File modsecurity.changes of Package modsecurity
-------------------------------------------------------------------
Wed Mar 19 17:46:26 UTC 2025 - Andreas Stieger <andreas.stieger@gmx.de>
- update to 3.0.14:
* changed t:htmlEntityDecode transformation
CVE-2025-27110 boo#1238061
* add value checking to @validateByteRange operator
* aligned TIME_MON variable's behavior
* Leverage std::make_unique & std::make_shared to create objects in the heap
* Simplified handling of RuleMessage by removing usage of std::shared_ptr
* Simplified constructors, copy constructors & assignment operators
- new upstream
- add upstream signing key and validate source signature
- drop build dependencies no longer needed
- build with support for curl, MaxMindDB, ssdeep (libfuzzy), yail
- build with pcre2 instead of pcre
- correct upstream license, it is Apache-2.0
-------------------------------------------------------------------
Tue Dec 3 07:24:11 UTC 2024 - Flavio Castelli <fcastelli@suse.com>
- Update to version 3.0.13:
+ Added Windows port
+ Improved CI workflow
+ Removed unnecessary string copy operations, improved engine speed - several PR's
+ Fixed a bug in @pm operator
+ Extended the C/C++ API
-------------------------------------------------------------------
Thu Feb 15 15:58:32 UTC 2024 - Dominique Leuenberger <dimstar@opensuse.org>
- Update to version 3.0.12:
+ Change REQUEST_FILENAME and REQUEST_BASENAME behavior
WAF bypass of the ModSecurity v3 release line for path-based
payloads by submitting a specially crafted request URL
(CVE-2024-1019).
+ Enhancements and bug fixes
- Set the minimum security protocol version (TLSv1.2) for
SecRemoteRules.
-------------------------------------------------------------------
Mon Jan 29 14:22:50 UTC 2024 - Dirk Müller <dmueller@suse.com>
- update to 3.0.11:
* Add WRDE_NOCMD to wordexp call
* Fix: validateDTD compile fails if when libxml2 not
installed
* Fix memory leak of validateDTD's dtd object
* Fix memory leaks in ValidateSchema
* Add support for expirevar action
* Fix: lmdb regex match on non-null terminated string
* Fix memory leaks in lmdb code (new'd strings)
* Configure: add additional name to pcre2 pkg-config list
-------------------------------------------------------------------
Mon Sep 4 15:59:43 UTC 2023 - David Anes <david.anes@suse.com>
- Update to version 3.0.10:
* Security impacting issue (fix bsc#1213702, CVE-2023-38285)
- Fix: worst-case time in implementation of four transformations
- Additional information on this issue is available at
https://www.trustwave.com/resources/blogs/spiderlabs-blog/modsecurity-v3-dos-vulnerability-in-four-transformations-cve-2023-38285/
* Enhancements and bug fixes
- Add TX synonym for MSC_PCRE_LIMITS_EXCEEDED
- Make MULTIPART_PART_HEADERS accessible to lua
- Fix: Lua scripts cannot read whole collection at once
- Fix: quoted Include config with wildcard
- Support isolated PCRE match limits
- Fix: meta actions not applied if multiMatch in first rule of chain
- Fix: audit log may omit tags when multiMatch
- Exclude CRLF from MULTIPART_PART_HEADER value
- Configure: use AS_ECHO_N instead echo -n
- Adjust position of memset from 2890
-------------------------------------------------------------------
Tue May 9 11:30:26 UTC 2023 - Danilo Spinella <danilo.spinella@suse.com>
- Update to version 3.0.9:
* Add some member variable inits in Transaction class (possible segfault)
* Fix: possible segfault on reload if duplicate ip+CIDR in ip match list
* Resolve memory leak on reload (bison-generated variable)
* Support equals sign in XPath expressions
* Encode two special chars in error.log output
* Add JIT support for PCRE2
* Support comments in ipMatchFromFile file via '#' token
* Use name package name libmaxminddb with pkg-config
* Fix: FILES_TMP_CONTENT collection key should use part name
* Use AS_HELP_STRING instead of obsolete AC_HELP_STRING macro
* During configure, do not check for pcre if pcre2 specified
* Use pkg-config to find libxml2 first
* Fix two rule-reload memory leak issues
* Correct whitespace handling for Include directive
- Fix CVE-2023-28882, a segfault and a resultant crash of a worker process
in some configurations with certain inputs, bsc#1210993
-------------------------------------------------------------------
Fri Dec 16 14:21:07 UTC 2022 - Michael Ströder <michael@stroeder.com>
- Update to version 3.0.8
* Adjust parser activation rules in modsecurity.conf-recommended [#2796]
* Multipart parsing fixes and new MULTIPART_PART_HEADERS collection [#2795]
* Prevent LMDB related segfault [#2755, #2761]
* Fix msc_transaction_cleanup function comment typo [#2788]
* Fix: MULTIPART_INVALID_PART connected to wrong internal variable [#2785]
* Restore Unique_id to include random portion after timestamp [#2752, #2758]
-------------------------------------------------------------------
Sun Aug 14 12:34:25 UTC 2022 - Georg Pfuetzenreuter <georg.pfuetzenreuter@suse.com>
- Update to version 3.0.7
* Support PCRE2
* Support SecRequestBodyNoFilesLimit
* Add ctl:auditEngine action support
* Move PCRE2 match block from member variable
* Add SecArgumentsLimit, 200007 to modsecurity.conf-recommended
* Fix memory leak when concurrent log includes REMOTE_USER
* Fix LMDB initialization issues
* Fix initcol error message wording
* Tolerate other parameters after boundary in multipart C-T
* Add DebugLog message for bad pattern in rx operator
* Fix misuses of LMDB API
* Fix duplication typo in code comment
* Fix multiMatch msg, etc, population in audit log
* Fix some name handling for ARGS_*NAMES: regex SecRuleUpdateTargetById, etc.
* Adjust confusing variable name in setRequestBody method
* Multipart names/filenames may include single quote if double-quote enclosed
* Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended
-------------------------------------------------------------------
Fri Feb 25 12:15:57 UTC 2022 - Ferdinand Thiessen <rpm@fthiessen.de>
- Update to version 3.0.6
* Security issue: Support configurable limit on depth of JSON
parsing, possible DoS issue. CVE-2021-42717
- Update to version 3.0.5
* New: Having ARGS_NAMES, variables proxied
* Fix: FILES variable does not use multipart part name for key
* GeoIP: switch to GEOIP_MEMORY_CACHE from GEOIP_INDEX_CACHE
* Support configurable limit on number of arguments processed
* Adds support to lua 5.4
* Add support for new operator rxGlobal
* Fix: Replaces put with setenv in SetEnv action
* Fix: Regex key selection should not be case-sensitive
* Fix: Only delete Multipart tmp files after rules have run
* Fixed MatchedVar on chained rules
* Fix IP address logging in Section A
* Fix: rx: exit after full match (remove /g emulation); ensure
capture groups occuring after unused groups still populate TX vars
* Fix rule-update-target for non-regex
* Fix Security Impacting Issues:
* Handle URI received with uri-fragment, CVE-2020-15598
-------------------------------------------------------------------
Wed Jul 22 10:39:48 UTC 2020 - Dirk Mueller <dmueller@suse.com>
- add baselibs, fix packaging (install into %_libdir)
- update to 3.0.4:
- Fix: audit log data omitted when nolog,auditlog
- Fix: ModSecurity 3.x inspectFile operator does not pass
- XML: Remove error messages from stderr
- Filter comment or blank line for pmFromFile operator
- Additional adjustment to Cookie header parsing
- Restore chained rule part H logging to be more like 2.9 behaviour
- Small fixes in log messages to help debugging the file upload
- Fix Cookie header parsing issues
- Fix rules with nolog are logging to part H
- Fix argument key-value pair parsing cases
- Fix: audit log part for response body for JSON format to be E
- Make sure m_rulesMessages is filled after successfull match
- Fix @pm lookup for possible matches on offset zero.
- Regex lookup on the key name instead of COLLECTION:key
- Missing throw in Operator::instantiate
- Making block action execution dependent of the SecEngine status
- Making block action execution dependent of the SecEngine status
- Having body limits to respect the rule engine state
- Fix SecRuleUpdateTargetById does not match regular expressions
- Adds missing check for runtime ctl:ruleRemoveByTag
- Adds a new operator verifySVNR that checks for Austrian social
security numbers.
- Fix variables output in debug logs
- Correct typo validade in log output
- fix/minor: Error encoding hexa decimal.
- Limit more log variables to 200 characters.
- parser: fix parsed file names
- Allow empty anchored variable
- Fixed FILES_NAMES collection after the end of multipart parsing
- Fixed validateByteRange parsing method
- Removes a memory leak on the JSON parser
- Enables LMDB on the regression tests.
- Fix: Extra whitespace in some configuration directives causing error
- Refactoring on Regex and SMatch classes.
- Fixed buffer overflow in Utils::Md5::hexdigest()
- Implemented merge() method for ConfigInt, ConfigDouble, ConfigString
- Adds initially support to the drop action.
- Complete merging of particular rule properties
- Replaces AC_CHECK_FILE with 'test -f'
- Fix inet addr handling on 64 bit big endian systems
- Fix tests on FreeBSD
- Changes ENV test case to read the default MODSECURTIY env var
- Regression: Sets MODSECURITY env var during the tests execution
- Fix setenv action to strdup key=variable
- Allow 0 length JSON requests.
- Fix "make dist" target to include default configuration
- Replaced log locking using mutex with fcntl lock
- Correct the usage of modsecurity::Phases::NUMBER_OF_PHASES
- Adds support to multiple ranges in ctl:ruleRemoveById
- Rule variable interpolation broken
- Make the boundary check less strict as per RFC2046
- Fix buffer size for utf8toUnicode transformation
- Fix double macros bug
- Override the default status code if not suitable to redirect action
- parser: Fix the support for CRLF configuration files
- Organizes the server logs
- m_lineNumber in Rule not mapping with the correct line number in file
- Using shared_ptr instead of unique_ptr on rules exceptions
- Changes debuglogs schema to avoid unecessary str allocation
- Fix the SecUnicodeMapFile and SecUnicodeCodePage
- Changes the timing to save the rule message
- Fix crash in msc_rules_add_file() when using disruptive action in chain
- Fix memory leak in AuditLog::init()
- Fix RulesProperties::appendRules()
- Fix RULE lookup in chained rules
- @ipMatch "Could not add entry" on slash/32 notation in 2.9.0
- Using values after transformation at MATCHED_VARS
- Adds support to UpdateActionById.
- Add correct C function prototypes for msc_init and msc_create_rule_set
- Allow LuaJIT 2.1 to be used
- Match m_id JSON log with RuleMessage and v2 format
- Adds support to setenv action.
- Adds new transaction constructor that accepts the transaction id
as parameter.
- Adds request IDs and URIs to the debug log
- Treating variables exception on load-time instead of run time.
- Fix: function m.setvar in Lua scripts and add testcases
- Fix SecResponseBodyAccess and ctl:requestBodyAccess directives
- Fix OpenBSD build
- Fix parser to support GeoLookup with MaxMind
- parser: Fix simple quote setvar in the end of the line
- Fix pc file
- modsec_rules_check: uses the gnu `.la' instead of `.a' file
- good practices: Initialize variables before use it
- Fix utf-8 character encoding conversion
- Adds support for ctl:requestBodyProcessor=URLENCODED
- Add LUA compatibility for CentOS and try to use LuaJIT first if available
- Allow LuaJIT to be used
- Implement support for Lua 5.1
- Variable names must match fully, not partially. Match should be case
insensitive.
- Improves the performance while loading the rules
- Allow empty strings to be evaluated by regex::searchAll
- Adds basic pkg-config info
- Fixed LMDB collection errors
- Fixed false positive MULTIPART_UNMATCHED_BOUNDARY errors
- Fix ip tree lookup on netmask content
- Changes the behavior of the default sec actions
- Refactoring on {global,ip,resources,session,tx,user} collections
- Fix race condition in UniqueId::uniqueId()
- Fix memory leak in error message for msc_rules_merge C APIs
- Return false in SharedFiles::open() when an error happens
- Use rvalue reference in ModSecurity::serverLog
- Build System: Fix when multiple lines for curl version.
- Checks if response body inspection is enabled before process it
- Code Cleanup.
- Fix setvar parsing of quoted data
- Fix LDFLAGS for unit tests.
- Adds time stamp back to the audit logs
- Disables skip counter if debug log is disabled
- Cosmetics: Represents amount of skipped rules without decimal
- Add missing escapeSeqDecode, urlEncode and trimLeft/Right tfns to parser
- Fix STATUS var parsing and accept STATUS_LINE var for v2 backward comp.
- Fix memory leak in modsecurity::utils::expandEnv()
- Initialize m_dtd member in ValidateDTD class as NULL
- Fix broken @detectxss operator regression test case
- Fix utils::string::ssplit() to handle delimiter in the end of string
- Fix variable FILES_TMPNAMES
- Fix memory leak in Collections
- Fix lib version information while generating the .so file
- Adds support for ctl:ruleRemoveByTag
- Fix SecUploadDir configuration merge
- Include all prerequisites for "make check" into dist archive
- Fix: Reverse logic of checking output in @inspectFile
- Adds support to libMaxMind
- Adds capture action to detectXSS
- Temporarily accept invalid MULTIPART_SEMICOLON_MISSING operator
- Adds capture action to detectSQLi
- Adds capture action to rbl
- Adds capture action to verifyCC
- Adds capture action to verifySSN
- Adds capture action to verifyCPF
- Prettier error messages for unsupported configurations (UX)
- Add missing verify*** transformation statements to parser
- Fix a set of compilation warnings
- Check for disruptive action on SecDefaultAction.
- Fix block-block infinite loop.
- Correction remove_by_tag and remove_by_msg logic.
- Fix LMDB compile error
- Fix msc_who_am_i() to return pointer to a valid C string
- Added some cosmetics to autoconf related code
- Fix "make dist" target to include necessary headers for Lua
- Fix "include /foo/*.conf" for single matched object in directory
- Add missing Base64 transformation statements to parser
- Fixed resource load on ip match from file
- Fixed examples compilation while using disable-shared
- Fixed compilation issue while xml is disabled
- Having LDADD and LDFLAGS organized on Makefile.am
- Checking std::deque size before use it
- perf improvement: Added the concept of RunTimeString and removed
all run time parser.
- perf improvement: Checks debuglog level before format debug msg
- perf. improvement/rx: Only compute dynamic regex in case of macro
- Fix uri on the benchmark utility
- disable Lua on systems with liblua5.1
-------------------------------------------------------------------
Sat Jul 14 09:58:58 UTC 2018 - jengelh@inai.de
- Remove rhetoric part from descriptions.
-------------------------------------------------------------------
Mon Jul 9 09:09:58 UTC 2018 - mrostecki@suse.com
- Remove libltdl7 from build dependencies
-------------------------------------------------------------------
Mon Jul 2 12:30:53 UTC 2018 - mrostecki@suse.com
- Make use of %license macro
- Make use of %{version} variable
- Sort dependencies alphabetically
-------------------------------------------------------------------
Mon Mar 19 10:37:58 UTC 2018 - mrostecki@suse.com
- Initial release
