[mod-security-users] [ANNOUNCE] mod_security 1.8.6 released
From: Ivan R. <iv...@we...> - 2004-11-05 12:53:23
Mod_security 1.8.6 has been released. It is available for immediate
download from:

http://www.modsecurity.org/download/

This maintenance release resolves several minor problems discovered in
1.8.5. A minor improvement was made to make detection-only deployment of
mod_security easier. Please see the changes below for more details.

About mod_security
------------------

Mod_security is an Apache module whose purpose is to protect vulnerable
applications and reject human or automated attacks. It is an open source
intrusion detection and prevention system for Apache. In addition to
request filtering, it also creates Web application audit logs.

Requests are filtered using regular expressions. Some of the things
possible are:

* Apply filters against any part of the request (URI, headers, either
  GET or POST)
* Apply filters against individual parameters
* Reject SQL injection attacks
* Reject Cross site scripting attacks

With a few general rules mod_security can protect from both known and
unknown vulnerabilities.

Changes (v1.8.6)
----------------

* Made changes to accommodate those who only want to operate in
  detection mode. Validation checks (e.g. byte range) are now performed
  only at the beginning of request processing (by mod_security, not
  Apache). At the same time I have expanded the validation checks to
  include request headers as well, which means all request data will be
  validated. Normalisation (e.g. URL decoding, and other anti-evasion
  actions) is still performed for every variable in a rule, as usual.

  There is one constraint to keep in mind for detection-only
  deployments, though. A non-fatal default action (e.g. "log,pass") is
  not allowed in the initialization phase. All validation problems will
  result in the request being rejected. Therefore the only way to
  operate in a fully transparent detection mode is to turn off implicit
  validation options (URL decoding, Unicode, byte range, cookie format
  validation).

* BUG Fixed the broken "skip" action.

* BUG Fixed a problem with file interception (when either file storage
  or approval is enabled) that used to occur with IE.

* BUG I introduced a new bug to 1.8.5 while fixing a bug from 1.8.4.
  Uploading a file larger than the memory buffer would cause the
  approval phase to be skipped altogether (Apache 2 only). Fixed.

--
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]
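The detection-only constraint described in the announcement (a non-fatal default action is not honoured by the implicit validation checks, so those checks must be switched off for a fully transparent deployment) is illustrated below with an Apache configuration fragment. This is an added example, not configuration from the announcement or from the ModSecurity project; the directive names are the ModSecurity 1.x directives as the editor recalls them (SecFilterEngine, SecFilterDefaultAction, SecFilterCheckURLEncoding, SecFilterCheckUnicodeEncoding, SecFilterForceByteRange, SecFilterCheckCookieFormat, SecFilterScanPOST, SecAuditEngine, SecAuditLog, SecFilterSelective) and the log paths and the sample rule are assumptions chosen for the example.

```apache
# --- Blocking deployment (the behaviour the announcement warns about) ---
# With the implicit validation checks enabled, a request that fails
# byte-range, URL-encoding, Unicode or cookie-format validation is
# rejected at the start of request processing regardless of the
# non-fatal default action below. "log,pass" only governs rule matches.
#
# <IfModule mod_security.c>
#     SecFilterEngine On
#     SecFilterDefaultAction "log,pass"
#     SecFilterCheckURLEncoding On
#     SecFilterCheckUnicodeEncoding On
#     SecFilterForceByteRange 32 126      # printable ASCII only: fails reject
#     SecFilterCheckCookieFormat On
# </IfModule>

# --- Detection-only deployment, per the 1.8.6 release notes ---
# Every implicit validation option is turned off, so no request is
# rejected in the initialization phase; rule matches are logged and
# passed through, and the audit log records the full transaction for
# review. (Directive names and paths are assumptions for this example.)
<IfModule mod_security.c>
    SecFilterEngine On

    # Non-fatal default: matches are logged but the request continues.
    SecFilterDefaultAction "log,pass"

    # Disable the implicit validation checks that would otherwise reject
    # malformed requests before any rule runs.
    SecFilterCheckURLEncoding Off
    SecFilterCheckUnicodeEncoding Off
    SecFilterForceByteRange 0 255       # full byte range: nothing is rejected
    SecFilterCheckCookieFormat Off

    # Normalisation still applies to every variable a rule inspects, and
    # POST bodies are scanned so detection coverage matches a blocking setup.
    SecFilterScanPOST On

    # Audit logging is what makes detection-only mode useful: every
    # relevant request is written out for later analysis and rule tuning.
    SecAuditEngine RelevantOnly
    SecAuditLog logs/modsec_audit_log          # assumed path

    # Example detection rule (assumed pattern): a directory-traversal
    # sequence in any request argument. It inherits "log,pass", so the
    # match is recorded in the audit log without affecting the response.
    SecFilterSelective ARGS "\.\./"
</IfModule>
```

When the tuning period is over and the audit log shows no false positives, the same file becomes a blocking deployment by changing the default action to a fatal one (for example "deny,log,status:403") and re-enabling the validation checks one at a time, watching the audit log after each change.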