Announcing ModSecurity version 3.0.11

We are announcing the release of ModSecurity version 3.0.11 (libModSecurity). This version includes expirevar support as a new feature, and a mixture of enhancements and bug fixes.

Security impacting issue

• Add WRDE_NOCMD to wordexp call
  [Issue #3024 - @sahruldotid, @martinhsv]

Note: Although this issue ostensibly allows for specially-crafted SecRule content to execute OS command-line commands when the rules are loaded, this is unlikely to be a serious issue in most deployments. A malicious actor who has access to modify the ModSecurity configuration of an installation can cause severe effects in a multitude of other ways.

New feature

• Add support for expirevar action
  [Issue #1803 , #3001 - @martinhsv]

Enhancements and bug fixes

• Fix: validateDTD compile fails if libxml2 not installed
  [Issue #3014, - @zangobot, @martinhsv]
• Fix memory leak of validateDTD's dtd object
  [Issue #3008 - @martinhsv, @zimmerle]
• Fix memory leaks in ValidateSchema
  [Issue #3005 - @martinhsv, @zimmerle]
• Fix: lmdb regex match on non-null terminated string
  [Issue #2985 - @martinhsv]
• Fix memory leaks in lmdb code (new'd strings)
  [Issue #2983 - @martinhsv]
• Configure: add additional name to pcre2 pkg-config list
  [Issue #2939 - @agebhar1, @fzipi , @martinhsv]

Additional information on the release, including the source (and hashes/signatures), is available at: https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.11

The list of open issues is available on GitHub: https://github.com/SpiderLabs/ModSecurity/issues

Thanks to everybody who helped in this process: reporting issues, making comments and suggestions, sending patches, etc.