We are announcing the release of ModSecurity version 2.9.7. This version contains a mixture of new features, enhancements, and bug fixes.
Security impacting issues
In certain cases, the FILES_TMP_CONTENT variable may not contain the entire file content. This could mean a rule failing to detect malicious content that it ordinarily would – possibly because a malicious actor specially crafted the file input with the goal of bypassing detection. If you use this variable you should strongly consider upgrading to the fixed version.
New Features
A new configuration item called SecArgumentsLimit will limit the number of items added to the ARGS collection and set the REQBODY_ERROR variable when the limit is breached. There is a software default of 1000. If you expect to have legitimate requests that exceed that limit, you should specify a higher limit in your modsecurity.conf file.
Support for PCRE2 is now available in ModSecurity v2. Legacy PCRE is still the default; to use PCRE2, you must specify '--with-pcre2' during the configure step.
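For the SecArgumentsLimit item above, a configuration sketch added here as an example (not taken from the release itself): it sets a higher limit and pairs it with a rule that rejects the request once REQBODY_ERROR is set, because the variable only has an effect if a rule tests it. The limit value 2000 and the rule id 900100 are placeholders chosen for illustration; if your modsecurity.conf already contains a REQBODY_ERROR check, that rule covers this case and a second one is not needed.

```apache
# Added example; the limit value and rule id below are placeholders.

# Raise the ARGS limit above the software default of 1000 only when
# legitimate requests are known to carry more arguments than that.
SecArgumentsLimit 2000

# Breaching the limit sets REQBODY_ERROR. Without a rule that tests the
# variable, the request is still processed, so deny it in phase 2.
SecRule REQBODY_ERROR "!@eq 0" \
    "id:900100,\
    phase:2,\
    t:none,\
    log,\
    deny,\
    status:400,\
    msg:'Request body error (parse failure or argument limit exceeded)',\
    logdata:'%{REQBODY_ERROR_MSG}',\
    severity:2"
```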
Bug fixes and enhancements
Additional information on the release, including the source and binaries (and hashes/signatures), is available at: https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.7
The list of open issues is available on GitHub: https://github.com/SpiderLabs/ModSecurity/issues
Thanks to everybody who helped in this process: reporting issues, making comments and suggestions, sending patches, etc.