We are announcing the release of ModSecurity version 3.0.9 (libModSecurity). This version contains a mixture of enhancements and bug fixes.
Security issue
- Add some member variable inits in Transaction class (possible segfault)
[Issue #2886 - @GNU-Plus-Windows-User, @airween , @mdounin, @martinhsv]
In some configurations with certain inputs, this bug could result in a segfault and a resultant crash of a worker process. A large volume of such requests sent very quickly could lead to the server becoming slow or unresponsive to legitimate requests. This item has been assigned CVE-2023-28882.
Enhancements and bug fixes
- Fix: possible segfault on reload if duplicate ip+CIDR in ip match list
[Issue #2877, #2890 - @tomsommer, @martinhsv] - Resolve memory leak on reload (bison-generated variable)
[Issue #2876 - @martinhsv] - Support equals sign in XPath expressions
[Issue #2328 - @dennus, @martinhsv] - Encode two special chars in error.log output
[Issue #2854 - @airween, @martinhsv] - Add JIT support for PCRE2
[Issue #2791 - @wfjsw, @airween, @FireBurn, @martinhsv] - Support comments in ipMatchFromFile file via '#' token
[Issue #2554 - @tomsommer, @martinhsv] - Use name package name libmaxminddb with pkg-config
[Issue #2595, #2596 - @frankvanbever, @ffontaine, @arnout] - Fix: FILES_TMP_CONTENT collection key should use part name
[Issue #2831 - @airween] - Use AS_HELP_STRING instead of obsolete AC_HELP_STRING macro
[Issue #2806 - @hughmcmaster] - During configure, do not check for pcre if pcre2 specified
[Issue #2750 - @dvershinin, @martinhsv] - Use pkg-config to find libxml2 first
[Issue #2714 - @hughmcmaster] - Fix two rule-reload memory leak issues
[Issue #2801 - @Abce, @martinhsv] - Correct whitespace handling for Include directive
[Issue #2800 - @877509395, @martinhsv]
Additional information on the release, including the source (and hashes/signatures), is available at: https://github.com/SpiderLabs/ModSecurity/releases/tag/v3.0.9
The list of open issues is available on GitHub: https://github.com/SpiderLabs/ModSecurity/issues
Thanks to everybody who helped in this process: reporting issues, making comments and suggestions, sending patches, etc.