8 May 21:44
Re: ModSecurity 2.5.4 Released
From: Brian Rectanus <Brian.Rectanus <at> breach.com>
Subject: Re: ModSecurity 2.5.4 Released
Newsgroups: gmane.comp.apache.mod-security.user
Date: 2008-05-08 19:44:29 GMT
Brian Rectanus wrote:
> Hello all,
>
> ModSecurity 2.5.4 was released. This fixes a problem with
> transformation caching in ModSecurity 2.5 through version 2.5.3.
>
> Transformation Caching Issue Details:
>
> If you are using a transformation in SecDefaultAction and t:none in a
> rule, then there is the potential for the rule to use the wrong cached
> value (the default transformation value), possibly resulting in a false
> negative (no match). The Core Rules v1.6 do not require a default
> transformation, but there is a potential for a false negative if a
> default transformation is defined. Upgrading to 2.5.4 is encouraged,
> however, workarounds are available until an upgrade is possible.
>
> Workarounds for Transformation Caching Issue in 2.5.0-2.5.3:
>
> 1) (recommended) Disable transformation caching until you can upgrade to
> 2.5.4 with:
>
> SecCacheTransformations Off
>
> 2) Remove any default transformations in SecDefaultAction if other rules
> are not depending on them.
>
> Packages can be downloaded from modsecurity.org as always.
>
> -B
>

I just wanted to clarify that the workarounds were *either* 1 *or* 2 and
both are not required.

thanks,
-B

--
Brian Rectanus
Breach Security
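An added example, not part of the original message or of the ModSecurity project: a small Python check that flags a configuration matching the pattern in the quoted announcement (a transformation in SecDefaultAction followed by a rule using t:none) unless one of the two workarounds is in place. The sample configuration is constructed, and the script assumes a single flat file with no Include handling and treats caching as on unless `SecCacheTransformations Off` appears.

```python
import re
import shlex

# Constructed sample configuration (not taken from the original message).
SAMPLE_CONF = r'''
SecDefaultAction "phase:2,log,deny,status:403,t:lowercase"
SecRule ARGS "select" "t:none,t:urlDecodeUni,msg:'constructed rule A'"
SecRule REQUEST_URI "admin" \
    "msg:'constructed rule B'"
'''

def logical_lines(text):
    """Join backslash-continued lines; skip blanks and comments."""
    for line in re.sub(r'\\\r?\n', ' ', text).splitlines():
        line = line.strip()
        if line and not line.startswith('#'):
            yield line

def transformations(actions):
    """Names of the t:xxx actions in a comma-separated action list."""
    return [t.lower() for t in re.findall(r'(?:^|,)\s*t:(\w+)', actions)]

def audit(text):
    """Report rules using t:none while a default transformation is active."""
    cache_off, default_t, exposed = False, [], []
    for line in logical_lines(text):
        tokens = shlex.split(line)
        name, args = tokens[0].lower(), tokens[1:]
        if name == 'seccachetransformations':
            # Workaround 1 from the announcement.
            cache_off = bool(args) and args[0].lower() == 'off'
        elif name == 'secdefaultaction' and args:
            # Workaround 2 leaves this list empty.
            default_t = [t for t in transformations(args[0]) if t != 'none']
        elif name == 'secrule' and len(args) >= 3 and default_t:
            if 'none' in transformations(args[2]):
                exposed.append(line)
    return {'cache_off': cache_off, 'exposed_rules': exposed,
            'affected': bool(exposed) and not cache_off}

if __name__ == '__main__':
    report = audit(SAMPLE_CONF)
    print('affected:', report['affected'])
    for rule in report['exposed_rules']:
        print('  t:none under default transformation:', rule)
```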