Security Fix Release: ModSecurity v2.6.6
The ModSecurity Development Team has released version 2.6.6 in response to a multipart bypass vulnerability that was disclosed to us. Users are strongly encouraged to update. Please see the release notes included into CHANGES file.
Users are strongly encouraged to update to v2.6.6 (download).
- Added build system support for KfreeBSD and HURD.
- Fixed a multipart bypass issue related to quote parsing Credits to Qualys Vulnerability & Malware Research Labs (VMRL).
ModSecurity v2.7.0-RC1 Available
The ModSecurity Development Team is pleased to announce the availability of ModSecurity 2.7.0-RC1 Release Candidate. This version includes many security enhancements including the ability to add cryptographic hash validation tokens to outbound data to prevent parameter tampering. The release also includes many performance enhancements to the Lua API and PCRE code. Please see the release notes included into CHANGES file.
ModSecurity v2.7.0-RC1 (download).
- For known problems and more information about bug fixes, please see the online ModSecurity Jira.
- Please report any bug to firstname.lastname@example.org.
OWASP ModSecurity CRS v2.2.5 Available
This update includes security fixes related to multipart content-type bypasses so users are strongly encouraged to update (download). In addition, we have included many cool integration updates.
- Renamed main config file to modsecurity_crs_10_setup.conf
- Updated the rule IDs to start from OWASP ModSecurity CRS reserved range: 900000
- Updated rule formatting for readability
- Updated the CSRF rules to use UNIQUE_ID as the token source
- Added the zap2modsec.pl script to the /util directory which converts OWASP ZAP Scanner XML data into ModSecurity Virtual Patches
- Updated the Directory Traversal Signatures to include more obfuscated data
- Added Arachni Scanner Integration LUA script/rules files
- Added forceRequestBodyVariable action to rule ID 960904
- Updated the anomaly scoring value for rule ID 960000 to critical (Identified by QualysVulnerability & Malware Research Labs (VMRL))
- Updated Content-Type check to fix possible evasion with @within (Identified by Qualys Vulnerability & Malware Research Labs (VMRL))