[mod-security-packagers] Announcing ModSecurity release 3.0.11
From: Martin V. <Mar...@tr...> - 2023-12-07 14:48:01
ModSecurity is announcing the release of version 3.0.11. This version includes expirevar support as a new feature, and a mixture of enhancements and bug fixes.

The official release announcement can be found at https://www.trustwave.com/en-us/resources/security-resources/software-updates/announcing-modsecurity-version-3.0.11/

Security impacting issue
- Add WRDE_NOCMD to wordexp call [Issue #3024 - @sahruldotid, @martinhsv]

Note: Although this issue ostensibly allows for specially-crafted SecRule content to execute OS command-line commands when the rules are loaded, this is unlikely to be a serious issue in most deployments. A malicious actor who has access to modify the ModSecurity configuration of an installation can cause severe effects in a multitude of other ways.

New feature
- Add support for expirevar action [Issue #1803, #3001 - @martinhsv]

Enhancements and bug fixes
- Fix: validateDTD compile fails if libxml2 not installed [Issue #3014 - @zangobot, @martinhsv]
- Fix memory leak of validateDTD's dtd object [Issue #3008 - @martinhsv, @zimmerle]
- Fix memory leaks in ValidateSchema [Issue #3005 - @martinhsv, @zimmerle]
- Fix: lmdb regex match on non-null terminated string [Issue #2985 - @martinhsv]
- Fix memory leaks in lmdb code (new'd strings) [Issue #2983 - @martinhsv]
- Configure: add additional name to pcre2 pkg-config list [Issue #2939 - @agebhar1, @fzipi, @martinhsv]

Additional information on the release, including the source (and hashes/signatures), is available at: https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.11

Thanks to everybody who helped in this process: reporting issues, making comments and suggestions, sending patches, etc.
Martin Vierula
Senior Security Researcher - ModSecurity
www.trustwave.com
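The security-impacting fix above concerns POSIX `wordexp()`, which performs shell-style command substitution on its input unless `WRDE_NOCMD` is passed, in which case it fails with `WRDE_CMDSUB`. The following is an added example, not ModSecurity's own code; the helper name `expand_path_nocmd` and the sample paths are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <wordexp.h>

/* Hypothetical helper: expand a file pattern as a config loader might, but
 * refuse command substitution. Returns 0 and copies the first expanded word
 * into out; otherwise returns the wordexp() error code, or -1 if no fit. */
int expand_path_nocmd(const char *pattern, char *out, size_t outlen)
{
    wordexp_t we;
    memset(&we, 0, sizeof we);
    int rc = wordexp(pattern, &we, WRDE_NOCMD);
    if (rc != 0) {
        /* Only WRDE_NOSPACE can leave partial results behind. */
        if (rc == WRDE_NOSPACE)
            wordfree(&we);
        return rc;
    }
    if (we.we_wordc == 0 || strlen(we.we_wordv[0]) >= outlen) {
        wordfree(&we);
        return -1;
    }
    strcpy(out, we.we_wordv[0]);
    wordfree(&we);
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, not taken from any real rule set. */
    const char *samples[] = {
        "/opt/example/rules/base.conf",
        "/opt/example/rules/$(echo base).conf",
        "/opt/example/rules/`echo base`.conf",
    };
    char buf[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = expand_path_nocmd(samples[i], buf, sizeof buf);
        if (rc == 0)
            printf("ok       %s -> %s\n", samples[i], buf);
        else if (rc == WRDE_CMDSUB)
            printf("rejected %s (command substitution)\n", samples[i]);
        else
            printf("error %d  %s\n", rc, samples[i]);
    }
    return 0;
}
```

Without the flag, the second and third inputs would be handed to a shell during expansion, which is why the fix applies to paths read from rule files at load time.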