Dear all,
Trustwave SpiderLabs has released ModSecurity 2.9.6 and ModSecurity /
libModSecurity 3.0.8.
https://www.trustwave.com/en-us/resources/security-resources/software-updates/announcing-modsecurity-versions-308-and-296/
They did not announce this in this mailing list, though, and they also
confirmed they have no intention to do so.
Reading through the release notes does not really make it clear this is
a security release. Being familiar with all the weaknesses in question,
I assure you this is grave. Please update your servers.
Please note that the modsecurity recommended rules that pick the request
body processor will also have to be updated.
A very convenient change in this release is that single quotes in
double-quoted multipart file upload filenames will no longer trigger a
body processor error. French and Italian users will welcome this in
particular.
The OWASP ModSecurity Core Rule Set team has made sure these changes make it
into the stable Debian release and will be picked up by other distributions
from there. (This is fairly political since distros tend to refuse updates
unless there is a CVE involved.)
OWASP CRS will also issue a security update to the 3.2.x and v3.2.x release
line to complement the changes in the engine. We tried to be really fast after
the ModSecurity release but being late is better than a broken release and
we are still testing. Expect these releases next week.
I am running a ModSecurity / CRS webcast next Tuesday, 2pm CET.
You can sign up here:
https://www.meetup.com/meetup-group-ungjkskv/events/287901911/
I will cover (some of) the weaknesses in this ModSecurity update in this
first edition of this new format. Tune in when you want to understand
what this is all about.
Best regards,
Christian
--
No one is born hating another person because of the colour of
his skin, or his background, or his religion. People must learn to hate,
and if they can learn to hate, they can be taught to love, for love
comes more naturally to the human heart than its opposite.
-- Nelson Mandela
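Added example, not code from the post above, from Trustwave's ModSecurity or from OWASP CRS: a small Python script that builds the multipart/form-data body the post describes (a double-quoted filename that contains a single quote), checks that test vector offline with the standard library's MIME parser, and can POST it at a staging host that sits behind the upgraded engine. The boundary string, the field name, the sample filename l'annee.txt, and the host and path passed to send_probe() are constructed placeholders, not values from the post.

```python
# Added example (not from the post, ModSecurity or CRS): build the multipart
# body whose double-quoted filename contains a single quote, verify the
# vector offline, and optionally send it at a staging server.
import email
import http.client

# Constructed boundary; any RFC 2046 boundary token would do.
BOUNDARY = "----ModSecTestBoundary7f3a9c"


def content_type_header() -> str:
    """Value of the Content-Type request header matching BOUNDARY."""
    return f"multipart/form-data; boundary={BOUNDARY}"


def build_multipart(filename: str, content: bytes, field: str = "file") -> bytes:
    """Return a one-part multipart/form-data body. The filename parameter is
    double-quoted the way browsers send it and is not escaped, so a single
    quote inside it is exactly the case the post talks about."""
    head = (
        f"--{BOUNDARY}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n"
        "\r\n"
    ).encode("utf-8")
    tail = f"\r\n--{BOUNDARY}--\r\n".encode("ascii")
    return head + content + tail


def parse_filenames(body: bytes) -> list:
    """Parse the body back with the stdlib MIME parser and return every
    filename it finds. A parser that treats the single quote as a quoting
    character would truncate or reject the name instead."""
    raw = f"Content-Type: {content_type_header()}\r\n\r\n".encode("ascii") + body
    msg = email.message_from_bytes(raw)
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def send_probe(host: str, path: str, filename: str, port: int = 80) -> int:
    """POST the test body to a staging upload endpoint (host and path are
    placeholders for your environment) and return the HTTP status. Compare
    it with the status your REQBODY_ERROR / MULTIPART_STRICT_ERROR rules
    return on a deny: a deny for a name like this means the engine or the
    recommended body-processor rules were not updated."""
    body = build_multipart(filename, b"probe\n")
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("POST", path, body=body,
                     headers={"Content-Type": content_type_header()})
        return conn.getresponse().status
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed ASCII sample; the real-world trigger is typically an
    # accented French or Italian name such as l'été.txt.
    sample = "l'annee.txt"
    print(sample, "->", parse_filenames(build_multipart(sample, b"x")))
```

Run the offline check first so you know the vector is well-formed, then point send_probe() at a staging upload endpoint and record the status before and after the upgrade; only a request that carries the single quote inside the double-quoted filename exercises the change the post describes.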