Brian Rectanus | 8 May 18:44

ModSecurity 2.5.4 Released

Hello all,

ModSecurity 2.5.4 was released.  This fixes a problem with
transformation caching in ModSecurity 2.5 through version 2.5.3.

Transformation Caching Issue Details:

If you are using a transformation in SecDefaultAction and t:none in a
rule, then there is the potential for the rule to use the wrong cached
value (the default transformation value), possibly resulting in a false
negative (no match).  The Core Rules v1.6 do not require a default
transformation, but there is a potential for a false negative if a
default transformation is defined.  Upgrading to 2.5.4 is encouraged;
however, workarounds are available until an upgrade is possible.

Workarounds for Transformation Caching Issue in 2.5.0-2.5.3:

1) (recommended) Disable transformation caching until you can upgrade to
2.5.4 with:

   SecCacheTransformations Off

2) Remove any default transformations in SecDefaultAction if other rules
are not depending on them.

Packages can be downloaded from modsecurity.org as always.

-B

-- 
Brian Rectanus
Breach Security
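
Added example (not part of the original announcement and not ModSecurity project code): a small Python check that reads a rule file and lists the rules matching the condition described above, i.e. a rule using t:none that follows a SecDefaultAction carrying a transformation while transformation caching is not switched off. The sample configuration is constructed, and the script assumes a single configuration context read top to bottom, with caching active unless SecCacheTransformations Off is present.

```python
import re
import shlex

# Constructed sample configuration (not taken from the announcement).
SAMPLE_CONF = r'''
SecRuleEngine On
SecDefaultAction "phase:2,log,deny,status:403,t:lowercase"
SecRule ARGS "select.+from" \
    "t:none,t:urlDecodeUni,msg:'SQL keyword'"
SecRule REQUEST_URI "/admin" "msg:'admin path'"
'''

def directives(text):
    """Yield (name, args) per directive, joining backslash-continued lines."""
    for line in re.sub(r'\\\r?\n', ' ', text).splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:      # unbalanced quotes: skip rather than guess
            continue
        yield tokens[0].lower(), tokens[1:]

def t_names(actions):
    """Lower-cased transformation names from an action list string."""
    return [t.lower() for t in re.findall(r'(?:^|,)\s*t:(\w+)', actions)]

def affected_rules(text):
    """Rules using t:none after a SecDefaultAction that sets a transformation."""
    parsed = list(directives(text))
    # Assumption: caching is active unless the config turns it off; the
    # last SecCacheTransformations directive in this one context wins.
    caching = True
    for name, args in parsed:
        if name == 'seccachetransformations' and args:
            caching = args[0].lower() != 'off'
    if not caching:
        return []
    default_t, hits = [], []
    for name, args in parsed:
        if name == 'secdefaultaction' and args:
            default_t = [t for t in t_names(args[0]) if t != 'none']
        elif name == 'secrule' and len(args) > 2:
            if default_t and 'none' in t_names(args[2]):
                hits.append((args[0], args[1], default_t))
    return hits
```

Each returned tuple holds the rule's variables, its operator and the default transformations it was written to override; an empty list means either workaround from the announcement is already in effect for that file.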
