mod-security-packagers Mailing List for ModSecurity (Page 2)
From: Alberto G. I. <ag...@in...> - 2018-10-19 08:57:14
|
Hi,

I'm happy to announce that the package for (lib)mod-security 3.x entered Debian unstable this week. But some issues arose in the testing suite with some/all of the architectures:

- In most of them this test fails:
  ./regression_tests .././test/test-cases/regression/variable-ENV.json:1
  :test-result: FAIL variable-ENV.json:Testing Variables :: ENV (2/3)
- In some (i.e. s390) a bunch of ip matching rules tests fail [1]

You may see all the build logs here:
https://buildd.debian.org/status/package.php?p=modsecurity&suite=sid

Some help with these issues would be really appreciated.

Regards,

Alberto

[1]
./regression_tests .././test/test-cases/regression/operator-ipMatchFromFile.json:1
:test-result: PASS operator-ipMatchFromFile.json:Testing Operator :: @ipMatchFromFile - file not found
./regression_tests .././test/test-cases/regression/operator-ipMatchFromFile.json:2
:test-result: FAIL operator-ipMatchFromFile.json:Testing Operator :: @ipMatchFromFile - https

RUN: test/test-cases/secrules-language-tests/operators/ipMatch.json
===================================================================
:test-result: FAIL ipMatch 10.10.10.10
:test-result: PASS ipMatch 10.10.10.11
:test-result: FAIL ipMatch 10.10.10.11
:test-result: PASS ipMatch 10.10.7.254
:test-result: FAIL ipMatch 10.10.8.1
:test-result: PASS ipMatch 10.10.16.1
:test-result: FAIL ipMatch 10.10.15.254
:test-result: FAIL ipMatch 192.168.1.254
:test-result: PASS ipMatch 10.10.10.11
:test-result: FAIL ipMatch 156.149.152.152
:test-result: PASS ipMatch 10.10.10.11
:test-result: FAIL ipMatch 10.0.0.11
:test-result: FAIL ipMatch 10.10.10.11
:test-result: FAIL ipMatch 10.10.10.11

--
Alberto Gonzalez Iniesta | Training, consulting and technical support
mailto/sip: ag...@in... | in GNU/Linux and free software
Encrypted mail preferred | http://inittab.com
Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
From: Felipe C. <FC...@tr...> - 2017-07-19 14:09:23
|
I am very proud to announce ModSecurity version 2.9.2. In 2.9.2 we have some new features and bug fixes as well as two _security issues_ fixed.

This release, like all releases of 2.9 family, is a combined release for all bindings/versions that we support: Apache, Nginx, and IIS. Although Nginx users preferably want to use libModSecurity [1] with the ModSecurity-nginx connector [2].

This is the last release of 2.9.2 family which is likely to have new features as this version is being slowly deprecated in favor of ModSecurity version 3.

In this release we’ve got two security issues fixed:

- Allan Boll reported an uninitialized variable that may lead to a crash on Windows platform.
- Brian Adeloye reported an infinite loop on the version of libInjection used on ModSecurity 2.9.1.

Thanks for Allan Boll, and Brian Adeloye for the security reports ;)

The complete list of changes is available on our change logs:
https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.2

The source and binaries (and the respective hashes/signatures) are available at:
- https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.2

Thanks to everybody who participate with bug reports, comments and code, including: @victorhora, @defanator, @client9, @bjdijk, @hideaki, @parthasarathi204, Daniel Stelter-Gliese, @LukeP21, @mturk, Coty Sutherland, Robert Bost, Marc Stern, @bazzadp, Sander Hoentjen, Robert Paprocki, @Rendername, @emphazer, Chaim Sanders, Thomas Deutschmann, Michael Kjeldsen, Armin Abfalterer, Robert Culyer, Ephraim Vider, @charlymps, Christian Folini, Alexey Sintsov.

[1] https://github.com/SpiderLabs/ModSecurity/tree/v3/master
[2] http://www.github.com/SpiderLabs/ModSecurity-nginx/
From: Felipe C. <FC...@tr...> - 2016-03-09 20:16:28
|
Hi,

It is a pleasure to announce the release of ModSecurity version 2.9.1. This version does not differ in anything from its release candidate. For the differences between the version 2.9.0 and 2.9.1, please check the release notes of the version 2.9.1-rc1:
https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.1-rc1

The documentation for this release is available at:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual

The version 2.9.1 can be downloaded straight from GitHub:
https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.1

Thanks to all members of the community who participated and helped in the construction of this release.

* Known issues

  - Depending upon your Apache configuration you may have two "client" entries on the logs. The extended description of this issue can be found at: #840.

Br.,
Felipe "Zimmerle" Costa
Lead Developer for ModSecurity
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

________________________________

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
From: Felipe C. <FC...@tr...> - 2016-02-03 17:17:24
|
Hi,

It is a pleasure to announce the first release candidate for ModSecurity version 2.9.1. The version 2.9.1-RC1 contains fixes and new features. The new features list includes audit logs in JSON format.

I would like to thank you all, that participate in the construction of this release. A special thanks to the ones who sent patches and the ones who participated on the community meetings, which helped to increase the quality of our releases. Thank you.

The documentation of the new features is already available on our wiki page:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual

The source and binaries (and the respective hashes) are available at:
https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.1-RC1

The most important changes are listed below:

* New features

  - Added support to generate audit logs in JSON format.
    [Issue #914, #897, #656 - Robert Paprocki]
  - Extended Lua support to include version 5.3
    [Issue #837, #762, #814 - Athmane Madjoudj and ModSecurity team]
  - mlogc: Allows user to choose between TLS versions (TLSProtocol option introduced).
    [Issue #881 - Ishwor Gurung]
  - Allows mod_proxy's "nocanon" behavior to be specified in proxy actions.
    [Issue #1031, #961, #763 - Mario D. Santana and ModSecurity team]

* Bug fixes

  - Creating AuditLog serial file (or parallel index) respecting the permission configured with SecAuditLogFileMode. Previously, it was used only to save the transactions while in parallel mode.
    [Issue #852 - @littlecho and ModSecurity team]
  - Checking for hashing injection response, to report in case of failure.
    [Issue #1041 - ModSecurity team]
  - Stop buffering when the request is larger than SecRequestBodyLimit in ProcessPartial mode
    [Issue #709, #705, #728 - Justin Gerace and ModSecurity team]
  - Refactoring conditional #if/#defs directives.
    [Issue #996 - Wesley M and ModSecurity team]
  - mlogc-batch-load.pl.in: fix searching SecAuditLogStorageDir files with Apache 2.4
    [Issue #775 - Elia Pinto]
  - Understands IIS 10 as compatible on Windows installer.
    [Issue #931 - Anton Serbulov, Pavel Vasilevich and ModSecurity team]
  - Fix apache logging limitation by using correct Apache call.
    [Issue #840 - Christian Folini]
  - Fix apr_crypto.h check on 32-bit Linux platform
    [Issue #882, #883 - Kurt Newman]
  - Fix variable resolution duration (Content of the DURATION variable).
    [Issue #662 - Andrew Elble]
  - Fix crash while adding empty keys to persistent collections.
    [Issue #927 - Eugene Alekseev, Marc Stern and ModSecurity team]
  - Remove misguided call to srand()
    [Issues #778, #781 and #836 - Michael Bunk, @gilperon]
  - Fix compilation problem while ssdeep is installed in non-standard location.
    [Issue #872 - Kurt Newman]
  - Fix invalid storage reference by apr_psprintf at msc_crypt.c
    [Issue #609 - Jeff Trawick]

* Known issues

  - Instabilities of nginx add-on are still expected. Please use the "nginx refactoring" branch and stay tuned for the ModSecurity version 3.

Br.,
Felipe "Zimmerle" Costa
Lead Developer for ModSecurity
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com
From: Athmane M. <ath...@gm...> - 2015-02-13 21:31:02
|
Hi,

As you may know, mod_security packages on RHEL/CentOS 6 and 7 are slightly old (or stable if you like); So I have setup a repo [1] that tracks Fedora rawhide (aka devel) packages which are more up-to-date (currently 2.9.0), I usually update it after pushing the packages to Rawhide.

[1] https://copr.fedoraproject.org/coprs/athmane/mod_security/

Best regards

--
Athmane
From: Felipe C. <FC...@tr...> - 2015-02-12 22:48:10
|
Hi,

I am proud to announce our release for the version 2.9.0. This version 2.9.0 contains fixes.

Complete list of changes from 2.8.0 to 2.9.0 is available here:
- https://github.com/SpiderLabs/ModSecurity/releases

The source and binaries (and the respective hashes) are available at:
- https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.0

SHA256(modsecurity-2.9.0.tar.gz)= e2bbf789966c1f80094d88d9085a81bde082b2054f8e38e0db571ca49208f434
SHA256(ModSecurityIIS_2.9.0-32b.msi)= 3e7fc5e48c43738352935a2cc58dcd9272ed9e6d8ef4f6d57609183bcc443a57
SHA256(ModSecurityIIS_2.9.0-64b.msi)= cda1abf2c2e6f58b4dd33f4a16ab84c8b861663957dbdc2cf8ad7a4df1ad6645

We would like to thank you all that helped to test the release candidate one and two, a really great job. Thanks!

The most important change from v2.9.0-RC2 to v2.9.0:

* Fix apr_crypto.h include, now checking if apr_crypto.h is available by checking the definition WITH_APU_CRYPTO.
  [martinjina and ModSecurity team]

Br,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com
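The release announcements in this archive publish digests as `SHA256(file)= hex` lines. The Python below is an added example, not part of the original messages or of the ModSecurity project's tooling: it parses lines in that form and checks downloaded files against them. The `example-1.0.*` file names, their contents and the `demo()` helper are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# One published digest: SHA256(<file name>)= <64 hex digits>.
# The name may not contain path separators, so a hostile manifest
# cannot point the check at a file outside the download directory.
DIGEST_LINE = re.compile(r"SHA256\(([^()\s/\\]+)\)=\s*([0-9a-fA-F]{64})\b")

# Digest lines as they appear in the 2.9.0 announcement above.
ANNOUNCEMENT = """
SHA256(modsecurity-2.9.0.tar.gz)= e2bbf789966c1f80094d88d9085a81bde082b2054f8e38e0db571ca49208f434
SHA256(ModSecurityIIS_2.9.0-32b.msi)= 3e7fc5e48c43738352935a2cc58dcd9272ed9e6d8ef4f6d57609183bcc443a57
SHA256(ModSecurityIIS_2.9.0-64b.msi)= cda1abf2c2e6f58b4dd33f4a16ab84c8b861663957dbdc2cf8ad7a4df1ad6645
"""


def parse_digests(text):
    """Return {file name: lowercase hex digest} for every digest line in text."""
    found = {}
    for name, digest in DIGEST_LINE.findall(text):
        digest = digest.lower()
        # The same file listed twice with different digests is a red flag.
        if found.setdefault(name, digest) != digest:
            raise ValueError(f"conflicting digests published for {name}")
    return found


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(text, directory):
    """Map each published file name to 'ok', 'MISMATCH' or 'missing'."""
    results = {}
    for name, expected in parse_digests(text).items():
        path = Path(directory) / name
        if not path.is_file():
            results[name] = "missing"
        elif sha256_file(path) == expected:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def demo():
    """Run the check against constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "example-1.0.tar.gz"
        good.write_bytes(b"constructed sample payload\n")
        bad = Path(tmp) / "example-1.0.msi"
        bad.write_bytes(b"truncated or altered download\n")
        manifest = (
            f"SHA256(example-1.0.tar.gz)= {sha256_file(good)}\n"
            f"SHA256(example-1.0.msi)= {'0' * 64}\n"   # does not match the file
            f"SHA256(example-1.0.zip)= {'f' * 64}\n"   # file was never downloaded
        )
        return verify_downloads(manifest, tmp)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

A match shows only that the file equals what the announcement described; it does not authenticate the announcement itself.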
From: Walter H. <mo...@sp...> - 2015-01-06 15:22:11
|
Hi Felipe,

I haven’t found any regressions so far although I haven’t put it in production yet. So that date looks good!

It would be very much appreciated if you could briefly look at my thread "RESPONSE_BODY matching fails with gzip encoding on Ubuntu" on -users list, although this problem also occurs on 2.7.7. It might be a bug, if so, it would be nice to catch it in time.

Cheers!
WH

> On 05 Jan 2015, at 19:23, Felipe Costa <FC...@tr...> wrote:
>
> Hi Walter,
>
> Thank you for your feedback!! Best wishes in 2015.
>
> Waiting for your OK before release 2.9.0. My guess is that 19 of January
> is a good date for 2.9.0 release.
>
> Br.,
> Felipe "Zimmerle" Costa
> Security Researcher, SpiderLabs
>
> Trustwave | SMART SECURITY ON DEMAND
> www.trustwave.com

--
Walter Hop | PGP key: https://lifeforms.nl/pgp
From: Felipe C. <FC...@tr...> - 2015-01-05 18:24:07
|
Hi Walter,

Thank you for your feedback!! Best wishes in 2015.

Waiting for your OK before release 2.9.0. My guess is that 19 of January is a good date for 2.9.0 release.

Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com
From: Walter H. <mo...@sp...> - 2014-12-29 21:32:47
|
I gave the RC2 some quality time. It looks very good so far!

Fixed issues I’ve had with -RC1:

- Failures in @pmFromFile, @ipMatchFromFile and SecRemoteRules: works OK now!
- @fuzzyHash rule doesn't fire: works OK now! This problem was likely due to bugs in the old ssdeep version (FreeBSD bug #195720). ssdeep was updated to 2.12 on Dec 13th, so the timing is perfect.
- Persistent crashes in acmp_btree_find: seems to have been a FreeBSD 10.0 issue with all versions, works OK on FreeBSD 9.3 and 10.1. FreeBSD 10.0 will go out of support in February anyway.
- httpd crash on every request when using Lua 5.2: Assuming Lua 5.2 is not supported fully for now (Github issue #814). I will just depend on Lua 5.1. This is not an urgent problem, as lua51/lua52 packages can coexist peacefully.

One small unfixed issue remains:

- Apache log module prefix: not fixed, note that it still says '[:notice]', but this is a small issue at worst.
  [Mon Dec 29 21:44:18.001193 2014] [:notice] [pid 56448] ModSecurity for Apache/2.9.0-RC2 (http://www.modsecurity.org/) configured.

I will try the RC2 on some internal systems over the next week (including some Debian), so it’s possible some other stuff will turn up, but it’s feeling very stable so far!

Thanks for the hard work and the fixes, and best wishes for 2015 :)

WH

> On 16 Dec 2014, at 01:35, Felipe Costa <FC...@tr...> wrote:
>
> I am proud to announce our second release candidate for version 2.9.0.
> The 2.9.0-RC2 contains fixes and improvements.
>
> The source and binaries (and the respective hashes) are available at:
> https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.0-rc2
>
> SHA256(modsecurity-2.9.0-RC2.tar.gz)= 62bfb04d459a8308bb6850102c9d8f0cca250207749ce5b9465344dda2419993
> SHA256(ModSecurityIIS_2.9.0-RC2-32b.msi)= 364a55d2ff6981479694184eaec26404f294ac2131e8494ff478ae5e1aee33d6
> SHA256(ModSecurityIIS_2.9.0-RC2-64b.msi)= c5c90fb5eae5d819f641989bcfb2b4230506fb4bb8065034ef0684b8694585dd

--
Walter Hop | PGP key: https://lifeforms.nl/pgp
From: Felipe C. <FC...@tr...> - 2014-12-16 00:35:16
|
Hi,

I am proud to announce our second release candidate for version 2.9.0. The 2.9.0-RC2 contains fixes and improvements.

The source and binaries (and the respective hashes) are available at:
https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.0-rc2

SHA256(modsecurity-2.9.0-RC2.tar.gz)= 62bfb04d459a8308bb6850102c9d8f0cca250207749ce5b9465344dda2419993
SHA256(ModSecurityIIS_2.9.0-RC2-32b.msi)= 364a55d2ff6981479694184eaec26404f294ac2131e8494ff478ae5e1aee33d6
SHA256(ModSecurityIIS_2.9.0-RC2-64b.msi)= c5c90fb5eae5d819f641989bcfb2b4230506fb4bb8065034ef0684b8694585dd

We would like to thank you all that helped to test the release candidate one, you guys did a great job. Thanks!

The most important changes are listed below:

Bug fixes and improvements
==========================

* OpenSSL dependency was removed on MS Windows builds. ModSecurity is now using Curl with WinSSL.
  [Gregg Smith, Steffen and ModSecurity team]
* ModSecurity now informs about external resources loaded/failed while reloading Apache.
  [ModSecurity team]
* Adds missing 'ModSecurity:' prefix in some warnings messages.
  [Walter Hop and ModSecurity team]
* External resources download is now more verbose. Holding the message to be displayed when Apache is ready to write on the error_log.
  [ModSecurity team]
* Remote resources loading process is now failing in case of HTTP error.
  [Walter Hop and ModSecurity team]
* Fixed start up crash on Apache with mod_ssl configured. Crash was happening during the download of remote resources.
  [Christian Folini, Walter Hop and ModSecurity team]
* Curl is not a mandatory dependency to ModSecurity core anymore.
  [Rainer Jung and ModSecurity team]

Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com
From: Felipe C. <FC...@tr...> - 2014-11-19 17:48:36
|
Hi Walter,

Thanks for the package and thanks for test. Your feedback is very important. Comments below.

> From: Walter Hop <mo...@sp...>
> Date: Tuesday, November 18, 2014 18:29
>
> 2.9.0-RC1 built without problems on FreeBSD 10.x (well, some clang warnings if
> anybody's interested) and it passes 'make test' and our internal regression
> test, however I have problems running run-regression-tests.pl
> (which was also the case in last version).

Yes, we want to reduce the number of warnings to "0". We have an issue on GitHub to track our progress:
https://github.com/SpiderLabs/ModSecurity/issues/631

The issue has a reference to a Google Spreadsheet that contains some numbers. As you can see I need to update those values.

What kind of problems did you face while running `run-regression-tests.pl'? I know that `run-regression-tests.pl' is currently very limited, it may not adapt well on different Apache compilations options. If I recall correctly I had installed Apache with +mpm (or similar) on our FreeBSDs buildbots. The logs of ModSecurity buildbots are available here:

FreeBSD 9:
- http://www.modsecurity.org/developers/buildbot/builders/freebsd9%20-%20Apache/builds/39/steps/regression%20test/logs/stdio

FreeBSD 10:
- http://www.modsecurity.org/developers/buildbot/builders/freebsd10%20-%20Apache/builds/39/steps/regression%20test/logs/stdio

> If there are FreeBSD users on the lists, I would invite you to try the
> preliminary 2.9.0.r1 version of the FreeBSD port. It would be especially
> interesting if you are running ARM/sparc.

We don't have a sparc yet on our BuildBots I wish to have one in a near future.

Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com
From: Walter H. <mo...@sp...> - 2014-11-18 21:29:14
|
Thanks for the work!

2.9.0-RC1 built without problems on FreeBSD 10.x (well, some clang warnings if anybody’s interested) and it passes ‘make test’ and our internal regression test, however I have problems running run-regression-tests.pl (which was also the case in last version).

If there are FreeBSD users on the lists, I would invite you to try the preliminary 2.9.0.r1 version of the FreeBSD port. It would be especially interesting if you are running ARM/sparc.

If you are starting from a clean install that has no Apache or ports tree, do this first:

# pkg install apache24 git
# portsnap fetch extract
# echo 'DEFAULT_VERSIONS=apache=2.4' >> /etc/make.conf
# echo 'apache24_enable=YES' >> /etc/rc.conf
# apachectl start

Get the 2.9.0.r1 version of the port and install it:

# git clone -b 2.9.0 https://github.com/lifeforms/mod_security.git
# cd mod_security
# make install

When done, this should display configuration hints and the location of a README file with more info. Follow the instructions on your terminal, or just do this:

# echo 'LoadModule security2_module libexec/apache24/mod_security2.so' >> /usr/local/etc/apache24/httpd.conf
# echo 'Include etc/modsecurity/*.conf' >> /usr/local/etc/apache24/httpd.conf
# apachectl restart
# tail /var/log/httpd-error.log

You should see ModSecurity startup messages there.

The above also works for Apache 2.2; just replace all '4' characters in this message with '2'.

Comments on the README are appreciated. I plan to add a port option that will automatically install a recent branch of the CRS, but that will likely be for a different update.

Cheers,
WH

> On 18 Nov 2014, at 14:34, Felipe Costa <FC...@tr...> wrote:
>
> Hi,
>
> I am proud to announce our first release candidate for version 2.9.0.
> The 2.9.0-RC1 contains fixes and new features.
>
> The documentation is available in our wikipage:
> https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual
>
> The source and binaries (and the respective hashes) are available at:
> https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.0-rc1
>
> SHA256(modsecurity-2.9.0-RC1.tar.gz)= 1a061e09bc7e3218a80bc2004b7e87c8f3a382323b09633e060c16bea5e23098
> SHA256(ModSecurityIIS_2.9.0-RC1-32b.msi)= 68cd286612ca7026442ec3c409f33a2eaca428d9bb7a297d23a19043f5c31360
> SHA256(ModSecurityIIS_2.9.0-RC1-64b.msi)= 948ffeda98684c569c22da95d600aca7998f20a85c9345a56086e1a85c1d8ab7
>
> We would like to thank you all that helped out making this release: comments,
> bug reports, and pull requests.
>
> The most important changes are listed below:
>
> New features
> ============
>
> * `pmFromFile' and `ipMatchFromFile' operators are now accepting HTTPS served
>   files as parameter.
> * `SecRemoteRules' directive - allows you to specify a HTTPS served file that
>   may contain rules in the SecRule format to be loaded into your ModSecurity
>   instance.
> * `SecRemoteRulesFailAction' directive - allows you to control whenever the
>   user wants to Abort or just Warn when there is a problem while downloading
>   rules specified with the directive: `SecRemoteRules'.
> * `fuzzyHash' operator - allows to match contents using fuzzy hashes.
> * `FILES_TMP_CONTENT' collection - make available the content of uploaded
>   files.
> * InsecureNoCheckCert - option to validate or not a chain of SSL certificates
>   on mlogc connections.
>
> Bug fixes
> =========
>
> * ModSecurityIIS: ModSecurity event ID was changed from 0 to 0x1.
>   [Issue #676 - Kris Kater and ModSecurity team]
> * Fixed signature on "status call": ModSecurity is now using the original
>   server signature.
>   [Issues #702 - Linas and ModSecurity team]
> * YAJL version is printed while ModSecurity initialization.
>   [Issue #703 - Steffen (Apache Lounge) and Mauro Faccenda]
> * Fixed subnet representation using slash notation on the @ipMatch operator.
>   [Issue #706 - Walter Hop and ModSecurity team]
> * Limited the length of a status call.
>   [Issue #714 - 'cpanelkurt' and ModSecurity team]
> * Added the missing -P option to nginx regression tests.
>   [Issue #720 - Paul Yang]
> * Fixed automake scripts to do not use features which will be deprecated in the
>   upcoming releases of automake.
>   [Issue #760 - ModSecurity team]
> * apr-utils's LDFLAGS is now considered while building ModSecurity.
>   [Issue #782 - Daniel J. Luke]
> * IIS installer is not considering IIS 6 as compatible anymore.
>   [Issue #790 - ModSecurity team]
> * Fixed yajl build script: now looking for the correct header file.
>   [Issue #804 - 'rpfilomeno' and ModSecurity team]
> * mlogc is now forced to use TLS 1.x.
>   [Issue #806 - Josh Amishav-Zlatin and ModSecurity team]
>
> Br.,
> Felipe "Zimmerle" Costa
> Security Researcher, SpiderLabs
>
> Trustwave | SMART SECURITY ON DEMAND
> www.trustwave.com

--
Walter Hop | PGP key: https://lifeforms.nl/pgp
From: Felipe C. <FC...@tr...> - 2014-11-18 13:34:17
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I am proud to announce our first release candidate for version 2.9.0.
The 2.9.0-RC1 contains fixes and new features.

The documentation is available in our wikipage:
https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual

The source and binaries (and the respective hashes) are available at:
https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.0-rc1

SHA256(modsecurity-2.9.0-RC1.tar.gz)= 1a061e09bc7e3218a80bc2004b7e87c8f3a382323b09633e060c16bea5e23098
SHA256(ModSecurityIIS_2.9.0-RC1-32b.msi)= 68cd286612ca7026442ec3c409f33a2eaca428d9bb7a297d23a19043f5c31360
SHA256(ModSecurityIIS_2.9.0-RC1-64b.msi)= 948ffeda98684c569c22da95d600aca7998f20a85c9345a56086e1a85c1d8ab7

We would like to thank you all that helped out making this release: comments,
bug reports, and pull requests.

The most important changes are listed below:

New features
============

* `pmFromFile' and `ipMatchFromFile' operators are now accepting HTTPS served
  files as parameter.
* `SecRemoteRules' directive - allows you to specify a HTTPS served file that
  may contain rules in the SecRule format to be loaded into your ModSecurity
  instance.
* `SecRemoteRulesFailAction' directive - allows you to control whenever the
  user wants to Abort or just Warn when there is a problem while downloading
  rules specified with the directive: `SecRemoteRules'.
* `fuzzyHash' operator - allows to match contents using fuzzy hashes.
* `FILES_TMP_CONTENT' collection - make available the content of uploaded
  files.
* InsecureNoCheckCert - option to validate or not a chain of SSL certificates
  on mlogc connections.


Bug fixes
=========

* ModSecurityIIS: ModSecurity event ID was changed from 0 to 0x1.
  [Issue #676 - Kris Kater and ModSecurity team]
* Fixed signature on "status call": ModSecurity is now using the original
  server signature.
  [Issues #702 - Linas and ModSecurity team]
* YAJL version is printed while ModSecurity initialization.
  [Issue #703 - Steffen (Apache Lounge) and Mauro Faccenda]
* Fixed subnet representation using slash notation on the @ipMatch operator.
  [Issue #706 - Walter Hop and ModSecurity team]
* Limited the length of a status call.
  [Issue #714 - 'cpanelkurt' and ModSecurity team]
* Added the missing -P option to nginx regression tests.
  [Issue #720 - Paul Yang]
* Fixed automake scripts to not use features which will be deprecated in the
  upcoming releases of automake.
  [Issue #760 - ModSecurity team]
* apr-utils's LDFLAGS is now considered while building ModSecurity.
  [Issue #782 - Daniel J. Luke]
* IIS installer is not considering IIS 6 as compatible anymore.
  [Issue #790 - ModSecurity team]
* Fixed yajl build script: now looking for the correct header file.
  [Issue #804 - 'rpfilomeno' and ModSecurity team]
* mlogc is now forced to use TLS 1.x.
  [Issue #806 - Josh Amishav-Zlatin and ModSecurity team]


Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - https://gpgtools.org

iEYEARECAAYFAlRrRO0ACgkQ5t+wjOixEneDsQCfdQO7tsVdlBJB4bKQkRFzvpP+
m8EAn2ToUijuHIKpOm9yWdcwsuZ5yBW+
=80Ng
-----END PGP SIGNATURE-----
|
From: Felipe C. <FC...@tr...> - 2014-11-03 20:07:30
|
Hi,

For those who are using or distributing mlogc, please apply this patch:
https://gist.github.com/zimmerle/31eae2612c3719c5d1b1

This patch may be necessary, depending on your setup, to allow mlogc to connect to TLS1.2 servers. Before this patch it was trying SSLv3. This patch is already applied to our git repository.

Using SSLv3 is not a good idea as explained in the CVE-2014-3566 [1]. Notice that mlogc uses libcurl which will disable SSLv3 support as of: 7.39.0 [2]. If you didn't disable the SSLv3 support in the web server that mlogc is connecting to, doing so is also a good idea.

[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566
[2] http://curl.haxx.se/libcurl/c/CURLOPT_SSLVERSION.html

Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>
|
From: Felipe C. <FC...@tr...> - 2014-04-16 01:39:39
|
Hi,

It is a pleasure to announce ModSecurity v2.8.0. Besides the bug fixes and improvements, it comes with five important new features:

* JSON request body parser.
* SecConnReadStateLimit and SecConnWriteStateLimit directives.
* FULL_REQUEST and FULL_REQUEST_LENGTH variables.
* @detectXSS operator.
* ModSecurity status reporting.
* Append and prepend are now supported on nginx (Ref: #635<https://github.com/SpiderLabs/ModSecurity/issues/635>).
* SecServerSignature is now available on nginx (Ref: #637<https://github.com/SpiderLabs/ModSecurity/issues/637>).

Complete list of modifications:
https://github.com/SpiderLabs/ModSecurity/releases

Further information on the release:
http://blog.spiderlabs.com/2014/04/announcing-modsecurity-v280.html

Note: we are also modifying the name of our release tarball. We were labeling our release by: "modsecurity-apache_X.Y.Z.tar.gz", since we started to support Nginx, this name became outdated. Now we are labeling it as "modsecurity-X.Y.Z.tar.gz". For those who are automagically generating packages, it won't be a problem, the old naming policy will be preserved on the modsecurity.org<http://modsecurity.org/> server.

As in the last release, this release will be stored in two different servers: modsecurity.org<http://modsecurity.org/> and GitHub. Hashes are provided for the tarball integrity verification. The release tags are also GPG-Signed.

Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs
m: +55 81 8706.5547

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com<http://www.trustwave.com/>
|
From: Athmane M. <ath...@gm...> - 2014-04-03 21:29:17
|
On Thu, Apr 03, 2014 at 08:38:34PM +0000, Felipe Costa wrote:
> Hi,
>
> Marin Holst Swende (@mhswende) reported a security issue in ModSecurity related to the way that it recognizes a chunked transfer encoding.
> ModSecurity was just detecting a chunked transfer if it was informed in lower case, apparently Apache is more permissive. The rfc2616 describes the chunk encode.
>
> A fix was made by Breno Silva, and it was distributed altogether with other improvements on 2.7.6. However, the patch to older versions was not available to that list until now, we are sorry for that.
>
> The patch is available at:
> http://www.modsecurity.org/fix-CVE-2013-570.patch
>
> Signature of the patch:
> http://www.modsecurity.org/fix-CVE-2013-570.patch.asc
>
> This patch is suitable to versions 2.7.2 until 2.7.6. If you have a live package that is providing a ModSecurity version older than 2.7.2, please let me know. Just to confirm 2.7.6 and newer don't need the patch.
>

The patch from commit f8d441cd is also applicable for 2.6.8, in my case I still package 2.6.8 for EPEL5 (+ backported patches from 2.7.x), because RHEL/CentOS 5.x is stuck with an old version of libxml2, I believe it could be the same for other distros with long release cycle.

Thanks.

--
Athmane
|
From: Felipe C. <FC...@tr...> - 2014-04-03 20:43:38
|
Hi,

Marin Holst Swende (@mhswende) reported a security issue in ModSecurity related to the way that it recognizes a chunked transfer encoding.
ModSecurity was just detecting a chunked transfer if it was informed in lower case, apparently Apache is more permissive. The rfc2616 describes the chunk encode.

A fix was made by Breno Silva, and it was distributed altogether with other improvements on 2.7.6. However, the patch to older versions was not available to that list until now, we are sorry for that.

The patch is available at:
http://www.modsecurity.org/fix-CVE-2013-570.patch

Signature of the patch:
http://www.modsecurity.org/fix-CVE-2013-570.patch.asc

This patch is suitable to versions 2.7.2 until 2.7.6. If you have a live package that is providing a ModSecurity version older than 2.7.2, please let me know. Just to confirm 2.7.6 and newer don't need the patch.

Thanks,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com<http://www.trustwave.com/>
|
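The case-sensitivity problem described in the advisory above, as an added illustration that is not ModSecurity's code or the referenced patch: a case-sensitive substring test for `chunked` (assumed here as a stand-in for the lower-case-only behaviour) next to a token-wise, case-insensitive parse of the Transfer-Encoding value. The function names and the sample header values are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Illustrative stand-in (an assumption, not the project's code) for a check
 * that recognises chunked encoding only when it is written in lower case. */
static int is_chunked_case_sensitive(const char *te)
{
    return te != NULL && strstr(te, "chunked") != NULL;
}

/* Compare the n bytes at s with a lower-case token, ignoring ASCII case. */
static int token_equals(const char *s, size_t n, const char *token)
{
    size_t i;
    if (strlen(token) != n)
        return 0;
    for (i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != token[i])
            return 0;
    return 1;
}

/* Walk the comma-separated transfer-coding list and match each coding name
 * case-insensitively, ignoring surrounding whitespace and ";parameters". */
static int is_chunked(const char *te)
{
    const char *p = te;
    if (te == NULL)
        return 0;
    while (*p != '\0') {
        const char *start, *end;
        while (*p == ',' || *p == ' ' || *p == '\t')
            p++;                       /* separators and leading whitespace */
        start = p;
        while (*p != '\0' && *p != ',' && *p != ';')
            p++;                       /* the coding name itself */
        end = p;
        while (end > start && (end[-1] == ' ' || end[-1] == '\t'))
            end--;                     /* trailing whitespace */
        if (token_equals(start, (size_t)(end - start), "chunked"))
            return 1;
        while (*p != '\0' && *p != ',')
            p++;                       /* skip parameters of this coding */
    }
    return 0;
}

/* Constructed sample header values, not taken from a real capture. */
static const char *const samples[] = {
    "chunked", "Chunked", "CHUNKED", "gzip, Chunked",
    "chunked;ext=1", "identity", "notchunked"
};
#define NSAMPLES (sizeof(samples) / sizeof(samples[0]))

/* Number of samples on which the two checks disagree. */
static int count_disagreements(void)
{
    size_t i;
    int n = 0;
    for (i = 0; i < NSAMPLES; i++)
        if (is_chunked_case_sensitive(samples[i]) != is_chunked(samples[i]))
            n++;
    return n;
}

int main(void)
{
    size_t i;
    for (i = 0; i < NSAMPLES; i++)
        printf("%-16s case-sensitive=%d token-wise=%d\n", samples[i],
               is_chunked_case_sensitive(samples[i]), is_chunked(samples[i]));
    printf("disagreements: %d\n", count_disagreements());
    return 0;
}
```

Any header value on which the inspecting component and the web server behind it disagree means the two see different request bodies, which is why a packager's regression test for the backported fix should cover mixed-case and multi-coding values.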
From: Felipe C. <FC...@tr...> - 2014-04-01 03:16:40
|
Hi,

It is a pleasure to announce that ModSecurity version 2.8.0-RC1 is now ready! This release candidate contains new features, bug fixes and improvements. The new features are:

* JSON Parser is no longer under tests. Now it is part of our mainline.
* Connection limits (SecConnReadStateLimit/SecConnWriteStateLimit) now support white and suspicious list.
* New variables: FULL_REQUEST and FULL_REQUEST_LENGTH were added, allowing the rules to access the full content of a request.
* ModSecurity status is now part of our mainline.
* New operator: @detectXSS was added. It makes usage of the newest libinjection XSS detection functionality.
* Append and prepend are now supported on nginx (Ref: #635<https://github.com/SpiderLabs/ModSecurity/issues/635>).
* SecServerSignature is now available on nginx (Ref: #637<https://github.com/SpiderLabs/ModSecurity/issues/637>).

Check out the full list of changes straight from GitHub:
https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.8.0-rc1

Besides the listed changes we are also modifying the name of our release tarball. We were labeling our release by: "modsecurity-apache_X.Y.Z.tar.gz", since we started to support Nginx, this name became outdated. Now we are labeling it as "modsecurity-X.Y.Z.tar.gz". For those who are automagically generating packages, it won't be a problem, the old naming policy will be preserved on the modsecurity.org<http://modsecurity.org> server.

As in the last release, this will be stored in two different servers: modsecurity.org<http://modsecurity.org> and GitHub. Hashes will be provided for the tarball integrity verification. The release tags are also GPG-Signed.

Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com<http://www.trustwave.com/>
|
From: Athmane M. <ath...@gm...> - 2014-03-26 11:56:45
|
Sorry I replied off-list, here's a copy of the email sent to Ryan

---------- Forwarded message ----------
From: Athmane Madjoudj <at...@fe...>
Date: Wed, Mar 12, 2014 at 8:28 AM
Subject: Re: [mod-security-packagers] CentOS EPEL 6 ModSecurity Version
To: Ryan Barnett <RBa...@tr...>

On Tue, Mar 11, 2014 at 11:47:28PM +0000, Ryan Barnett wrote:
> Is anyone on this list handling the CentOS EPEL6 mod_security package? The most recent one there is this -
> http://pkgs.org/centos-6/epel-x86_64/mod_security-2.7.3-2.el6.x86_64.rpm.html
>
> Wondering when it will be upgraded to the latest (v2.7.7).
>

Hi

I'm mod_security/mod_security_crs package maintainer, the master branch of mod_security package already has 2.7.7. [1]

The current EPEL policy does not recommend doing major updates, instead the maintainer backports the required security patches to the current version. (this policy is very similar to Debian's)

If a user wants a newer version, they can file an RFC bug in bugzilla [2]

[1] bit.ly/1cwotGA
[2] https://bugzilla.redhat.com/

Thanks.

--
Athmane
|
From: Athmane M. <at...@fe...> - 2014-03-26 11:49:10
|
Sorry I replied off-list, here's a copy of the email sent to Ryan

On Tue, Mar 11, 2014 at 11:47:28PM +0000, Ryan Barnett wrote:
> Is anyone on this list handling the CentOS EPEL6 mod_security package? The most recent one there is this -
> http://pkgs.org/centos-6/epel-x86_64/mod_security-2.7.3-2.el6.x86_64.rpm.html
>
> Wondering when it will be upgraded to the latest (v2.7.7).

Hi,

I'm mod_security/mod_security_crs package maintainer, the master branch of mod_security package already has 2.7.7. [1]

The current EPEL policy does not recommend doing major updates, instead the maintainer backports the required security patches to the current version. (this policy is very similar to Debian's)

If a user wants a newer version, they can file an RFC bug in bugzilla [2]

[1] bit.ly/1cwotGA
[2] https://bugzilla.redhat.com/

Thanks.

--
Athmane
|
From: Ryan B. <RBa...@tr...> - 2014-03-11 23:47:36
|
Is anyone on this list handling the CentOS EPEL6 mod_security package? The most recent one there is this -
http://pkgs.org/centos-6/epel-x86_64/mod_security-2.7.3-2.el6.x86_64.rpm.html

Wondering when it will be upgraded to the latest (v2.7.7).

Ryan Barnett
Lead Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com<http://www.trustwave.com/>
|
From: Felipe C. <FC...@tr...> - 2013-12-19 14:02:20
|
Hi,

ModSecurity Release 2.7.7 is ready. It contains small fixes to allow an easy integration to packaging generation and build automation. Tarballs were renamed to fit the same structure of older releases and configure scripts were placed back as part of the Tarball.

For further information on the changes check the release notes<https://github.com/SpiderLabs/ModSecurity/releases>. For issues, please check the Issues on GitHub<https://github.com/SpiderLabs/ModSecurity/issues?direction=desc&sort=created&state=open>.

Archives also available at:

* Apache/Nginx:
  * https://www.modsecurity.org/tarball/2.7.7/modsecurity-apache_2.7.7.tar.gz
  * https://www.modsecurity.org/tarball/2.7.7/modsecurity-apache_2.7.7.tar.gz.sha256
* IIS
  * https://www.modsecurity.org/tarball/2.7.7/modsecurity-apache_2.7.7-32b.msi
  * https://www.modsecurity.org/tarball/2.7.7/modsecurity-apache_2.7.7-32b.msi.sha256
  * https://www.modsecurity.org/tarball/2.7.7/modsecurity-apache_2.7.7-64b.msi
  * https://www.modsecurity.org/tarball/2.7.7/modsecurity-apache_2.7.7-64b.msi.sha256

Thanks,
Felipe "Zimmerle" Costa
Lead Developer for ModSecurity, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com<http://www.trustwave.com/>
|
From: Felipe C. <FC...@tr...> - 2013-12-18 02:43:42
|
Hi,

Due to recent problems that people are facing to generate packages out of 2.7.6 we are working on 2.7.7. If you find out any other issue that was not reported yet, please report on Github:
https://github.com/SpiderLabs/ModSecurity/issues

Thanks,
Felipe "Zimmerle" Costa
Lead Developer for ModSecurity, SpiderLabs
m: +55 81 8706.5547

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com<http://www.trustwave.com/>
|
From: Felipe C. <FC...@tr...> - 2013-12-17 20:29:49
|
Hi,

We are pleased to announce ModSecurity release 2.7.6. Besides the bug fixes this release also includes modification on the build system that counts on QA mechanisms such as coding style checker and static analysis.

All ports and all platforms had some changes that may reduce the possibility of errors while trying to compile the project. Regression tests and unit tests are now more independent of platform or utilities versions. There is a new installer for MS Windows. Libinjection was updated.

For further information on the changes, please check the release notes. For more information about the fixed bugs or to report a new one, have a look at our Issues on GitHub.<https://github.com/SpiderLabs/ModSecurity/issues>

It is also a pleasure to announce that we now have a Buildbot to help us to control the quality of our code/releases. For each build, the Buildbots are building the code, checking coding style and doing a static analysis. Unit tests and regression tests are also performed. Compilation warnings are being monitored on our different ports/platforms. To follow up our builds, have a visit at:
http://www.modsecurity.org/developers/buildbot

All releases that were archived as Branches on our git are now archived as Tags, not appearing on the Branch list anymore, but still available under Tags. New features now will be placed under specific branches, for continuous testing until the stability is ensured and then merge at branch master to be released.

Thanks,
Felipe "Zimmerle" Costa
Lead Developer for ModSecurity, SpiderLabs
m: +55 81 8706.5547

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com<http://www.trustwave.com/>
|
From: Ryan B. <RBa...@tr...> - 2013-10-15 17:15:15
|
I wanted to send a note to the mail-lists to let everyone know that we have a new lead DEV for ModSecurity here in Trustwave SpiderLabs Research – Felipe Costa. Felipe is taking over for Breno Silva Pinto who has left Trustwave to pursue other opportunities. Breno did an outstanding job leading ModSecurity Dev for 3 years and we wish him luck in his new career. Hopefully Breno will still have some time to contribute to the project in the future.

We are excited to have Felipe on the team as he has extensive background in open source project development. Welcome aboard Felipe!

--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader
|