ModSecurity 2.5.12 Released
Brian Rectanus <Brian.Rectanus <at> breach.com>
2010-02-06 01:25:59 GMT
Hello all,

ModSecurity 2.5.12 has been released. This release fixes several important issues to help prevent a detection bypass and denial of service attacks against ModSecurity. Many thanks to the Sogeti/ESEC R&D team for sending us the results of their code review. In addition, this release fixes quite a few small but notable bugs and includes the latest Core Ruleset (v2.0.5).

It is highly recommended that you upgrade to ModSecurity 2.5.12, but there are some changes you need to watch out for.

Notable changes which may impact an upgrade:

* PCRE match limits are substantially lowered by default. If you have custom rules that are resulting in "PCRE limits exceeded", then you may have to adjust SecPcreMatchLimit* directives or modify your regex. You can also revert to the default by building with "--disable-pcre-match-limit" and "--disable-pcre-match-limit-recursion" configure options (not recommended, though).

* PCRE "studying" is now on by default (use the --disable-pcre-study configure option to turn it off). This allows for extra checks when compiling a regex for optimization. Normally this is a good thing, but it may slow down a restart/reload on large rulesets.

* A new form of processing flags has been introduced. ModSecurity processing flags may indicate an issue or inconsistency when processing a transaction. These flags have been placed in the TX collection so that they maintain backwards compatibility. Each of these flags is prefixed with "MSC_". If you are using this prefix, then you may have false positives and will need to change to another prefix. Currently there is just one flag, TX:MSC_PCRE_LIMITS_EXCEEDED, being used. See the documentation on the TX and SecPcreMatchLimit* directives for more information.

* ModSecurity will now (by default) not process more than 100 file uploads. This can be overridden via SecUploadFileLimit. You are encouraged to *lower* the limit if you do not allow mass uploads of files on your site.

* The @pmFromFile operator will now trim whitespace from both sides of the phrase (line) when reading in the list of phrases. If you have used whitespace as a left or right boundary in custom rules, then you will need to replace the boundary with a non-whitespace character.

As always, downloads are available from modsecurity.org.

CHANGES:

04 Feb 2010 - 2.5.12
--------------------
* Fixed SecUploadFileMode to set the correct mode.
* Fixed nolog,auditlog/noauditlog/nolog controls for disruptive actions.
* Added additional file info definitions introduced in APR 0.9.5 so that build will work with older APRs (IBM HTTP Server v6).
* Added SecUploadFileLimit to limit the number of uploaded file parts that will be processed in a multipart POST. The default is 100.
* Fixed path normalization to better handle backreferences that extend above root directories. Reported by Sogeti/ESEC R&D.
* Trim whitespace around phrases used with @pmFromFile and allow for both LF and CRLF terminated lines.
* Allow for more robust parsing for multipart header folding. Reported by Sogeti/ESEC R&D.
* Fixed failure to match internally set TX variables with regex (TX:/.../) syntax.
* Fixed failure to log full internal TX variable names and populate MATCHED_VAR* vars.
* Enabled PCRE "studying" by default. This is now a configure-time option.
* Added PCRE match limits (SecPcreMatchLimit/SecPcreMatchLimitRecursion) to aid in REDoS type attacks. A rule that goes over the limits will set TX:MSC_PCRE_LIMITS_EXCEEDED. It is intended that the next major release of ModSecurity (2.6.x) will move these flags to a dedicated collection.
* Reduced default PCRE match limits reducing impact of REDoS on poorly written regex rules. Reported by Sogeti/ESEC R&D.
* Fixed memory leak in v1 cookie parser. Reported by Sogeti/ESEC R&D.
* Now support macro expansion in numeric operators (@eq, @ge, @lt, etc.)
* Update copyright to 2010.
* Reserved 700,000-799,999 IDs for Ivan Ristic.
* Fixed SecAction not working when CONNECT request method is used (MODSEC-110). [Ivan Ristic]
* Do not escape quotes in macro resolution and only escape NUL in setenv values.

-- 
Brian Rectanus
Breach Security

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
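The upgrade notes above name four things an administrator has to touch after moving to 2.5.12: the PCRE match limits, the new TX:MSC_PCRE_LIMITS_EXCEEDED flag, SecUploadFileLimit, and the changed whitespace handling of @pmFromFile. The fragment below is an added illustration of how those fit together in a configuration; it is not from the announcement, the Core Ruleset or the ModSecurity project. The limit values, the rule ids (900998, 900999), the phrase-file path and the phrase-file contents are assumptions chosen for the example.

```apache
# Added illustration (not from the announcement or the ModSecurity project).

# ReDoS protection. 2.5.12 lowers the compiled-in PCRE match limits; setting
# them explicitly makes the values visible in the config instead of depending
# on the configure options used at build time. The numbers are illustrative;
# raise them only for a rule you have confirmed legitimately needs more.
SecPcreMatchLimit          1000
SecPcreMatchLimitRecursion 1000

# Multipart upload cap. The new default is 100 file parts; a site that only
# accepts a single file per form can go much lower (value is an assumption).
SecUploadFileLimit 10

# React to the new processing flag. A rule whose regex exceeds the limits
# sets TX:MSC_PCRE_LIMITS_EXCEEDED (a TX variable for backwards
# compatibility). Checking it lets you block or at least log the request
# rather than letting the failed match go unnoticed. This rule must sit
# after the rules it monitors, since the flag is set when they run.
# Rule id 900999 is a placeholder for this example.
SecRule TX:MSC_PCRE_LIMITS_EXCEEDED "@eq 1" \
    "phase:2,id:900999,t:none,log,deny,status:403,\
     msg:'PCRE match limits exceeded, possible ReDoS or bypass attempt'"

# @pmFromFile now trims each phrase and accepts LF or CRLF line endings.
# A phrase-file line written as " admin " (leading/trailing spaces used as
# a boundary) is read as "admin" in 2.5.12 and will match anywhere in the
# input. Use a non-whitespace boundary in the phrase instead, e.g.:
#
#   /etc/modsecurity/blocked_paths.txt   (constructed example file)
#     /admin/
#     /phpmyadmin/
#     /.svn/
#
# Path and rule id 900998 are assumptions for this example.
SecRule REQUEST_URI "@pmFromFile /etc/modsecurity/blocked_paths.txt" \
    "phase:1,id:900998,t:none,t:lowercase,t:normalisePath,log,deny,status:403,\
     msg:'Request to blocked path'"
```

The flag check is the piece most easily forgotten: lowering the limits without a rule that inspects TX:MSC_PCRE_LIMITS_EXCEEDED turns an exceeded limit into a silently non-matching rule. Reload the configuration and test with a request that hits one of the phrases, and with a deliberately long input against a rule you know is expensive, to confirm both rules fire as expected before relying on them.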