[mod-security-packagers] Announcing ModSecurity release 3.0.10
From: Martin V. <Mar...@tr...> - 2023-07-25 22:01:12
ModSecurity is pleased to announce the release of version 3.0.10. This version contains a mixture of enhancements and bug fixes.

The official release announcement will appear shortly at https://www.trustwave.com/en-us/resources/security-resources/software-updates/

There is also a separate blog post describing issue #2934 in more detail at https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modsecurity-v3-dos-vulnerability-in-four-transformations-cve-2023-38285/

Security impacting issue

- Fix: worst-case time in implementation of four transformations [Issue #2934 - @martinhsv]
  Poor worst-case performance in the transformations removeWhitespace, removeNull, replaceNull and removeCommentsChar could enable malicious individuals to cause some DoS effects. This item has been assigned CVE-2023-38285.

Enhancements and bug fixes

- Add TX synonym for MSC_PCRE_LIMITS_EXCEEDED [Issue #2901 - @airween]
- Make MULTIPART_PART_HEADERS accessible to lua [Issue #2916 - @martinhsv]
- Fix: Lua scripts cannot read whole collection at once [Issue #2900 - @udi-aharon, @airween, @martinhsv]
- Fix: quoted Include config with wildcard [Issue #2905 - @wiseelf, @airween, @martinhsv]
- Support isolated PCRE match limits [Issue #2736 - @brandonpayton, @martinhsv]
- Fix: meta actions not applied if multiMatch in first rule of chain [Issue #2867, #2868 - @mlevogiannis, @martinhsv]
- Fix: audit log may omit tags when multiMatch [Issue #2866 - @mlevogiannis]
- Exclude CRLF from MULTIPART_PART_HEADER value [Issue #2870 - @airween, @martinhsv]
- Configure: use AS_ECHO_N instead echo -n [Issue #2894 - @liudongmiao, @martinhsv]
- Adjust position of memset from 2890 [Issue #2891 - @mirkodziadzka-avi, @martinhsv]

Additional information on the release, including the source (and hashes/signatures), is available at: https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.10

Thanks to everybody who helped in this process: reporting issues, making comments and suggestions, sending patches, etc.

Martin Vierula
Senior Security Researcher - ModSecurity