Thread: [Mod-security-developers] ModSecurity version 2.9.0-RC1 released
From: Felipe C. <FC...@tr...> - 2014-11-18 13:34:17
Hi,

I am proud to announce our first release candidate for version 2.9.0.
The 2.9.0-RC1 contains fixes and new features.

The documentation is available in our wiki page:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual

The source and binaries (and the respective hashes) are available at:
https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.0-rc1

SHA256(modsecurity-2.9.0-RC1.tar.gz)= 1a061e09bc7e3218a80bc2004b7e87c8f3a382323b09633e060c16bea5e23098
SHA256(ModSecurityIIS_2.9.0-RC1-32b.msi)= 68cd286612ca7026442ec3c409f33a2eaca428d9bb7a297d23a19043f5c31360
SHA256(ModSecurityIIS_2.9.0-RC1-64b.msi)= 948ffeda98684c569c22da95d600aca7998f20a85c9345a56086e1a85c1d8ab7

We would like to thank all of you who helped make this release: comments,
bug reports, and pull requests.

The most important changes are listed below:

New features
============

* `pmFromFile' and `ipMatchFromFile' operators now accept HTTPS-served files
  as parameter.
* `SecRemoteRules' directive - allows you to specify an HTTPS-served file that
  may contain rules in the SecRule format to be loaded into your ModSecurity
  instance.
* `SecRemoteRulesFailAction' directive - allows you to control whether the
  user wants to Abort or just Warn when there is a problem while downloading
  rules specified with the `SecRemoteRules' directive.
* `fuzzyHash' operator - allows matching contents using fuzzy hashes.
* `FILES_TMP_CONTENT' collection - makes the content of uploaded files
  available.
* InsecureNoCheckCert - option to validate or not the chain of SSL certificates
  on mlogc connections.

Bug fixes
=========

* ModSecurityIIS: ModSecurity event ID was changed from 0 to 0x1.
  [Issue #676 - Kris Kater and ModSecurity team]
* Fixed signature on "status call": ModSecurity is now using the original
  server signature.
  [Issue #702 - Linas and ModSecurity team]
* YAJL version is printed during ModSecurity initialization.
  [Issue #703 - Steffen (Apache Lounge) and Mauro Faccenda]
* Fixed subnet representation using slash notation on the @ipMatch operator.
  [Issue #706 - Walter Hop and ModSecurity team]
* Limited the length of a status call.
  [Issue #714 - 'cpanelkurt' and ModSecurity team]
* Added the missing -P option to nginx regression tests.
  [Issue #720 - Paul Yang]
* Fixed automake scripts to not use features which will be deprecated in the
  upcoming releases of automake.
  [Issue #760 - ModSecurity team]
* apr-util's LDFLAGS are now considered while building ModSecurity.
  [Issue #782 - Daniel J. Luke]
* IIS installer no longer considers IIS 6 as compatible.
  [Issue #790 - ModSecurity team]
* Fixed yajl build script: now looking for the correct header file.
  [Issue #804 - 'rpfilomeno' and ModSecurity team]
* mlogc is now forced to use TLS 1.x.
  [Issue #806 - Josh Amishav-Zlatin and ModSecurity team]

Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com
From: Walter H. <mo...@sp...> - 2014-11-18 21:29:14
Thanks for the work! 2.9.0-RC1 built without problems on FreeBSD 10.x (well, some clang warnings if anybody's interested) and it passes 'make test' and our internal regression test; however, I have problems running run-regression-tests.pl (which was also the case in the last version).

If there are FreeBSD users on the lists, I would invite you to try the preliminary 2.9.0.r1 version of the FreeBSD port. It would be especially interesting if you are running ARM/sparc.

If you are starting from a clean install that has no Apache or ports tree, do this first:

  # pkg install apache24 git
  # portsnap fetch extract
  # echo 'DEFAULT_VERSIONS=apache=2.4' >> /etc/make.conf
  # echo 'apache24_enable=YES' >> /etc/rc.conf
  # apachectl start

Get the 2.9.0.r1 version of the port and install it:

  # git clone -b 2.9.0 https://github.com/lifeforms/mod_security.git
  # cd mod_security
  # make install

When done, this should display configuration hints and the location of a README file with more info. Follow the instructions on your terminal, or just do this:

  # echo 'LoadModule security2_module libexec/apache24/mod_security2.so' >> /usr/local/etc/apache24/httpd.conf
  # echo 'Include etc/modsecurity/*.conf' >> /usr/local/etc/apache24/httpd.conf
  # apachectl restart
  # tail /var/log/httpd-error.log

You should see ModSecurity startup messages there.

The above also works for Apache 2.2; just replace all '4' characters in this message with '2'.

Comments on the README are appreciated. I plan to add a port option that will automatically install a recent branch of the CRS, but that will likely be for a different update.

Cheers,
WH

--
Walter Hop | PGP key: https://lifeforms.nl/pgp
From: Felipe C. <FC...@tr...> - 2014-11-19 17:48:36
Hi Walter,

Thanks for the package and thanks for testing. Your feedback is very important. Comments below.

> From: Walter Hop <mo...@sp...>
> Date: Tuesday, November 18, 2014 18:29
>
> 2.9.0-RC1 built without problems on FreeBSD 10.x (well, some clang warnings if
> anybody's interested) and it passes 'make test' and our internal regression
> test, however I have problems running run-regression-tests.pl
> (which was also the case in the last version).

Yes, we want to reduce the number of warnings to "0". We have an issue on GitHub to track our progress:
https://github.com/SpiderLabs/ModSecurity/issues/631

The issue has a reference to a Google Spreadsheet that contains some numbers. As you can see, I need to update those values.

What kind of problems did you face while running `run-regression-tests.pl'? I know that `run-regression-tests.pl' is currently very limited; it may not adapt well to different Apache compilation options. If I recall correctly, I had installed Apache with +mpm (or similar) on our FreeBSD buildbots. The logs of the ModSecurity buildbots are available here:

FreeBSD 9:
- http://www.modsecurity.org/developers/buildbot/builders/freebsd9%20-%20Apache/builds/39/steps/regression%20test/logs/stdio

FreeBSD 10:
- http://www.modsecurity.org/developers/buildbot/builders/freebsd10%20-%20Apache/builds/39/steps/regression%20test/logs/stdio

> If there are FreeBSD users on the lists, I would invite you to try the
> preliminary 2.9.0.r1 version of the FreeBSD port. It would be especially
> interesting if you are running ARM/sparc.

We don't have a sparc on our BuildBots yet; I wish to have one in the near future.

Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com
From: Rainer J. <rai...@ki...> - 2014-11-18 21:49:17
Thanks for producing the RC and sharing.

Building it without curl support we get the expected

  NOTE: curl library is only required for building mlogc

output from the configure script, but then the build fails because of the new remote rules support. File msc_remote_rules.h unconditionally needs curl/curl.h.

I'd say curl is a bit huge and the remote rule support is not in mainstream use, so having the curl dependency only as an option currently would be good.

To not introduce a new mandatory dependency, you should define WITH_REMOTE_RULES_SUPPORT only if curl was found by configure.

Regards,

Rainer
From: Rainer J. <rai...@ki...> - 2014-11-18 22:00:56
Addition: you should also move the line

  #ifdef WITH_REMOTE_RULES_SUPPORT

in msc_remote_rules.c higher up in the file. Currently it would still include (and need) all header files and only then would the if block disable all code. But curl.h might not be there, so the include and compilation fail. Moving the if line directly after

  #include "msc_remote_rules.h"

fixes this.

Then there are two more curl dependencies:

- in apache2/re_operators.c in function msre_op_pmFromFile_param_init if the file name for pmFromFile is an https URL

- in apache2/msc_util.c in function ip_tree_from_uri if the file name for ipmatchFromFile is an https URL

IMHO both features should be disabled (replaced by an error message during runtime) if curl is not found.

Thanks and regards,

Rainer
From: Felipe C. <FC...@tr...> - 2014-11-19 18:08:23
Hi Rainer,

Thank you for testing the release candidate.

You are right. There is no need to force our users to have Curl installed. The Curl dependency will be mandatory only for the functionalities: SecRemoteRules, "remote resources", and mlogc. If Curl is not found in the system those functionalities will be disabled. I will make the necessary modifications.

Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com
From: Felipe C. <FC...@tr...> - 2014-12-15 20:17:38
Hi Rainer,

Thanks for your feedback.

Curl is no longer mandatory on our master tree. We have created `#ifdefs' with three different definitions:

- WITH_CURL: Enables the download of remote resources (including remote rules).
- WITH_REMOTE_RULES: Enables the SecRemoteRules directive, notice that it depends on WITH_CURL.
- WITH_CRYPTO: Support for encryption on SecRemoteRules directive (Needs apr/apu compiled with crypto support).

All those variables should be automatically set by autotools, making our build work even without Curl. Of course, if you don't have Curl(-dev) at build time, the "remote resources" will not be available.

Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>

On 11/18/14 7:00 PM, "Rainer Jung" <rai...@ki...> wrote:

>Addition: you should also move the line
>
>#ifdef WITH_REMOTE_RULES_SUPPORT
>
>in msc_remote_rules.c higher up in the file. Currently it would still
>include (and need) all header files and only then the if block would
>disable all code. But the curl.h might not be there, so include and
>compilation fails. Moving the if line directly after
>
>#include "msc_remote_rules.h"
>
>fixes this.
>
>Then there are two more curl dependencies:
>
>- in apache2/re_operators.c in function msre_op_pmFromFile_param_init if
>the file name for pmFromFile is an https URL
>
>- in apache2/msc_util.c in function ip_tree_from_uri if the file name
>for ipmatchFromFile is an https URL
>
>IMHO both features should be disabled (replaced by an error message
>during runtime) if curl is not found.
>
>Thanks and regards,
>
>Rainer
>
>On 18.11.2014 at 22:29, Rainer Jung wrote:
>> Thanks for producing the RC and sharing.
>>
>> Building it without curl support we get the expected
>>
>> NOTE: curl library is only required for building mlogc
>>
>> output from the configure script, but then the build fails because of
>> the new remote rules support.
>> File msc_remote_rules.h unconditionally
>> needs curl/curl.h.
>>
>> I'd say curl is a bit huge and the remote rule support not in the
>> mainstream use, so having the curl dependency only as an option currently
>> would be good.
>>
>> To not introduce a new mandatory dependency, you should define
>> WITH_REMOTE_RULES_SUPPORT only if curl was found by configure.
>>
>> Regards,
>>
>> Rainer
>>
>> On 18.11.2014 at 14:34, Felipe Costa wrote:
>>> [...]
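As an added example (not ModSecurity's code, and not written by either poster), here is the layout Rainer asks for and the dependency Felipe describes, in one small C translation unit: the feature guard comes before the optional include so a curl-less build never sees curl.h, WITH_REMOTE_RULES is refused at preprocessing time when WITH_CURL is absent, and an https:// parameter is rejected with an explicit runtime error message instead of a build failure when curl support is not compiled in. The macro names WITH_CURL and WITH_REMOTE_RULES follow Felipe's message; the functions resolve_resource and remote_support_compiled_in, the status codes and the sample URL are assumptions made for the illustration.

```c
/*
 * Added illustration, not ModSecurity's code.  Build flags WITH_CURL and
 * WITH_REMOTE_RULES follow the names in the thread; everything else here
 * (resolve_resource, remote_support_compiled_in, the status codes) is a
 * hypothetical stand-in for the pmFromFile/ipMatchFromFile parameter path.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Guard the optional header FIRST: a build without curl never includes it. */
#ifdef WITH_CURL
#include <curl/curl.h>
#endif

/* Encode the dependency at preprocessing time rather than as a link error. */
#if defined(WITH_REMOTE_RULES) && !defined(WITH_CURL)
#error "WITH_REMOTE_RULES requires WITH_CURL"
#endif

enum res_status {
    RES_LOCAL_FILE = 0,      /* caller should open the parameter as a path  */
    RES_REMOTE_OK = 1,       /* fetched over HTTPS into the caller's buffer */
    RES_ERR_UNSUPPORTED = 2, /* https:// given but curl support not built   */
    RES_ERR_FETCH = 3        /* curl reported an error                      */
};

static int is_https_url(const char *p)
{
    return strncmp(p, "https://", 8) == 0;
}

/* Lets configuration code (or a status page) report whether remote
 * resources can work at all in this binary. */
int remote_support_compiled_in(void)
{
#ifdef WITH_CURL
    return 1;
#else
    return 0;
#endif
}

#ifdef WITH_CURL
struct sink { char *buf; size_t cap; size_t len; };

/* curl write callback: append into a fixed buffer, abort on overflow. */
static size_t sink_write(char *ptr, size_t size, size_t nmemb, void *userdata)
{
    struct sink *s = userdata;
    size_t n = size * nmemb;
    if (n > s->cap - s->len - 1)
        return 0;            /* returning less than n makes curl fail the transfer */
    memcpy(s->buf + s->len, ptr, n);
    s->len += n;
    s->buf[s->len] = '\0';
    return n;
}
#endif

/* Resolve a pmFromFile/ipMatchFromFile-style parameter.  Non-https values are
 * left to the caller as local files; https values are fetched when curl is
 * compiled in and refused with a clear error message otherwise, which is the
 * runtime behaviour Rainer proposes for builds where curl was not found. */
int resolve_resource(const char *param, char *buf, size_t cap,
                     char *err, size_t errlen)
{
    if (!is_https_url(param))
        return RES_LOCAL_FILE;

#ifdef WITH_CURL
    struct sink s = { buf, cap, 0 };
    CURL *h = curl_easy_init();
    if (h == NULL) {
        snprintf(err, errlen, "curl_easy_init failed");
        return RES_ERR_FETCH;
    }
    curl_easy_setopt(h, CURLOPT_URL, param);
    curl_easy_setopt(h, CURLOPT_SSL_VERIFYPEER, 1L);  /* keep certificate checks on */
    curl_easy_setopt(h, CURLOPT_WRITEFUNCTION, sink_write);
    curl_easy_setopt(h, CURLOPT_WRITEDATA, &s);
    CURLcode rc = curl_easy_perform(h);
    curl_easy_cleanup(h);
    if (rc != CURLE_OK) {
        snprintf(err, errlen, "fetch failed: %s", curl_easy_strerror(rc));
        return RES_ERR_FETCH;
    }
    return RES_REMOTE_OK;
#else
    (void)buf; (void)cap;
    snprintf(err, errlen,
             "remote resource '%s' requested but this build has no curl support",
             param);
    return RES_ERR_UNSUPPORTED;
#endif
}
```

Compiled plainly (no -DWITH_CURL), the unit builds without libcurl headers present and any https:// parameter comes back as RES_ERR_UNSUPPORTED with a message the caller can log at startup; compiled with -DWITH_CURL and linked against libcurl, the same call performs the fetch with peer certificate verification left enabled.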