We are happy to announce ModSecurity version 2.9.4!
Version 2.9.4 does not include any new features but fixes and enhancements. Users from 2.9.4 can count on an expanded list of countries on the GeoIP operations, including BL BQ CW MF SS SX. Also, the timestamp on log entries was extended to support microseconds. We have decided to remove the Core Ruleset(CRS) from the Windows(TM) Installer, giving users the freedom to update and manage their rules with more flexibility. If you are an Apache user, this is the version you are looking forward to running on your server. Family 2.x is the recommendation for Apache users; 3.x is the recommendation for Nginx users.
Enhancements
Bug fixes
- Store temporaries in the request pool for regexes compiled per-request.
- [Issue #890, #2049 - @lightsey]
- Fix other usage of the global pool for request temporaries in re_operators.c
- [Issue #890, #2049 - @lightsey]
- Adds a sanity check before use ctl:ruleRemoveTargetById and ctl:ruleRemoveTargetByMsg.
- [Issue #2033 - @studersi]
- Fix the order of error_msg validation
- [Issue #2128 - @marcstern, @zimmerle]
- When the input filter finishes, check whether we returned data
- [Issue #2091, #2092 - @rainerjung]
- fix: care non-null terminated chunk data
- [Issue #2097 - @orisano]
- Fix for apr_global_mutex_create() crashes with mod_security
- [Issue #1957 - @blappm]
- Fix inet addr handling on 64 bit big endian systems
- [Issue #1980 - @zimmerle, @airween]
Notes
- Windows installer no longer includes OWASP CRS.
The complete list of changes is available on our changelogs:
- https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.4
The source and binaries (and the respective hashes/signatures) are
available at:
- https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.4
The list of open issues is available on GitHub:
- https://github.com/SpiderLabs/ModSecurity/labels/2.x
Thanks to everybody who helped in this process: reporting issues, making comments and suggestions, sending patches, and participating in the community ;)