine. We tried to be really fast after the ModSecurity release but being late is better than a broken release and we are still testing. Expect these releases next week.

I am running a ModSecurity / CRS webcast next Tuesday, 2pm CET. You can sign up here: https://www.meetup.com/meetup-group-ungjkskv/events/287901911/

I will cover (some of) the weaknesses in this ModSecurity update in this first edition of this new format. Tune in when you want to understand what this is all about.

Best regards,

Christian

--
No one is born hating another person because of the colour of his skin, or his background, or his religion. People must learn to hate, and if they can learn to hate, they can be taught to love, for love comes more naturally to the human heart than its opposite.
-- Nelson Mandela