Announcing ModSecurity version 3.0.10

We are announcing the release of ModSecurity version 3.0.10 (libModSecurity). This version contains a mixture of enhancements and bug fixes.

Security impacting issue

Fix: worst-case time in implementation of four transformations
[Issue #2934 - @martinhsv]

Poor worst-case performance in the transformations removeWhitespace, removeNull, replaceNull and removeCommentsChar could enable malicious individuals to cause some DoS effects. This item has been assigned CVE-2023-38285. Additional information should be available shortly at https://www.trustwave.com/resources/blogs/spiderlabs-blog/.

Enhancements and bug fixes

• Add TX synonym for MSC_PCRE_LIMITS_EXCEEDED
  [Issue #2901, - @airween]
• Make MULTIPART_PART_HEADERS accessible to lua
  [Issue #2916 - @martinhsv]
• Fix: Lua scripts cannot read whole collection at once
  [Issue #2900 - @udi-aharon, @airween, @martinhsv]
• Fix: quoted Include config with wildcard
  [Issue #2905 - @wiseelf, @airween, @martinhsv]
• Support isolated PCRE match limits
  [Issue #2736 - @brandonpayton, @martinhsv]
• Fix: meta actions not applied if multiMatch in first rule of chain
  [Issue #2867, #2868 - @mlevogiannis, @martinhsv]
• Fix: audit log may omit tags when multiMatch
  [Issue #2866 - @mlevogiannis]
• Exclude CRLF from MULTIPART_PART_HEADER value
  [Issue #2870 - @airween, @martinhsv]
• Configure: use AS_ECHO_N instead echo -n
  [Issue #2894 - @liudongmiao, @martinhsv]
• Adjust position of memset from 2890
  [Issue #2891 - @mirkodziadzka-avi, @martinhsv]

Additional information on the release, including the source (and hashes/signatures), is available at: https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.10

The list of open issues is available on GitHub: https://github.com/SpiderLabs/ModSecurity/issues

Thanks to everybody who helped in this process: reporting issues, making comments and suggestions, sending patches, etc.