mod-security-packagers Mailing List for ModSecurity (Page 3)
From: Breno S. <bre...@gm...> - 2013-07-30 13:31:40
The ModSecurity Development Team is pleased to announce the availability of the ModSecurity 2.7.5 Stable Release. The stability of this release is good; it includes many bug fixes and some new features. In particular, libinjection was updated and many issues, false positives and false negatives were fixed. An NGINX compilation issue and a crash after reload were fixed. We added some small improvements, like severity now accepting strings.

Please see the release notes included in the CHANGES file. For known problems and more information about bug fixes, please see the online ModSecurity Jira. Please report any bug to mod...@li....

Thanks
Breno Silva
From: Breno S. <bre...@gm...> - 2013-07-11 17:46:15
Hello Alberto,

We changed some stuff in the 2.7.x build system to deal with the use of different library versions, especially for 64-bit platforms. I don't see any issue removing -rpath for Debian packages.

Thanks
Breno

On Mon, Jul 1, 2013 at 1:24 PM, Alberto Gonzalez Iniesta <ag...@in...> wrote:
> On Sat, Jun 29, 2013 at 08:01:43PM +0200, Alberto Gonzalez Iniesta wrote:
> > On Sat, Jun 29, 2013 at 04:57:09PM +0000, Ryan Barnett wrote:
> > > Anyone know when there will be a ModSecurity v2.7.x package for Debian?
> >
> > Probably next week, in sid (unstable), and a couple of weeks later (due
> > to Debian rules) in Wheezy backports. If nothing keeps me from doing it
> > (as it has been happening lately).
>
> I'm preparing the 2.7.4 package for Debian and got the following error
> from lintian[1]:
>
> E: libapache2-modsecurity: binary-or-shlib-defines-rpath
> usr/lib/apache2/modules/mod_security2.so /-lpcre
>
> This wiki page [2] explains why lintian/Debian consider this bad.
>
> Previous modsecurity versions did not have this issue. I may remove the
> rpath from the library or hack the libtool script to avoid it, but
> before doing it I was wondering if this change is due to some
> requirement or if changing this would break modsecurity in some way.
>
> Thanks,
>
> Alberto
>
> [1] Lintian checks Debian packages for bugs and Debian policy
> violations.
> [2] http://wiki.debian.org/RpathIssue
>
> --
> Alberto Gonzalez Iniesta | Training, consulting and technical support
> agi@(inittab.org|debian.org)| for GNU/Linux and free software
> Encrypted mail preferred | http://inittab.com
>
> Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
From: Alberto G. I. <ag...@in...> - 2013-07-01 16:25:10
On Sat, Jun 29, 2013 at 08:01:43PM +0200, Alberto Gonzalez Iniesta wrote:
> On Sat, Jun 29, 2013 at 04:57:09PM +0000, Ryan Barnett wrote:
> > Anyone know when there will be a ModSecurity v2.7.x package for Debian?
>
> Probably next week, in sid (unstable), and a couple of weeks later (due
> to Debian rules) in Wheezy backports. If nothing keeps me from doing it
> (as it has been happening lately).

I'm preparing the 2.7.4 package for Debian and got the following error from lintian[1]:

E: libapache2-modsecurity: binary-or-shlib-defines-rpath usr/lib/apache2/modules/mod_security2.so /-lpcre

This wiki page [2] explains why lintian/Debian consider this bad.

Previous modsecurity versions did not have this issue. I may remove the rpath from the library or hack the libtool script to avoid it, but before doing it I was wondering if this change is due to some requirement or if changing this would break modsecurity in some way.

Thanks,

Alberto

[1] Lintian checks Debian packages for bugs and Debian policy violations.
[2] http://wiki.debian.org/RpathIssue

--
Alberto Gonzalez Iniesta | Training, consulting and technical support
agi@(inittab.org|debian.org)| for GNU/Linux and free software
Encrypted mail preferred | http://inittab.com

Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
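The lintian tag in Alberto's message fires because the built mod_security2.so carries a DT_RPATH (or DT_RUNPATH) entry in its ELF dynamic section, which makes the loader search a baked-in directory before the system paths. The script below is an added example, not lintian's code and not part of the ModSecurity build: it performs the same check offline by walking the ELF program headers to the dynamic section and resolving the string table through the PT_LOAD that maps it. `build_sample_elf()` and the path `/usr/lib/pcre` it embeds are constructed fixtures so the check can be run without compiling anything; point `find_rpath()` at a real `.so` to inspect a package.

```python
"""DT_RPATH / DT_RUNPATH finder for ELF objects.
Added example (not lintian's or ModSecurity's own code): the check behind
lintian's binary-or-shlib-defines-rpath tag, done by walking the ELF
program headers and dynamic section, with a constructed ELF64 fixture so it
runs without a compiler."""
import struct
import sys

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_STRTAB, DT_RPATH, DT_RUNPATH = 0, 5, 15, 29
TAG_NAMES = {DT_RPATH: "DT_RPATH", DT_RUNPATH: "DT_RUNPATH"}


def _program_headers(data, is64, end):
    """Yield (p_type, p_offset, p_vaddr, p_filesz) for each program header."""
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        fmt = end + "IIQQQQQQ"   # type, flags, off, vaddr, paddr, filesz, memsz, align
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        fmt = end + "IIIIIIII"   # type, off, vaddr, paddr, filesz, memsz, flags, align
    for i in range(e_phnum):
        f = struct.unpack_from(fmt, data, e_phoff + i * e_phentsize)
        yield (f[0], f[2], f[3], f[5]) if is64 else (f[0], f[1], f[2], f[4])


def find_rpath(data):
    """Return [(tag_name, path), ...] for every DT_RPATH/DT_RUNPATH entry in
    the ELF image 'data' (bytes); [] means there is no rpath to complain
    about. Works for ELF32/ELF64 and either byte order."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64, end = data[4] == 2, ("<" if data[5] == 1 else ">")
    phdrs = list(_program_headers(data, is64, end))
    dynamic = [p for p in phdrs if p[0] == PT_DYNAMIC]
    if not dynamic:
        return []                     # no dynamic section, so no rpath
    _, dyn_off, _, dyn_size = dynamic[0]
    fmt, size = (end + "qQ", 16) if is64 else (end + "iI", 8)
    entries = []
    for off in range(dyn_off, dyn_off + dyn_size, size):
        tag, val = struct.unpack_from(fmt, data, off)
        if tag == DT_NULL:
            break
        entries.append((tag, val))
    strtab_vaddr = next((v for t, v in entries if t == DT_STRTAB), None)
    if strtab_vaddr is None:
        return []
    # DT_STRTAB holds a virtual address; map it to a file offset through the
    # PT_LOAD segment that covers it.
    strtab_off = next((strtab_vaddr - va + off for t, off, va, sz in phdrs
                       if t == PT_LOAD and va <= strtab_vaddr < va + sz), None)
    if strtab_off is None:
        raise ValueError("DT_STRTAB is not mapped by any PT_LOAD segment")
    found = []
    for tag, val in entries:
        if tag in TAG_NAMES:
            start = strtab_off + val
            path = data[start:data.index(b"\0", start)].decode("ascii", "replace")
            found.append((TAG_NAMES[tag], path))
    return found


def build_sample_elf(rpath=None, runpath=None):
    """Construct a minimal little-endian ELF64 ET_DYN image (one PT_LOAD that
    maps the whole file at vaddr 0, one PT_DYNAMIC) carrying the requested
    rpath/runpath. A synthetic fixture for find_rpath(), not a loadable .so."""
    strtab, dyn = b"\0", []
    for tag, value in ((DT_RPATH, rpath), (DT_RUNPATH, runpath)):
        if value is not None:
            dyn.append((tag, len(strtab)))
            strtab += value.encode() + b"\0"
    ehdr_size, phdr_size, phnum = 64, 56, 2
    strtab_off = ehdr_size + phdr_size * phnum
    dyn_off = strtab_off + len(strtab)
    dyn_bytes = b"".join(struct.pack("<qQ", t, v) for t, v in
                         [(DT_STRTAB, strtab_off)] + dyn + [(DT_NULL, 0)])
    total = dyn_off + len(dyn_bytes)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9   # ELF64, LE, version 1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 3, 62, 1, 0, ehdr_size, 0,
                       0, ehdr_size, phdr_size, phnum, 0, 0, 0)
    load = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, 0, 0, total, total, 0x1000)
    dyn_ph = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                         len(dyn_bytes), len(dyn_bytes), 8)
    return ehdr + load + dyn_ph + strtab + dyn_bytes


if __name__ == "__main__":
    # Usage: python rpath_check.py path/to/mod_security2.so (no args: built-in sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf(rpath="/usr/lib/pcre")
    print(find_rpath(blob) or "no DT_RPATH/DT_RUNPATH")
```

A non-empty result is what lintian objects to; the Debian wiki page linked above explains the exception for an rpath that points only into a package-private directory below /usr/lib. The usual remedies for a library like this one are to stop libtool from emitting -rpath at build time or to strip the entry afterwards with `chrpath --delete`, which is the kind of change Breno confirms is safe for the Debian package.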
From: Alberto G. I. <ag...@in...> - 2013-06-29 18:02:01
On Sat, Jun 29, 2013 at 04:57:09PM +0000, Ryan Barnett wrote:
> Anyone know when there will be a ModSecurity v2.7.x package for Debian?

Probably next week, in sid (unstable), and a couple of weeks later (due to Debian rules) in Wheezy backports. If nothing keeps me from doing it (as it has been happening lately).

--
Alberto Gonzalez Iniesta | Training, consulting and technical support
agi@(inittab.org|debian.org)| for GNU/Linux and free software
Encrypted mail preferred | http://inittab.com

Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D 4BF2 009B 3375 6B9A AA55
From: Ryan B. <RBa...@tr...> - 2013-06-29 16:57:20
Anyone know when there will be a ModSecurity v2.7.x package for Debian?

--
Ryan Barnett
Lead Security Researcher
Trustwave - SpiderLabs

________________________________
This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
From: Breno S. <bre...@gm...> - 2013-05-27 12:58:18
The ModSecurity Development Team is pleased to announce the availability of the ModSecurity 2.7.4 Stable Release. The stability of this release is good; it includes many bug fixes and some new features. The NGINX module version is now STABLE. We added support for libinjection as a new operator, @detectSQLi. There is a security issue fixed with this release; please check CVE-2013-2765 for more information.

Please see the release notes included in the CHANGES file. For known problems and more information about bug fixes, please see the online ModSecurity Jira. Please report any bug to mod...@li....

Thanks
Breno Silva
From: Ryan B. <RBa...@tr...> - 2013-04-02 13:37:12
Important note: as mentioned below, this release includes a security fix for a libxml2 external entity execution attack - http://secunia.com/advisories/52847/

It is highly recommended that you upgrade.

--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader

From: Breno Silva <bre...@gm...>
Date: Friday, March 29, 2013 12:55 PM
To: mod...@li..., mod-security-developers <mod...@li...>, mod...@li...
Subject: [mod-security-users] Availability of ModSecurity 2.7.3 Stable Release

The ModSecurity Development Team is pleased to announce the availability of the ModSecurity 2.7.3 Stable Release. The stability of this release is good and it includes many bug fixes. Many issues and missing features in the NGINX module were fixed. The NGINX module version is now RC. We have fixed some minor issues for IIS. We also added some important new features: the ability to load some specific directives from .htaccess files, and the SecXmlExternalEntity security feature, which by default disables the possibility to load XML external entities. We recommend all users use this version.

Please see the release notes included in the CHANGES file. For known problems and more information about bug fixes, please see the online ModSecurity Jira. Please report any bug to mod...@li....

Thanks
Breno Silva
From: Breno S. <bre...@gm...> - 2013-03-29 16:55:54
The ModSecurity Development Team is pleased to announce the availability of the ModSecurity 2.7.3 Stable Release. The stability of this release is good and it includes many bug fixes. Many issues and missing features in the NGINX module were fixed. The NGINX module version is now RC. We have fixed some minor issues for IIS. We also added some important new features: the ability to load some specific directives from .htaccess files, and the SecXmlExternalEntity security feature, which by default disables the possibility to load XML external entities. We recommend all users use this version.

Please see the release notes included in the CHANGES file. For known problems and more information about bug fixes, please see the online ModSecurity Jira. Please report any bug to mod...@li....

Thanks
Breno Silva
From: Johnny H. <jo...@ce...> - 2013-02-13 20:31:18
On 01/30/2013 09:24 AM, Ryan Barnett wrote:
> Can someone update the CentOS repos with the ModSecurity v2.7.2 so
> that it can be installed via Yum? Looks like v2.6.8 is the latest.

The CentOS repository with mod_security is:

http://people.centos.org/hughesjr/mod_security/

It has now been updated to:

CentOS-6:
ModSecurity: 2.7.2
ModSecurity_CRS: 2.2.7

CentOS-5:
ModSecurity: 2.6.8
ModSecurity_CRS: 2.2.7

Note: The 2.7.x branch of ModSecurity seems to contain a requirement for libxml2 >= 2.6.29 and the version in CentOS-5 is 2.6.26 ... therefore, CentOS-5 will have to stay with the 2.6.x branch of ModSecurity.

Thanks,
Johnny Hughes
From: Johnny H. <jo...@ce...> - 2013-02-13 16:52:34
On 02/11/2013 01:02 PM, Ryan Barnett wrote:
> Anyone on this list handle CentOS repos?
>
> From: Ryan Barnett <rba...@tr...>
> Date: Wednesday, January 30, 2013 10:24 AM
> To: mod...@li...
> Subject: ModSecurity v2.7.2 in CentOS Repos
>
> Can someone update the CentOS repos with the ModSecurity v2.7.2 so
> that it can be installed via Yum? Looks like v2.6.8 is the latest.
>
> Thanks.
>
> --
> Ryan Barnett
> Trustwave SpiderLabs
> ModSecurity Project Leader
> OWASP ModSecurity CRS Project Leader

Ryan,

It seems that version 2.7.2 of mod_security requires libxml of at least 2.6.29. I get this when trying to build on CentOS-5 ...

checking if libxml2 is at least v2.6.29... no, 2.6.26
configure: error: NOTE: libxml2 library must be at least 2.6.29
error: Bad exit status from /var/tmp/rpm-tmp.83162 (%build)

Is it possible to use it with libxml 2.6.26? (I can patch the files to allow it, but will it work?)

If not, I guess 2.6.x will be the last tree that works on CentOS-5.

Thanks,
Johnny Hughes
From: Johnny H. <jo...@ce...> - 2013-02-11 19:39:00
I do and I will get this done today.

On 02/11/2013 01:02 PM, Ryan Barnett wrote:
> Anyone on this list handle CentOS repos?
>
> From: Ryan Barnett <rba...@tr...>
> Date: Wednesday, January 30, 2013 10:24 AM
> To: mod...@li...
> Subject: ModSecurity v2.7.2 in CentOS Repos
>
> Can someone update the CentOS repos with the ModSecurity v2.7.2 so
> that it can be installed via Yum? Looks like v2.6.8 is the latest.
>
> Thanks.
>
> --
> Ryan Barnett
> Trustwave SpiderLabs
> ModSecurity Project Leader
> OWASP ModSecurity CRS Project Leader
From: Ryan B. <RBa...@tr...> - 2013-02-11 19:02:25
Anyone on this list handle CentOS repos?

From: Ryan Barnett <rba...@tr...>
Date: Wednesday, January 30, 2013 10:24 AM
To: mod...@li...
Subject: ModSecurity v2.7.2 in CentOS Repos

Can someone update the CentOS repos with the ModSecurity v2.7.2 so that it can be installed via Yum? Looks like v2.6.8 is the latest.

Thanks.

--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader
From: Ryan B. <RBa...@tr...> - 2013-01-30 15:24:19
Can someone update the CentOS repos with the ModSecurity v2.7.2 so that it can be installed via Yum? Looks like v2.6.8 is the latest.

Thanks.

--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader
From: Breno S. <bre...@gm...> - 2013-01-25 21:16:58
The ModSecurity Development Team is pleased to announce the availability of the ModSecurity 2.7.2 Stable Release. The stability of this release is good and it includes many bug fixes. We have fixed some build system issues and also set the IIS version as stable. We also included some fixes for the NGINX version and removed the ModSecurityPass command. Some fixes were included, especially in the cpf_verify and ipmatchf operators.

Please see the release notes included in the CHANGES file. For known problems and more information about bug fixes, please see the online ModSecurity Jira. Please report any bug to mod...@li....

Thanks
Breno Silva
From: Breno S. <bre...@gm...> - 2012-11-14 19:02:32
The ModSecurity Development Team is pleased to announce the availability of the ModSecurity 2.7.1 Stable Release. The stability of this release is good and it includes many bug fixes. We recommend people upgrade to the 2.7 series since it has a lot of bug fixes and fixes one security issue related to multipart payloads. In this version we renamed the directives and options related to the HMAC feature for better understanding of the technology.

Please see the release notes included in the CHANGES file. For known problems and more information about bug fixes, please see the online ModSecurity Jira. Please report any bug to mod...@li....

Thanks
Breno Silva
From: Breno S. P. <BP...@tr...> - 2012-10-26 13:45:13
Hello community!

During the last week we migrated the ModSecurity project to Github. Right now the code, the documentation and packages for download are already there!

Github place: https://github.com/SpiderLabs/ModSecurity

For those of you that want to contribute with patches, we wrote some instructions here: http://www.modsecurity.org/developers/

Please continue opening tickets for bugs, improvements and new features in ModSecurity Jira (http://www.modsecurity.org/tracker)

Thank you very much!

Breno Silva
From: Breno S. <bre...@gm...> - 2012-10-17 01:03:45
Availability of ModSecurity 2.7.0

The ModSecurity Development Team is pleased to announce the availability of the ModSecurity 2.7.0 Stable Release. The stability of this release is good and it includes many new features and bug fixes.

Highlights include:

* Internationalization (I18N) Support
* HMAC Token Injection to prevent data manipulation
* PCRE JIT Support to speed up regular expression operators
* Caching Lua VMs to speed up multiple scripts
* Ability to add exceptions based on TAG and MSG data
* Per-rule Performance information in audit log

Please see the release notes included in the CHANGES file. For known problems and more information about bug fixes, please see the online ModSecurity Jira. Please report any bug to mod...@li....

Thanks
Breno Silva
From: Breno S. <bre...@gm...> - 2012-09-26 13:14:01
The ModSecurity Development Team is pleased to announce the availability of the ModSecurity 2.6.8 Release. The stability of this release is good and it includes some bug fixes.

Please see the release notes included in the CHANGES file (http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/branches/2.6.x/CHANGES). For known problems and more information about bug fixes, please see the online ModSecurity Jira (https://www.modsecurity.org/tracker/). Please report any bug to mod...@li... (http://lists.sourceforge.net/lists/listinfo/mod-security-developers).

Thanks
Breno Silva
From: Breno S. <bre...@gm...> - 2012-09-10 20:05:56
The ModSecurity Development Team is pleased to announce the availability of the ModSecurity 2.7.0-rc3 Release (http://www.modsecurity.org/download/modsecurity-apache_2.7.0-rc2.tar.gz). The stability of this release is good and it includes bug fixes and new features. I think the most important one is being able to handle Internationalization (I18N) and thus properly handle various data encodings, including Unicode and UTF-8, in order to prevent not only evasion issues but also to minimize false positives. Please check our blog for more information (http://blog.spiderlabs.com/2012/08/waf-normalization-and-i18n.html).

We also merged the NGINX and IIS code from the experimental branch. The IIS code should be stable now but NGINX is still in experimental status. This should be the last -rc extra version until the stable.

Please see the release notes included in the CHANGES file (http://mod-security.svn.sourceforge.net/viewvc/mod-security/m2/branches/2.7.x/CHANGES). For known problems and more information about bug fixes, please see the online ModSecurity Jira (https://www.modsecurity.org/tracker/). Please report any bug to mod...@li... (http://lists.sourceforge.net/lists/listinfo/mod-security-developers).

Thanks
Breno Silva
From: Ryan B. <RBa...@tr...> - 2012-08-24 18:21:14
Greetings everyone,

As most of you are already aware, we have a number of community members who are in charge of OS repos (such as CentOS, Debian, etc.) and actively take the ModSecurity source code for stable releases and then compile it for their OS platforms. I cannot stress enough the importance of this effort. Based on past ModSecurity User Surveys, more than 50% of users obtain ModSecurity by using their OS package manager software. It is for this reason that we need to ensure that we (the ModSecurity team) work with you all as package managers for your respective OS to get the latest and greatest versions into your repos in a timely manner.

To that end, we will make sure to announce on this mail-list whenever we release a new version of ModSecurity. If there is anything else that we can do to help make this process easier or if you have any recommendations for this process, please speak up!

Thanks again for all of your help.

--
Ryan Barnett
Trustwave SpiderLabs
ModSecurity Project Leader
OWASP ModSecurity CRS Project Leader
From: Brian R. <bre...@gm...> - 2010-07-23 16:17:09
All,

I wanted to let everyone know that today is my last day working for Breach Security/Trustwave and I am stepping down from my role in ModSecurity. Trustwave's Spider Labs will be continuing the ModSecurity project. Please see my blog...

http://blog.modsecurity.org/2010/07/modsecurity-has-a-new-home.html

It has been fantastic working with everyone in the community and I look forward to continuing, just with a different role.

-B
From: Brian R. <Bri...@br...> - 2010-02-06 02:21:45
Hello all,

ModSecurity 2.5.12 has been released. This release fixes several important issues to help prevent a detection bypass and denial of service attacks against ModSecurity. Many thanks to the Sogeti/ESEC R&D team for sending us the results of their code review. In addition, this release fixes quite a few small but notable bugs and includes the latest Core Ruleset (v2.0.5).

It is highly recommended that you upgrade to ModSecurity 2.5.12, but there are some changes you need to watch out for.

Notable changes which may impact an upgrade:

* PCRE match limits are substantially lowered by default. If you have custom rules that are resulting in "PCRE limits exceeded", then you may have to adjust SecPcreMatchLimit* directives or modify your regex. You can also revert to the default by building with the "--disable-pcre-match-limit" and "--disable-pcre-match-limit-recursion" configure options (not recommended, though).

* PCRE "studying" is now on by default (use the --disable-pcre-study configure option to turn it off). This allows for extra checks when compiling a regex for optimization. Normally this is a good thing, but it may slow down a restart/reload on large rulesets.

* A new form of processing flags has been introduced. ModSecurity processing flags may indicate an issue or inconsistency when processing a transaction. These flags have been placed in the TX collection so that they maintain backwards compatibility. Each of these flags is prefixed with "MSC_". If you are using this prefix, then you may have false positives and will need to change to another prefix. Currently there is just one flag, TX:MSC_PCRE_LIMITS_EXCEEDED, being used. See the documentation on the TX collection and SecPcreMatchLimit* directives for more information.

* ModSecurity will now (by default) not process more than 100 file uploads. This can be overridden via SecUploadFileLimit. You are encouraged to *lower* the limit if you do not allow mass uploads of files on your site.

* The @pmFromFile operator will now trim whitespace from both sides of the phrase (line) when reading in the list of phrases. If you have used whitespace as a left or right boundary in custom rules, then you will need to replace the boundary with a non-whitespace character.

As always, downloads are available from modsecurity.org.

CHANGES:

04 Feb 2010 - 2.5.12
--------------------
* Fixed SecUploadFileMode to set the correct mode.
* Fixed nolog,auditlog/noauditlog/nolog controls for disruptive actions.
* Added additional file info definitions introduced in APR 0.9.5 so that build will work with older APRs (IBM HTTP Server v6).
* Added SecUploadFileLimit to limit the number of uploaded file parts that will be processed in a multipart POST. The default is 100.
* Fixed path normalization to better handle backreferences that extend above root directories. Reported by Sogeti/ESEC R&D.
* Trim whitespace around phrases used with @pmFromFile and allow for both LF and CRLF terminated lines.
* Allow for more robust parsing for multipart header folding. Reported by Sogeti/ESEC R&D.
* Fixed failure to match internally set TX variables with regex (TX:/.../) syntax.
* Fixed failure to log full internal TX variable names and populate MATCHED_VAR* vars.
* Enabled PCRE "studying" by default. This is now a configure-time option.
* Added PCRE match limits (SecPcreMatchLimit/SecPcreMatchLimitRecursion) to aid in REDoS type attacks. A rule that goes over the limits will set TX:MSC_PCRE_LIMITS_EXCEEDED. It is intended that the next major release of ModSecurity (2.6.x) will move these flags to a dedicated collection.
* Reduced default PCRE match limits reducing impact of REDoS on poorly written regex rules. Reported by Sogeti/ESEC R&D.
* Fixed memory leak in v1 cookie parser. Reported by Sogeti/ESEC R&D.
* Now support macro expansion in numeric operators (@eq, @ge, @lt, etc.)
* Update copyright to 2010.
* Reserved 700,000-799,999 IDs for Ivan Ristic.
* Fixed SecAction not working when CONNECT request method is used (MODSEC-110). [Ivan Ristic]
* Do not escape quotes in macro resolution and only escape NUL in setenv values.

--
Brian Rectanus
Breach Security
From: Brian R. <Bri...@br...> - 2009-11-07 07:16:30
ModSecurity 2.5.11 has been released and is now available. This release fixes a multipart parsing issue that has the potential to allow bypassing the rules engine. This bypass can be avoided via some simple rules, however. Other changes include a rules update (CRS 2.0.3) and some minor cleanup in build, mlogc, persistence and the output filter ordering.

By using non-standard (but accepted by some platforms) quoting, ModSecurity may be fooled into thinking some parameters are uploaded files. A working example was presented at POC2009. To mitigate this, the following rules (also included in the latest CRS v2.0.3, included with ModSecurity 2.5.11) are recommended until you can update to ModSecurity 2.5.11:

    # Identify multipart/form-data name evasion attempts
    SecRule FILES "['\";=]" \
        "phase:2,deny,log,t:none,\
        msg:'Attempted multipart/form-data bypass'"
    SecRule FILES_NAMES "['\";=]" \
        "phase:2,deny,log,t:none,\
        msg:'Attempted multipart/form-data bypass'"

Downloads and docs from modsecurity.org as usual.

04 Nov 2009 - 2.5.11
--------------------
* Added a new multipart flag, MULTIPART_INVALID_QUOTING, which will be set true if any invalid quoting is found during multipart parsing.
* Fixed parsing quoted strings in multipart Content-Disposition headers. Discovered by Stefan Esser.
* Cleanup persistence database locking code.
* Added warning during configure if libcurl is found linked against gnutls for SSL. The openssl lib is recommended as gnutls has proven to cause issues with mutexes and may crash.
* Cleanup some mlogc (over)logging.
* Do not log output filter errors in the error log.
* Moved output filter to run before other stock filters (mod_deflate, mod_cache, mod_expires, mod_filter) to avoid analyzing modified data in the response. Patch originally submitted by Ivan Ristic.

--
Brian Rectanus
Breach Security
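The two SecRules in Brian's announcement deny any multipart part that ModSecurity treats as a file upload when the filename (FILES) or the field name of that part (FILES_NAMES) contains a quote, semicolon or equals sign, the characters that only appear in those values when the Content-Disposition header was quoted in a non-standard way. The script below is an added example, not ModSecurity's multipart parser and not the CRS: it parses a part's Content-Disposition value, records an `invalid_quoting` flag in the spirit of the MULTIPART_INVALID_QUOTING flag that 2.5.11 introduced, and then applies the same character check the rules apply. The sample headers are constructed for this example, not taken from the POC2009 material or from any real request.

```python
"""Content-Disposition quoting check for multipart/form-data parts.
Added example (not ModSecurity code): a small parser that records non-standard
quoting, plus the FILES / FILES_NAMES character check from the rules above."""
import re

# Characters the two SecRules reject in a part's filename (FILES) and in the
# field name of a file part (FILES_NAMES): ' " ; =
SUSPICIOUS = re.compile(r'[\'";=]')


def split_params(header):
    """Split a header value on ';' while honouring double-quoted strings
    (quoted-string syntax from RFC 2045/2183, including backslash escapes).
    Returns (fragments, unterminated); unterminated is True when a quote
    is never closed."""
    parts, buf, in_quotes, escaped = [], [], False, False
    for ch in header:
        if in_quotes and escaped:
            escaped = False            # keep the escaped character as-is
        elif in_quotes and ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p], in_quotes


def parse_content_disposition(header):
    """Parse e.g. 'form-data; name="f"; filename="x.txt"'.
    'invalid_quoting' plays the role of 2.5.11's MULTIPART_INVALID_QUOTING
    flag: set when a value is neither a clean quoted-string nor a clean
    token (quotes inside a token, a stray '"' inside quotes, or an
    unterminated quote)."""
    fragments, unterminated = split_params(header)
    result = {"type": fragments[0].lower() if fragments else "",
              "params": {}, "invalid_quoting": unterminated}
    for frag in fragments[1:]:
        key, sep, val = frag.partition("=")
        if not sep:
            result["invalid_quoting"] = True   # bare word where k=v expected
            continue
        key, val = key.strip().lower(), val.strip()
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            inner = val[1:-1]
            if re.search(r'(?<!\\)"', inner):  # unescaped '"' inside quotes
                result["invalid_quoting"] = True
            val = re.sub(r"\\(.)", r"\1", inner)  # drop backslash escapes
        elif SUSPICIOUS.search(val):
            # an RFC token may not contain quotes, ';' or '=': this is the
            # "non-standard quoting" case (e.g. single-quoted values)
            result["invalid_quoting"] = True
        result["params"][key] = val
    return result


def is_bypass_attempt(parsed):
    """Equivalent of the two SecRules: only parts that carry a filename are
    file parts; flag them if the filename or the field name contains one
    of ' " ; =."""
    params = parsed["params"]
    if "filename" not in params:
        return False
    return bool(SUSPICIOUS.search(params["filename"])
                or SUSPICIOUS.search(params.get("name", "")))


# Constructed sample headers (not taken from any real capture).
SAMPLE_HEADERS = {
    "clean upload":   'form-data; name="upload"; filename="report.pdf"',
    "plain field":    'form-data; name="comment"',
    "single quotes":  "form-data; name='upload'; filename='x.php'",
    "escaped quote":  'form-data; name="upload"; filename="a\\"b.php"',
    "unterminated":   'form-data; name="upload"; filename="x.php',
    "semicolon name": 'form-data; name="a;b"; filename="x.txt"',
}


def scan(headers=SAMPLE_HEADERS):
    """Return {label: (invalid_quoting, bypass_attempt)} for each header."""
    out = {}
    for label, hdr in headers.items():
        parsed = parse_content_disposition(hdr)
        out[label] = (parsed["invalid_quoting"], is_bypass_attempt(parsed))
    return out


if __name__ == "__main__":
    for label, (bad_quoting, bypass) in scan().items():
        print(f"{label:15s} invalid_quoting={bad_quoting!s:5s} bypass={bypass}")
```

Two of the samples show why the rules are broader than a pure syntax check: a filename that legitimately escapes a double quote inside a quoted-string parses cleanly, yet still trips the FILES rule, and a field name of "a;b" is valid quoting but is denied by the FILES_NAMES rule. That over-blocking is the price of a stop-gap that has to work on a parser it cannot change; once 2.5.11's fixed parser is in place the MULTIPART_INVALID_QUOTING flag gives the precise signal.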
From: Brian R. <Bri...@br...> - 2009-09-28 08:52:55
yersinia wrote:
> On Sun, Sep 27, 2009 at 12:51 AM, Alberto Gonzalez Iniesta <ag...@in...> wrote:
>
> > On Sat, Sep 26, 2009 at 11:10:11AM +0200, yersinia wrote:
> > > On Fri, Sep 25, 2009 at 9:29 PM, Brian Rectanus <bre...@gm...> wrote:
> > >
> > > > ModSecurity has always required Lua 5.1.x. Perhaps this version is
> > > > finding 5.0 by mistake instead of ignoring it? The --without-lua
> > > > configure option should help you. I'll look at adding a version check
> > > > to the next release.
> > >
> > > Could it be useful for ModSecurity, in order to improve portability, to put
> > > in the tarball the correct versions of lua, or pcre, .. and decide at
> > > configure time (or with a switch to configure) whether to include the
> > > private version or link to the one on the system? This is what rpm has done for
> > > years. Are you interested in this development? I have some experience with
> > > autofu and portability issues, so perhaps I can help in trying, but I
> > > prefer to ask first.
> > > Thanks
> >
> > I don't think that's a good idea. Having different versions of
> > lua/foobar around your system. The documentation should state which
> > software you need, and which versions are required, to build
> > Modsecurity. Creating a huge tarball with all the build dependencies is
> > plain ugly and will lead to confusion.
>
> It could increase the work of the developer, but also make them more free in
> their choices, and largely simplify the end luser experience and extend
> the platforms on which a product works. This is my experience, which
> might not be worth much, and that of the maintainer of this project
> http://rpm5.org/cvs/fileview?f=rpm/INSTALL&v=2.125
> http://rpm5.org/cvs/chngview?cn=13173
>
> But YMMV, as everyone else.
>
> Elia

Lua is not required, so I don't want to package it. The docs clearly state Lua 5.1.x and that it is optional (http://modsecurity.org/documentation/modsecurity-apache/2.5.10/modsecurity2-apache-reference.html#installation). Also, as Alberto stated, I don't think any of the people putting ModSecurity into a distribution will want it either (they will build with the distribution's version). On top of that, I just don't think it very wise to distribute another lib's source as that means it becomes my responsibility to keep it up-to-date and I don't need the extra work. Nor do I want to have to release another ModSecurity package just because there is a flaw in one of the bundled libs.

-B

--
Brian Rectanus
Breach Security
From: Alberto G. I. <ag...@in...> - 2009-09-26 23:10:19
On Sat, Sep 26, 2009 at 11:10:11AM +0200, yersinia wrote:
> On Fri, Sep 25, 2009 at 9:29 PM, Brian Rectanus <bre...@gm...> wrote:
>
> > ModSecurity has always required Lua 5.1.x. Perhaps this version is
> > finding 5.0 by mistake instead of ignoring it? The --without-lua
> > configure option should help you. I'll look at adding a version check
> > to the next release.
>
> Could it be useful for ModSecurity, in order to improve portability, to put
> in the tarball the correct versions of lua, or pcre, .. and decide at
> configure time (or with a switch to configure) whether to include the
> private version or link to the one on the system? This is what rpm has done for
> years. Are you interested in this development? I have some experience with
> autofu and portability issues, so perhaps I can help in trying, but I
> prefer to ask first.
> Thanks

I don't think that's a good idea. Having different versions of lua/foobar around your system. The documentation should state which software you need, and which versions are required, to build Modsecurity. Creating a huge tarball with all the build dependencies is plain ugly and will lead to confusion.

My 2c.

--
Alberto Gonzalez Iniesta | Training, consulting and technical support
agi@(inittab.org|debian.org)| for GNU/Linux and free software
Encrypted mail preferred | http://inittab.com

Key fingerprint = 9782 04E7 2B75 405C F5E9 0C81 C514 AF8E 4BA4 01C3