github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2026-01-01 14:15:46 +03:00
Code Issues Packages Projects Releases Wiki Activity

merge upstream & update configs

Browse Source
This commit is contained in:
Mihai Pitu
2013-08-23 13:54:30 +03:00
parent 107ff9af8f
commit 9651da3d4c
192 changed files with 14497 additions and 439 deletions
Download Patch File Download Diff File Expand all files Collapse all files

57
CHANGES
View File

@@ -1,3 +1,56 @@
23 Jul 2013 - 2.7.5
-------------------
Improvements:
* SecUnicodeCodePage is deprecated. SecUnicodeMapFile now accepts the code page as a second parameter.
* Updated Libinjection to version 3.4.1. Many improvements were made.
* Severity action now supports strings (emergency, alert, critical, error, warning, notice, info, debug).
Bug Fixes:
* Fixed utf8toUnicode tfn null byte conversion.
* Fixed NGINX crash when issue reload command.
* Fixed flush output buffer before inject modified hashed response body.
* Fixed url normalization for Hash Engine.
* Fixed NGINX ap_unixd_set_global_perms_mutex compilation error with apache 2.4 devel files.
Security Issues:
10 May 2013 - 2.7.4
-------------------
Improvements:
* Added Libinjection project http://www.client9.com/projects/libinjection/ as a new operator @detectSQLi. (Thanks Nick Galbreath).
* Added new variable SDBM_DELETE_ERROR that will be set to 1 when sdbm engine fails to delete entries.
* NGINX is now set to STABLE. Thanks chaizhenhua and all the people in community who help the project testing, sending feedback and patches.
Bug Fixes:
* Fixed SecRulePerfTime storing unnecessary rules performance times.
* Fixed Possible SDBM deadlock condition.
* Fixed Possible @rsub memory leak.
* Fixed REMOTE_ADDR content will receive the client ip address when mod_remoteip.c is present.
* Fixed NGINX Audit engine in Concurrent mode was overwriting existing alert files because a issue with UNIQUE_ID.
* Fixed CPU 100% issue in NGINX port. This is also related to an memory leak when loading response body.
Security Issues:
* Fixed Remote Null Pointer DeReference (CVE-2013-2765). When forceRequestBodyVariable action is triggered and a unknown Content-Type is used,
mod_security will crash trying to manipulate msr->msc_reqbody_chunks->elts however msr->msc_reqbody_chunks is NULL. (Thanks Younes JAAIDI).
28 Mar 2013 - 2.7.3
-------------------
@@ -32,7 +85,7 @@
* SECURITY: Added SecXmlExternalEntity (On|Off - default it Off) that will disable
by default the external entity load task executed by LibXml2. This is a security issue
reported by Timur Yunusov, Alexey Osipov (Positive Technologies).
[CVE-2013-1915] reported by Timur Yunusov, Alexey Osipov (Positive Technologies).
21 Jan 2013 - 2.7.2
-------------------
@@ -130,7 +183,7 @@
support Include directive like Apache2.
* Added MULTIPART_INVALID_PART flag. Also used in rule id 200002 for multipart strict
validation.
validation. https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20121017-0_mod_security_ruleset_bypass.txt).
* Updated Reference Manual.