We are announcing the release of ModSecurity version 2.9.7. This version contains a mixture of new features, enhancements, and bug fixes.
Security impacting issues
- Fix: FILES_TMP_CONTENT may sometimes lack complete content
[Issue #2857 - gieltje, @airween, @dune73 @martinhsv]
In certain cases, the FILES_TMP_CONTENT variable may not contain the entire file content. This could mean a rule failing to detect malicious content that it ordinarily would – possibly because a malicious actor specially crafted the file input with the goal of bypassing detection. If you use this variable you should strongly consider upgrading to the fixed version.
A new configuration item called SecArgumentsLimit will limit the number of items added to the ARGS collection and set the REQBODY_ERROR variable when the limit is breached. There is a software default of 1000. If you expect to have legitimate requests that exceed that limit, you should specify a higher limit in your modsecurity.conf file.
Support for PCRE2 is now available in ModSecurity v2. Legacy PCRE is still the default; to use PCRE2, you must specify ‘--with-pcre2’ during the configure step
Bug fixes and enhancements
- Silence compiler warning about discarded const
[Issue #2843- @Steve8291, @martinhsv]
- Use uid for user if apr_uid_name_get() fails
[Issue#2046 - @arminabf, @marcstern]
- Fix: handle error with SecConnReadStateLimit configuration
[Issue #2815, #2834- @marcstern, @martinhsv]
- Adjustment of previous fix for log messages
[Issue #2832- @marcstern, @erkia]
- Mark apache error log messages as from mod_security2
[Issue #2781- @erkia]
- Use pkg-config to find libxml2 first
[Issue #2818- @hughmcmaster]
Additional information on the release, including the source and binaries (and hashes/signatures), is available at: https://github.com/SpiderLabs/ModSecurity/releases/tag/v2.9.7
The list of open issues is available on GitHub: https://github.com/SpiderLabs/ModSecurity/issues
Thanks to everybody who helped in this process: reporting issues, making comments and suggestions, sending patches, etc.