Overview

Request 1109077 accepted

- Update to version 3.0.10:
  * Security impacting issue (fix bsc#1213702, CVE-2023-38285)
    - Fix: worst-case time in implementation of four transformations
    - Additional information on this issue is available at
      https://www.trustwave.com/resources/blogs/spiderlabs-blog/modsecurity-v3-dos-vulnerability-in-four-transformations-cve-2023-38285/
  * Enhancements and bug fixes
    - Add TX synonym for MSC_PCRE_LIMITS_EXCEEDED
    - Make MULTIPART_PART_HEADERS accessible to lua
    - Fix: Lua scripts cannot read whole collection at once
    - Fix: quoted Include config with wildcard
    - Support isolated PCRE match limits
    - Fix: meta actions not applied if multiMatch in first rule of chain
    - Fix: audit log may omit tags when multiMatch
    - Exclude CRLF from MULTIPART_PART_HEADER value
    - Configure: use AS_ECHO_N instead of echo -n
    - Adjust position of memset from 2890

- Update to version 3.0.9:
  * Add some member variable inits in Transaction class (possible segfault)
  * Fix: possible segfault on reload if duplicate ip+CIDR in ip match list
  * Resolve memory leak on reload (bison-generated variable)
  * Support equals sign in XPath expressions
  * Encode two special chars in error.log output
  * Add JIT support for PCRE2
  * Support comments in ipMatchFromFile file via '#' token
  * Use name package name libmaxminddb with pkg-config
  * Fix: FILES_TMP_CONTENT collection key should use part name
  * Use AS_HELP_STRING instead of obsolete AC_HELP_STRING macro
  * During configure, do not check for pcre if pcre2 specified
  * Use pkg-config to find libxml2 first

Request History
adamm created request

licensedigger accepted review

ok


factory-auto added origin-reviewers as a reviewer

Please review sources


factory-auto accepted review

Check script succeeded


maxlin_factory added as a reviewer

Being evaluated by staging project "openSUSE:Backports:SLE-15-SP6:Staging:adi:2"


maxlin_factory accepted review

Picked "openSUSE:Backports:SLE-15-SP6:Staging:adi:2"


mlin7442 accepted review

ok


maxlin_factory accepted review

Staging Project openSUSE:Backports:SLE-15-SP6:Staging:adi:2 got accepted.


maxlin_factory approved review

Staging Project openSUSE:Backports:SLE-15-SP6:Staging:adi:2 got accepted.


maxlin_factory accepted request

Staging Project openSUSE:Backports:SLE-15-SP6:Staging:adi:2 got accepted.
