We are announcing the release of ModSecurity 3.0.8 (libModSecurity) and 2.9.6. These versions contain both new features and bug fixes.
Of note are some updates to request body parsing that close certain rule-bypass opportunities. Stay tuned: we will publish follow-up blog content with more details on these items.
New features and security impacting issues
Bug fixes – v2
- Limit rsub null termination to where necessary [Issue #2794 - @marcstern, @martinhsv]
- IIS: Update dependencies for next planned release [@martinhsv]
- XML parser cleanup: NULL duplicate pointer [Issue #2760 - @martinhsv]
- Properly clean up XML parser contexts upon completion [Issue #2239 - @argenet]
- Fix memory leak in streams [Issue #2208 - @marcstern, @vloup, @JamesColeman-LW]
- Fix negative usec on log line when data type long is 32-bit [Issue #2753 - @ABrauer-CPT, @martinhsv]
- Fix mlogc log-line parsing failure caused by the enhanced timestamp [Issue #2682 - @bozhinov, @ABrauer-CPT, @martinhsv]
- Allow no-key, single-value JSON body [Issue #2735 - @marcstern, @martinhsv]
- Set SecStatusEngine Off in modsecurity.conf-recommended [Issue #2717 - @un99known99, @martinhsv]
- Fix memory leak that occurs on JSON parsing error [Issue #2236 - @argenet, @vloup, @martinhsv]
- Multipart names/filenames may include a single quote if enclosed in double quotes [Issue #2352 - @martinhsv]
- Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended [Issue #2647 - @theMiddleBlue, @airween, @877509395, @martinhsv]
Bug fixes – v3
Additional information on the releases, including the source and binaries (and hashes/signatures), is available at:
The list of open issues is available on GitHub: https://github.com/SpiderLabs/ModSecurity/issues
Thanks to everybody who helped in this process by reporting issues, making comments and suggestions, sending patches, and more.