We are announcing the release of ModSecurity version 3.0.10 (libModSecurity). This version contains a mixture of enhancements and bug fixes.
Security impacting issue
Fix: worst-case time in implementation of four transformations
[Issue #2934 - @martinhsv]
Poor worst-case performance in the transformations removeWhitespace, removeNulls, replaceNulls and removeCommentsChar could enable malicious individuals to cause some DoS effects by supplying inputs that trigger the slow path. This item has been assigned CVE-2023-38285. Additional information should be available shortly at https://www.trustwave.com/resources/blogs/spiderlabs-blog/.
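As an added illustration (not libModSecurity's code, and not a description of the defect that was fixed, which this note does not detail), the following C++ shows the single-pass, linear-time form that transformations like these should take: each walks the input once and appends to an output buffer, so the cost stays proportional to the input length even when the input is made almost entirely of characters the transformation has to drop. The comment-marker set for removeCommentsChar ("/*", "*/", "--", "#") follows the ModSecurity reference manual; the helper constructedWhitespaceHeavyInput is a constructed sample input, not anything from the project.

```cpp
#include <cstddef>
#include <string>

// Added illustration (not libModSecurity's code): single-pass,
// linear-time versions of the four transformations named in the
// release note. Each scans the input once and appends survivors
// to a fresh buffer, so the work is O(n) for any input layout.
// By contrast, a loop that calls string::erase on the input while
// scanning pays O(n) per erase, which becomes O(n^2) on an input
// consisting mostly of characters to remove. That is the general
// shape of a worst-case time problem; it is not a claim about
// what the fixed code did.

static bool isWhitespace(unsigned char c) {
    return c == ' ' || c == '\t' || c == '\n' || c == '\r' ||
           c == '\v' || c == '\f';
}

// removeWhitespace: drop every whitespace byte.
std::string removeWhitespace(const std::string &in) {
    std::string out;
    out.reserve(in.size());
    for (unsigned char c : in) {
        if (!isWhitespace(c)) out.push_back(static_cast<char>(c));
    }
    return out;
}

// removeNulls: drop every NUL byte.
std::string removeNulls(const std::string &in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        if (c != '\0') out.push_back(c);
    }
    return out;
}

// replaceNulls: rewrite every NUL byte as a space, in place on a copy.
std::string replaceNulls(const std::string &in) {
    std::string out(in);
    for (char &c : out) {
        if (c == '\0') c = ' ';
    }
    return out;
}

// removeCommentsChar: strip the markers "/*", "*/", "--" and "#",
// keeping the text around them.
std::string removeCommentsChar(const std::string &in) {
    std::string out;
    out.reserve(in.size());
    std::size_t i = 0;
    while (i < in.size()) {
        if (i + 1 < in.size()) {
            if ((in[i] == '/' && in[i + 1] == '*') ||
                (in[i] == '*' && in[i + 1] == '/') ||
                (in[i] == '-' && in[i + 1] == '-')) {
                i += 2;
                continue;
            }
        }
        if (in[i] == '#') {
            ++i;
            continue;
        }
        out.push_back(in[i]);
        ++i;
    }
    return out;
}

// Constructed sample input (not from the project): n spaces followed by
// one payload byte, i.e. almost everything must be removed. A linear
// implementation finishes in time proportional to n.
std::string constructedWhitespaceHeavyInput(std::size_t n) {
    std::string s(n, ' ');
    s.push_back('x');
    return s;
}
```

Because the four functions return the transformed string rather than mutating the input, the same pattern can be measured against a slow variant by timing both on constructedWhitespaceHeavyInput with increasing n; the linear version's runtime should grow roughly in step with n, while a quadratic one grows with n squared.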
Enhancements and bug fixes
- Add TX synonym for MSC_PCRE_LIMITS_EXCEEDED
[Issue #2901 - @airween]
- Make MULTIPART_PART_HEADERS accessible to lua
[Issue #2916 - @martinhsv]
- Fix: Lua scripts cannot read whole collection at once
[Issue #2900 - @udi-aharon, @airween, @martinhsv]
- Fix: quoted Include config with wildcard
[Issue #2905 - @wiseelf, @airween, @martinhsv]
- Support isolated PCRE match limits
[Issue #2736 - @brandonpayton, @martinhsv]
- Fix: meta actions not applied if multiMatch in first rule of chain
[Issue #2867, #2868 - @mlevogiannis, @martinhsv]
- Fix: audit log may omit tags when multiMatch
[Issue #2866 - @mlevogiannis]
- Exclude CRLF from MULTIPART_PART_HEADER value
[Issue #2870 - @airween, @martinhsv]
- Configure: use AS_ECHO_N instead of echo -n
[Issue #2894 - @liudongmiao, @martinhsv]
- Adjust position of memset from 2890
[Issue #2891 - @mirkodziadzka-avi, @martinhsv]
Additional information on the release, including the source (and hashes/signatures), is available at: https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.10
The list of open issues is available on GitHub: https://github.com/SpiderLabs/ModSecurity/issues
Thanks to everybody who helped in this process: reporting issues, making comments and suggestions, sending patches, etc.