v3.0.13

Major changes in v3:

• added Windows port
• improved CI workflow
• removed unnecessary string copy operations, improved engine speed - several PR's
• fixed a bug in @pm operator
• extended the C/C++ API

For more information please see CHANGES.

v2.9.8

Major changes in v2:

• added a CI workflow
• changed error log format
• added a new MULTIPART HEADER check
• fixed many potential memory leaks and other potential memory handling problems

For more information please see CHANGES.

v3.0.12

Security impacting issue

• Change REQUEST_FILENAME and REQUEST_BASENAME behavior
  [Issue #3048 - @martinhsv, @theMiddleBlue, @theseion, @M4tteoP, @airween]
  WAF bypass of the ModSecurity v3 release line for path-based payloads by submitting a specially crafted request URL. For details, see CVE 2024-1019.

Enhancements and bug fixes

• Set the minimum security protocol version (TLSv1.2) for SecRemoteRules
  [Issue security/code-scanning/2 - @airween]

v3.0.11

Security impacting issue

• Add WRDE_NOCMD to wordexp call
  [Issue #3024 - @sahruldotid, @martinhsv ]
  Note: Although this issue ostensibly allows for specially-crafted SecRule content to execute OS command-line commands when the rules are loaded, this is unlikely to be a serious issue in most deployments. A malicious actor who has access to modify the ModSecurity configuration of an installation can cause severe effects in a multitude of other ways.

New feature

• Add support for expirevar action
  [Issue #1803, #3001 - @martinhsv]

Enhancements and bug fixes

• Fix: validateDTD compile fails if libxml2 not installed
  [Issue #3014 - @zangobot, @martinhsv]
• Fix memory leak of validateDTD's dtd object
  [Issue #3008 - @martinhsv, @zimmerle ]
• Fix memory leaks in ValidateSchema
  [Issue #3005 - @martinhsv, @zimmerle]
• Fix: lmdb regex match on non-null terminated string
  [Issue #2985 - @martinhsv]
• Fix memory leaks in lmdb code (new'd strings)
  [Issue #2983 - @martinhsv]
• Configure: add additional name to pcre2 pkg-config list
  [Issue #2939 - @agebhar1, @fzipi, @martinhsv]

v3.0.10

Security impacting issue

• Fix: worst-case time in implementation of four transformations
  [Issue #2934 - @martinhsv]
  Additional information on this issue is available at https://www.trustwave.com/resources/blogs/spiderlabs-blog/modsecurity-v3-dos-vulnerability-in-four-transformations-cve-2023-38285/

Enhancements and bug fixes

• Add TX synonym for MSC_PCRE_LIMITS_EXCEEDED
  [Issue #2901 - @airween]
• Make MULTIPART_PART_HEADERS accessible to lua
  [Issue #2916 - @martinhsv]
• Fix: Lua scripts cannot read whole collection at once
  [Issue #2900 - @udi-aharon, @airween, @martinhsv]
• Fix: quoted Include config with wildcard
  [Issue #2905 - @wiseelf, @airween, @martinhsv]
• Support isolated PCRE match limits
  [Issue #2736 - @brandonpayton, @martinhsv]
• Fix: meta actions not applied if multiMatch in first rule of chain
  [Issue #2867, #2868 - @mlevogiannis, @martinhsv]
• Fix: audit log may omit tags when multiMatch
  [Issue #2866 - @mlevogiannis]
• Exclude CRLF from MULTIPART_PART_HEADER value
  [Issue #2870 - @airween, @martinhsv]
• Configure: use AS_ECHO_N instead echo -n
  [Issue #2894 - @liudongmiao, @martinhsv]
• Adjust position of memset from 2890
  [Issue #2891 -@mirkodziadzka-avi, @martinhsv]

v3.0.9

Security issue

• Add some member variable inits in Transaction class (possible segfault)
  [Issue #2886 - @GNU-Plus-Windows-User, @airween, @mdounin, @martinhsv]

Enhancements and bug fixes

• Fix: possible segfault on reload if duplicate ip+CIDR in ip match list
  [Issue #2877, #2890 - @tomsommer, @martinhsv]
• Resolve memory leak on reload (bison-generated variable)
  [Issue #2876 - @martinhsv]
• Support equals sign in XPath expressions
  [Issue #2328 - @dennus, @martinhsv]
• Encode two special chars in error.log output
  [Issue #2854 - @airween, @martinhsv]
• Add JIT support for PCRE2
  [Issue #2791 - @wfjsw, @airween, @FireBurn, @martinhsv]
• Support comments in ipMatchFromFile file via '#' token
  [Issue #2554 - @tomsommer, @martinhsv]
• Use name package name libmaxminddb with pkg-config
  [Issue #2595, #2596 - @frankvanbever, @ffontaine, @arnout]
• Fix: FILES_TMP_CONTENT collection key should use part name
  [Issue #2831 - @airween]
• Use AS_HELP_STRING instead of obsolete AC_HELP_STRING macro
  [Issue #2806 - @hughmcmaster]
• During configure, do not check for pcre if pcre2 specified
  [Issue #2750 - @dvershinin, @martinhsv]
• Use pkg-config to find libxml2 first
  [Issue #2714 - @hughmcmaster]
• Fix two rule-reload memory leak issues
  [Issue #2801 - @Abce, @martinhsv]
• Correct whitespace handling for Include directive
  [Issue #2800 - @877509395, @martinhsv]

v2.9.7

Security impacting issues

• Fix: FILES_TMP_CONTENT may sometimes lack complete content
  [Issue #2857 - gieltje, @airween, @dune73, @martinhsv]

New features

• Support configurable limit on number of arguments processed
  [Issue #2844 - @jleproust, @martinhsv]
• Support for PCRE2
  [Issue #2840, #2833, #2737, #2827 - @martinhsv]

Bug fixes and enhancements

• Silence compiler warning about discarded const
  [Issue #2843 - @Steve8291, @martinhsv]
• Use uid for user if apr_uid_name_get() fails
  [Issue #2046 - @arminabf, @marcstern]
• Fix: handle error with SecConnReadStateLimit configuration
  [Issue #2815, #2834 - @marcstern, @martinhsv]]
• Adjustment of previous fix for log messages
  [Issue #2832 - @marcstern, @erkia]
• Mark apache error log messages as from mod_security2
  [Issue #2781 - @erkia]
• Use pkg-config to find libxml2 first
  [Issue #2818 - @hughmcmaster]

v3.0.8

Note: additional information on the release and some of the key changes will be published separately in short order.

New features and security impacting issues

• Adjust parser activation rules in modsecurity.conf-recommended
  [Issue #2796 - @terjanq, @martinhsv]
• Multipart parsing fixes and new MULTIPART_PART_HEADERS collection
  [Issue #2795 - @terjanq, @martinhsv]

Bug fixes

• Prevent LMDB related segfault
  [Issue #2755, #2761 - @dvershinin]
• Fix msc_transaction_cleanup function comment typo
  [Issue #2788 - @lookat23]
• Fix: MULTIPART_INVALID_PART connected to wrong internal variable
  [Issue #2785 - @martinhsv]
• Restore Unique_id to include random portion after timestamp
  [Issue #2752, #2758 - @datkps11, @martinhsv]

v2.9.6

Note: additional information on the release and some of the key changes will be published separately in short order.

New features and security impacting issues

• Adjust parser activation rules in modsecurity.conf-recommended
  [Issue #2799 - @terjanq, @martinhsv]
• Multipart parsing fixes and new MULTIPART_PART_HEADERS collection
  [Issue #2797 - @terjanq, @martinhsv]

Bug fixes

• Limit rsub null termination to where necessary
  [Issue #2794 - @marcstern, @martinhsv]
• IIS: Update dependencies for next planned release
  [@martinhsv]
• XML parser cleanup: NULL duplicate pointer
  [Issue #2760 - @martinhsv]
• Properly cleanup XML parser contexts upon completion
  [Issue #2239 - @argenet]
• Fix memory leak in streams
  [Issue #2208 - @marcstern, @vloup, @JamesColeman-LW]
• Fix: negative usec on log line when data type long is 32b
  [Issue #2753 - @ABrauer-CPT, @martinhsv]
• mlogc log-line parsing fails due to enhanced timestamp
  [Issue #2682 - @bozhinov, @ABrauer-CPT, @martinhsv]
• Allow no-key, single-value JSON body
  [Issue #2735 - @marcstern, @martinhsv]
• Set SecStatusEngine Off in modsecurity.conf-recommended
  [Issue #2717 - @un99known99, @martinhsv]
• Fix memory leak that occurs on JSON parsing error
  [Issue #2236 @argenet, @vloup, @martinhsv]
• Multipart names/filenames may include single quote if double-quote enclosed
  [Issue #2352 @martinhsv]
• Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended
  [Issue #2647 @theMiddleBlue, @airween, @877509395 ,@martinhsv]

v3.0.7

New features

• Support PCRE2
  [Issue #2668 - @martinhsv]
• Support SecRequestBodyNoFilesLimit
  [Issue #2670 - @airween, @martinhsv]
• Add ctl:auditEngine action support
  [Issue #2606 - @alekravch, @martinhsv]

Bug fixes

• Move PCRE2 match block from member variable
  [@martinhsv]
• Add SecArgumentsLimit, 200007 to modsecurity.conf-recommended
  [Issue #2738 - @jleproust, @martinhsv]
• Fix memory leak when concurrent log includes REMOTE_USER
  [Issue #2727 - @liudongmiao]
• Fix LMDB initialization issues
  [Issue #2688 - @ziollek @martinhsv]
• Fix initcol error message wording
  [Issue #2732 - @877509395, @martinhsv]
• Tolerate other parameters after boundary in multipart C-T
  [Issue #1900 - @martinhsv]
• Add DebugLog message for bad pattern in rx operator
  [Issue #2723 - @martinhsv]
• Fix misuses of LMDB API
  [Issue #2601, #2602 - @hyc]
• Fix duplication typo in code comment
  [Issue #2677 - @gleydsonsoares]
• Fix multiMatch msg, etc, population in audit log
  [Issue #2573 - @Sachin-M-Desai , @martinhsv]
• Fix some name handling for ARGS_*NAMES: regex SecRuleUpdateTargetById, etc.
  [Issue #2627, #2648 - @lontchianicet , @victorserbu2709 , @martinhsv]
• Adjust confusing variable name in setRequestBody method
  [Issue #2635 - @Mesar-Ali , @martinhsv]
• Multipart names/filenames may include single quote if double-quote enclosed
  [Issue #2352 - @martinhsv]
• Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended
  [Issue #2647 - @theMiddleBlue , @airween , @877509395 , @martinhsv]