Announcing ModSecurity version 3.0.5

We are happy to announce ModSecurity version 3.0.5!

It is a pleasure to announce the release of ModSecurity version 3.0.5 (libModSecurity). This version contains several improvements in different areas, including new features, cleanups, overall performance improvements, and fixes. A remarkable feature for version 3.0.5 is the limitation on the number of arguments to process; this is especially useful while inspecting JSON with a high number of key/values. Read more: https://github.com/SpiderLabs/ModSecurity/pull/2234

New features

• Having ARGS_NAMES, variables proxied
  [@zimmerle, @martinhsv, @KaNikita]

• Use explicit path for cross-compile environments.
  [Issue #2485 - @dtoubelis]

• Fix: FILES variable does not use multipart part name for key
  [Issue #2377 - @martinhsv]

• Regression: Mark the test as failed in case of segfault.
  [@zimmerle]

• GeoIP: switch to GEOIP_MEMORY_CACHE from GEOIP_INDEX_CACHE
  [Issues #2378, #2186 - @defanator]

• Add support to test framework for audit log content verification and add regression tests for issues #2000, #2196
  
  
• Support configurable limit on number of arguments processed
  [Issue #2234 - @jleproust, @martinhsv]

• Multipart Content-Dispostion should allow field: filename*=
  [@martinhsv]

• Adds support to lua 5.4
  [@zimmerle]

• Add support for new operator rxGlobal
  [@martinhsv]

Bug fixes

• Replaces put with setenv in SetEnv action
  [Issue #2469 - @martinhsv, @WGH-, @zimmerle]

• Regex key selection should not be case-sensitive
  [Issue #2296, #2107, #2297 - @michaelgranzow-avi, @victorhora, @airween, @martinhsv, @zimmerle]

• Fix: Only delete Multipart tmp files after rules have run
  [Issue #2427 - @martinhsv]

• Fixed MatchedVar on chained rules
  [Issue #2423, #2435, #2436 - @michaelgranzow-avi]

• Fix maxminddb link on FreeBSD
  [Issue #2131 - @granalberto, @zimmerle]

• Fix IP address logging in Section A
  [Issue #2300 - @inaratech, @zavazingo, @martinhsv]

• rx: exit after full match (remove /g emulation); ensure capture
  
  
• groups occuring after unused groups still populate TX vars
  [Issue #2336 - @martinhsv]

• Correct CHANGES file entry for #2234
  
  
• Fix rule-update-target for non-regex
  [Issue #2251 - @martinhsv]

• Fix configure script when packaging for Buildroot
  [Issue #2235 - @frankvanbever]

• modsecurity.pc.in: add Libs.private
  [Issue #1918, #2253 - @ffontaine, @Dridi, @victorhora]

Security impacting issues

• Handle URI received with uri-fragment
  [@martinhsv]

The complete list of changes is available on our changelogs: https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.5

The source and binaries (and the respective hashes/signatures) are available at: https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.5

The list of open issues is available on GitHub: https://github.com/SpiderLabs/ModSecurity/labels/3.x

Stay tuned. We are going to release a follow-up blog post detailing the significant bits of this release. Thanks to everybody who helped in this process: reporting issues, making comments and suggestions, sending patches, and participating in the community ;)