v3.0.0-rc1

This is the first release candidate for ModSecurity version 3.

If you are not familiar with ModSecurity version 3, most likely this release is not what you are looking for. For the Apache module please refer to the v2.x releases.

There is no change log as this is the first release candidate. The goal was to mimic the version 2 most popular functionalities.

In order to use this library within your webserver, you need use a compatible connectors: ModSecurity-nginx, ModSecurity-apache.

Further information about this release can be found in our wiki: ModSecurity-version-3-RC1

v2.9.2

Bug fixes

• IIS build refactoring and dependencies update
  [Issue #1487 - @victorhora]
• Best practice: Initialize msre_var pointers
  [Commit fbd57 - Allan Boll]
• nginx: Obtain port from r->connection->local_sockaddr. As reported by Przemyslaw Duda the lack of this commit may lead to a DoS. This patch is now merged on all nginx trees. But we still recommend nginx users to move forward to version 3.
  [Commit 51314 - @defanator and Przemyslaw Duda]
• Updates libinjection to v3.10.0
  [Issue #1412 - @client9, @zimmerle and @bjdijk]
• Avoid log flood while using SecConnEngine
  [Issue #1436 - @victorhora]
• Make url path absolute for SecHashEngine only when it is relative in the first place.
  [Issue #752, #1071 - @hideaki]
• Fix the hex digit size for SHA1 on msc_crypt implementation.
  [Issue #1354 - @zimmerle and @parthasarathi204]
• Avoid to flush xml buffer while assembling the injected html.
  [Issue #742 - @zimmerle]
• Avoid additional operator invokation if last transform of a multimatch doesn't modify the input
  [Issue #1086, #1087 - Daniel Stelter-Gliese]
• Adds a sanity check before use ctl:ruleRemoveTargetByTag.
  [Issue #1353 - @LukeP21 and @zimmerle]
• Uses an optional global lock while manipulating collections.
  [Issues #1224 - @mturk and @zimmerle]
• Fix collection naming problem while merging collections.
  [Issue #1274 - Coty Sutherland and @zimmerle]
• Fix --enable-docs adding missing Makefile, modifying autoconf and filenames
  [Issue #1322 - @victorhora]
• Change from using rand() to thread-safe ap_random_pick.
  [Issue #1289 - Robert Bost]
• Cosmetics: added comments on odd looking code to prevent future scrutiny
  [Issue #1279 - Coty Sutherland]
• {dis|en}able-server-context-logging: Option to disable logging of server info (log producer, sanitized objects, ...) in audit log.
  [Issue #1069 - Marc Stern]
• Allow drop to work with mod_http2
  [Issue #1308, #992 - @bazzadp]
• Fix SecConn(Read|Write)StateLimit on Apache 2.4
  [Issue #1340, #1337, #786 - Sander Hoentjen]
• {dis|en}able-stopwatch-logging: Option to disable logging of stopwatches
  in audit log.
  [Issue #1067 - Marc Stern]
• {dis|en}able-dechunk-logging: Option to disable logging of dechunking in audit log when log level < 9.
  [Issue #1068 - Marc Stern]
• Updates libinjection to: da027ab52f9cf14401dd92e34e6683d183bdb3b4
  [ModSecurity team]
• {dis|en}able-handler-logging: Option to disable logging of Apache handler in audit log
  [Issue #1070, #1381 - Marc Stern]
• {dis|en}able-collection-delete-problem-logging: Option to disable logging of collection delete problem in audit log when log level < 9.
  [Issue #1380 - Marc Stern]
• Adds rule id in logs whenever a rule fail.
  [Issue #1379, #391 - Marc Stern]
• {dis|en}able-server-logging: Option to disable logging of "Server" in audit log when log level < 9.
  [Issue #1070 - Marc Stern]
• {dis|en}able-filename-logging: Option to disable logging of filename in audit log.
  [Issue #1065 - Marc Stern]
• Reads fuzzy hash databases on init
  [Issue #1339 - Robert Paprocki and @rendername]
• Changes the configuration to recognize soap+xml as XML
  [Issue #1374 - @emphazer and Chaim Sanders]
• Fix building with nginx >= 1.11.11
  [Issue #1373, #1359 - Andrei Belov and Thomas Deutschmann]
• Using Czechia instea of Czech Republic
  [Issue #1258 - Michael Kjeldsen]
• {dis|en}able-rule-id-validation: Option to disable rule id validation
  [Issue #1150 - Marc Stern and ModSecurity team]
• JSON Log: Append a newline to concurrent JSON audit logs
  [Issue #1233 - Robert Paprocki]
• JSON Log: Don't unnecessarily rename request body parts in cleanup
  [Issue #1223 - Robert Paprocki]
• Fix error message inside audit logs
  [Issue #1216 and #1073 - Armin Abfalterer]
• Remove port from IPV4 address when running under IIS.
  [Issue #1220, #1109 and #734 - Robert Culyer]
• Remove logdata and msg fields from JSON audit log rule.
  [Issue #1190 and #1174 - Robert Paprocki]
• Better handle the json parser cleanup
  [Issue #1204 - Ephraim Vider]
• Fix status failing to report in Nginx auditlogs
  [Issue #977, #1171 - @charlymps and Chaim Sanders]
• Fix file upload JSON audit log entry
  [Issue #1181 and #1173 - Robert Paprocki and Christian Folini]
• configure: Fix detection whether libcurl is linked against gnutls and, move verbose_output declaration up to the beginning.
  [Issue #1158 - Thomas Deutschmann (@Whissi)]
• Treat APR_INCOMPLETE as APR_EOF while receiving the request body.
  [Issue #1060, #334 - Alexey Sintsov]

Security Issues

• Allan Boll reported an uninitialize variable that may lead to a crash on Windows platform.
• Brian Adeloye reported an infinite loop on the version of libInjection used on ModSecurity 2.9.1.

v2.9.1

There are no changes between the version 2.9.1-RC1 and version 2.9.1.

Known issues

• Depending upon your Apache configuration you may have two "client" entries on the logs. The extended description of this issue can be found at: #840.

v2.9.1-rc1

New features

• Added support to generate audit logs in JSON format.
  
  [Issue #914, #897, #656 - Robert Paprocki]
• Extended Lua support to include version 5.3
  
  [Issue #837, #762, #814 - Athmane Madjoudj and ModSecurity team]
• mlogc: Allows user to choose between TLS versions (TLSProtocol option
  introduced).
  
  [Issue #881 - Ishwor Gurung]
• Allows mod_proxy's "nocanon" behavior to be specified in proxy actions.
  
  [Issue #1031, #961, #763 - Mario D. Santana and ModSecurity team]

Bug fixes

• Creating AuditLog serial file (or parallel index) respecting the
  permission configured with SecAuditLogFileMode. Previously, it was
  used only to save the transactions while in parallel mode.
  
  [Issue #852 - @littlecho and ModSecurity team]
• Checking for hashing injection response, to report in case of failure.
  
  [Issue #1041 - ModSecurity team]
• Stop buffering when the request is larger than SecRequestBodyLimit
  in ProcessPartial mode
  
  [Issue #709, #705, #728 - Justin Gerace and ModSecurity team]
• Refactoring conditional #if/#defs directives.
  
  [Issue #996 - Wesley M and ModSecurity team]
• mlogc-batch-load.pl.in: fix searching SecAuditLogStorageDir
  files with Apache 2.4
  
  [Issue #775 - Elia Pinto]
• Understands IIS 10 as compatible on Windows installer.
  
  [Issue #931 - Anton Serbulov, Pavel Vasilevich and ModSecurity team]
• Fix apache logging limitation by using correct Apache call.
  
  [Issue #840 - Christian Folini]
• Fix apr_crypto.h check on 32-bit Linux platform
  
  [Issue #882, #883 - Kurt Newman]
• Fix variable resolution duration (Content of the DURATION variable).
  
  [Issue #662 - Andrew Elble]
• Fix crash while adding empty keys to persistent collections.
  
  [Issue #927 - Eugene Alekseev, Marc Stern and ModSecurity team]
• Remove misguided call to srand()
  
  [Issues #778, #781 and #836 - Michael Bunk, @gilperon]
• Fix compilation problem while ssdeep is installed in non-standard
  location.
  
  [Issue #872 - Kurt Newman]
• Fix invalid storage reference by apr_psprintf at msc_crypt.c
  
  [Issue #609 - Jeff Trawick]

Known issues

• Instabilities of nginx add-on are still expected. Please use the "nginx
  refactoring" branch and stay tuned for the ModSecurity version 3.

Release 2.9.0

Bug fix

• Fix apr_crypto.h include, now checking if apr_crypto.h is available by checking the definition WITH_APU_CRYPTO. [martinjina and ModSecurity team]

Archives also available at:

• Apache/Nginx:
  • https://www.modsecurity.org/tarball/2.9.0/modsecurity-2.9.0.tar.gz
  • https://www.modsecurity.org/tarball/2.9.0/modsecurity-2.9.0.tar.gz.sha256
• IIS
  • https://www.modsecurity.org/tarball/2.9.0/ModSecurityIIS_2.9.0-32b.msi
  • https://www.modsecurity.org/tarball/2.9.0/ModSecurityIIS_2.9.0-32b.msi.sha256
  • https://www.modsecurity.org/tarball/2.9.0/ModSecurityIIS_2.9.0-64b.msi
  • https://www.modsecurity.org/tarball/2.9.0/ModSecurityIIS_2.9.0-64b.msi.sha256

v2.9.0-rc2

Bug fixes

• OpenSSL dependency was removed on MS Windows builds. ModSecurity is now using
  Curl with WinSSL.
  [Gregg Smith, Steffen and ModSecurity team]
• ModSecurity now informs about external resources loaded/failed while reloading Apache.
  [ModSecurity team]
• Adds missing 'ModSecurity:' prefix in some warnings messages.
  [Walter Hop and ModSecurity team]
• External resources download is now more verbose. Holding the message
  to be displayed when Apache is ready to write on the error_log.
  [ModSecurity team]
• Remote resources loading process is now failing in case of HTTP error.
  [Walter Hop and ModSecurity team]
• Fixed start up crash on Apache with mod_ssl configured. Crash was happening
  during the download of remote resources.
  [Christian Folini, Walter Hop and ModSecurity team]
• Curl is not a mandatory dependency to ModSecurity core anymore.
  [Rainer Jung and ModSecurity team]

Archives also available at:

• Apache/Nginx:
  • https://www.modsecurity.org/tarball/2.9.0-rc2/modsecurity-2.9.0-RC2.tar.gz
  • https://www.modsecurity.org/tarball/2.9.0-rc2/modsecurity-2.9.0-RC2.tar.gz.sha256
• IIS
  • https://www.modsecurity.org/tarball/2.9.0-rc2/ModSecurityIIS_2.9.0-RC2-32b.msi
  • https://www.modsecurity.org/tarball/2.9.0-rc2/ModSecurityIIS_2.9.0-RC2-32b.msi.sha256
  • https://www.modsecurity.org/tarball/2.9.0-rc2/ModSecurityIIS_2.9.0-RC2-64b.msi
  • https://www.modsecurity.org/tarball/2.9.0-rc2/ModSecurityIIS_2.9.0-RC2-64b.msi.sha256

v2.9.0-rc1

New features

• 'pmFromFile' and 'ipMatchFromFile' operators are now accepting HTTPS served files as parameter.
• 'SecRemoteRules' directive - allows you to specify a HTTPS served file that may contain rules in the SecRule format to be loaded into your ModSecurity instance.
• 'SecRemoteRulesFailAction' directive - allows you to control whenever the user wants to Abort or just Warn when there is a problem while downloading rules specified with the directive: `SecRemoteRules'.
• 'fuzzyHash' operator - allows to match contents using fuzzy hashes.
• 'FILES_TMP_CONTENT' collection - make available the content of uploaded files.
• InsecureNoCheckCert - option to validate or not a chain of SSL certificates on mlogc connections.

Bug fixes

• ModSecurityIIS: ModSecurity event ID was changed from 0 to 0x1. [Issue #676 - Kris Kater and ModSecurity team]
• Fixed signature on "status call": ModSecurity is now using the original server signature. [Issues #702 - Linas and ModSecurity team]
• YAJL version is printed while ModSecurity initialization. [Issue #703 - Steffen (Apache Lounge) and Mauro Faccenda]
• Fixed subnet representation using slash notation on the @ipMatch operator. [Issue #706 - Walter Hop and ModSecurity team]
• Limited the length of a status call. [Issue #714 - 'cpanelkurt' and ModSecurity team]
• Added the missing -P option to nginx regression tests. [Issue #720 - Paul Yang]
• Fixed automake scripts to do not use features which will be deprecated in the upcoming releases of automake [Issue #760 - ModSecurity team]
• apr-utils's LDFALGS is now considered while building ModSecurity. [Issue #782 - Daniel J. Luke]
• IIS installer is not considering IIS 6 as compatible anymore. [Issue #790 - ModSecurity team]
• Fixed yajl build script: now looking for the correct header file. [Issue #804 - 'rpfilomeno' and ModSecurity team]
• mlgoc is now forced to use TLS 1.x. [Issue #806 - Josh Amishav-Zlatin and ModSecurity team]

Archives also available at:

• Apache/Nginx:
  • https://www.modsecurity.org/tarball/2.9.0-rc1/modsecurity-2.9.0-RC1.tar.gz
  • https://www.modsecurity.org/tarball/2.9.0-rc1/modsecurity-2.9.0-RC1.tar.gz.sha256
• IIS
  • https://www.modsecurity.org/tarball/2.9.0-rc1/ModSecurityIIS_2.9.0-RC1-32b.msi
  • https://www.modsecurity.org/tarball/2.9.0-rc1/ModSecurityIIS_2.9.0-RC1-32b.msi.sha256
  • https://www.modsecurity.org/tarball/2.9.0-rc1/ModSecurityIIS_2.9.0-RC1-64b.msi
  • https://www.modsecurity.org/tarball/2.9.0-rc1/ModSecurityIIS_2.9.0-RC1-64b.msi.sha256

Release 2.8.0

Bug fix

• Build issue: Now using autotools to identify if sys/utsname.h is present.
• Changed configure.ac version to 2.8

Archives also available at:

• Apache/Nginx:
  • https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz
  • https://www.modsecurity.org/tarball/2.8.0/modsecurity-2.8.0.tar.gz.sha256
• IIS
  • https://www.modsecurity.org/tarball/2.8.0/ModSecurityIIS_2.8.0-32b.msi
  • https://www.modsecurity.org/tarball/2.8.0/ModSecurityIIS_2.8.0-32b.msi.sha256
  • https://www.modsecurity.org/tarball/2.8.0/ModSecurityIIS_2.8.0-64b.msi
  • https://www.modsecurity.org/tarball/2.8.0/ModSecurityIIS_2.8.0-64b.msi.sha256

v2.8.0-rc1

New features

• JSON Parser is no longer under tests. Now it is part of our mainline.
• Connection limits (SecConnReadStateLimit/SecConnWriteStateLimit) now support white and suspicious list.
• New variables: FULL_REQUEST and FULL_REQUEST_LENGTH were added, allowing the rules to access the full content of a request.
• ModSecurity status is now part of our mainline.
• New operator: @detectXSS was added. It makes usage of the newest libinjection XSS detection functionality.
• Append and prepend are now supported on nginx (Ref: #635);
• SecServerSignature is now available on nginx (Ref: #637);

Improvements 

• Regression tests are not able to expect different values according to the platform;
• Visual C++ 12/10 runtime dependencies are now part of the IIS installer, no need to have it installed prior ModSecurity installation (Ref: #627);
• New script was added to the IIS versions to identify whenever there is a missing dependency (available through the Application Menu);
• Memory usage improvement: using correct memory pools according to the context (Ref: #618, #620, #619);
• Independent API call to free the connection allocations, independently from the request objects, improvements on Nginx performance, vide issue for more information (Ref: #620, #648);
• IIS installer is now using the correct 32/64bits folders to install;
• IIS Installer 32bits now refuses to install on 64bits environments;
• IIS: Using new WiX options to build the package in the correct architecture;
• While installing IIS version the installer will remove old ModSecurityIIS configuration or files before proceed with the installation, avoiding further errors;
• CRS from IIS version was upgraded to 2.2.9;
• IIS installer does not support repair anymore, in fact it was not working already and it is now disabled;
• ModSecurity now warns the user who tries to use "proxy" in IIS or Nginx. Proxy is Apache only;
• Remove warnings from the build process (Ref: #617);
• Apache configuration in regression tests was changed making it more platform independent;
• Reduced the amount of warnings during the compilation (Ref: #385a2828e87897bd611bd2a519727ef88dc6d632, #1e63e49db4a592d28e08a33fc60750c37a3886fe);
• Regression tests were refactored to be more Nginx friendly;
• Fixed some regression tests that were not being flexible to handle multiple platforms: (Ref #636);
  • Fixed config/00-load-modsec.t test case. Now it expects for Nginx loaded message as it does for Apache. (Ref: #643);
  • Fixed mixed/10-misc-directives.t. Now it does not expect for SecServerSignature on the logs, just in the headers as the Nginx does in silence;
  • Fixed tnf/10-tfn-cache.t, action/10-logging.t, config/10-misc-directives.t, config/10-request-directives.t, misc/00-multipart-parser.t , misc/10-tfn-cache.t, rule/20-exceptions.t, rule/00-basics.t, rule/10-xml.t;
  • Increased the timeout while reading the auditlog;
  • SecAuditLogType Concurrent was removed from the regression test case, not compatible with all ports yet;
  • Regression tests were speeded up, as the number of tests are growing it is impossible to have it slow;
  • Fixed regression tests scripts paths, to make it MacOS friendly;
  • Avoiding dead locks on Nginx regression tests by enforcing a timeout whenever a request appears to fail; 
• Updates to fix errors found by Parfait static code analysis (Ref: #612);
• Cleaning up on the repository, by removing unused files;
• IIS installer now supports to perform the installation without register the DLL on the system. It means that the user can download our MSI installer as it was a tarball archive (Ref #629, #624);
• IIS now support 32bits and 64bits pools, both are registered on IIS (Ref #628).

Bug fix

• Correctly handling inet_pton in IIS version;
• Nginx was missing a terminator while the charset string was mounted (Ref: #148);
• Added mod_extract_forwarded.c to run before mod_security2.c (Ref: #594);
• Added missing environment variables to regression tests;
• Build system is now more flexible by looking at liblua at: /usr/local/lib;
• Fixed typo in README file.
• Removed the non standard compliant HTTP response status code 44 from modsecurity recommended file (Ref: #665);
• Fixed segmentation fault if it fails to write on the audit log (Ref: #668);
• Not rejecting a larger request with ProcessPartial. Regression tests were also added (Ref: #597);
• Fixed UF8 to unicode conversion. Regression tests were also added(Ref: #672);
• Avoiding segmentation fault by checking if a structure is null before access its members;
• Removed double charset-header that used happen due a hardcoded charset in Nginx implementation (Ref: #650);
• Now alerting the users that there is no memory to proceed loading the configuration instead of just die;
• If SecRuleEngine is set to Off and SecRequestBodyAccess On Nginx returns error 500. Standalone is now capable to identify whenever ModSecurity is enabled or disabled, independently of ModSecurity core (Ref: #645); 
• Fixed missing headers on Nginx whenever SecResponseBodyAccess was set to On and happens to be a filter on phase equals or over 3. (Ref #634);
• IIS is now picking the correct version of AppCmd while uninstalling or installing ModSecurityISS. (Ref #632).

Archives also available at:

• Apache/Nginx:
  • https://www.modsecurity.org/tarball/2.8.0-rc1/modsecurity-apache_2.8.0-RC1.tar.gz
  • https://www.modsecurity.org/tarball/2.8.0-rc1/modsecurity-apache_2.8.0-RC1.tar.gz.sha256
• IIS
  • https://www.modsecurity.org/tarball/2.8.0-rc1/ModSecurityIIS_2.8.0-RC1-32b.msi
  • https://www.modsecurity.org/tarball/2.8.0-rc1/ModSecurityIIS_2.8.0-RC1-32b.msi.sha256
  • https://www.modsecurity.org/tarball/2.8.0-rc1/ModSecurityIIS_2.8.0-RC1-64b.msi
  • https://www.modsecurity.org/tarball/2.8.0-rc1/ModSecurityIIS_2.8.0-RC1-64b.msi.sha256

Release 2.7.7

• Changed release version to 2.7.7;
• Got the configure scripts inside the release tarball;
• Tarball created outside Github respecting the names used in older versions and available under modsecurity.org avoiding to break packages' recipes.

Archives also available at:

• Apache/Nginx:
  • https://www.modsecurity.org/tarball/2.7.7/modsecurity-apache_2.7.7.tar.gz
  • https://www.modsecurity.org/tarball/2.7.7/modsecurity-apache_2.7.7.tar.gz.sha256
• IIS
  • https://www.modsecurity.org/tarball/2.7.7/ModSecurityIIS_2.7.7-32b.msi
  • https://www.modsecurity.org/tarball/2.7.7/ModSecurityIIS_2.7.7-32b.msi.sha256
  • https://www.modsecurity.org/tarball/2.7.7/ModSecurityIIS_2.7.7-64b.msi
  • https://www.modsecurity.org/tarball/2.7.7/ModSecurityIIS_2.7.7-64b.msi.sha256