On Tue, 28 Sep 2010, Josh Bressers wrote:
>> 6. ModSecurity
>> There was already a CVE request by Jan Lieskovsky, but it doesn't
>> to have led to an ID assignment:
> This one is also too big for me to handle properly. Can MITRE take it?
This changelog is too vague to be certain which issues are really about
"security" versus which ones are enhancements or feature additions. So,
I'll need some help here.
Here are ones that smell like security issues:
* Fixed path normalization to better handle backreferences that extend
above root directories. Reported by Sogeti/ESEC R&D.
* Fixed failure to match internally set TX variables with regex
* Fixed failure to log full internal TX variable names and populate
* Fixed memory leak in v1 cookie parser. Reported by Sogeti/ESEC R&D.
Here are ones that *might* be security issues, but it's unclear:
* Fixed nolog,auditlog/noauditlog/nolog controls for disruptive actions.
* Fixed SecUploadFileMode to set the correct mode.
* Trim whitespace around phrases used with @pmFromFile and allow
for both LF and CRLF terminated lines.
* Allow for more robust parsing for multipart header folding. Reported
by Sogeti/ESEC R&D.
* Reduced default PCRE match limits reducing impact of REDoS on poorly
written regex rules. Reported by Sogeti/ESEC R&D.
* Do not escape quotes in macro resolution and only escape NUL in
Here are ones that smell like "defense in depth" or "fixing non-security
bug in security feature" or "addition of new 'signature' type" (thus no
* Added SecUploadFileLimit to limit the number of uploaded file parts
that will be processed in a multipart POST. The default is 100.
* Added PCRE match limits (SecPcreMatchLimit/SecPcreMatchLimitRecursion)
to aid in REDoS type attacks. A rule that goes over the limits will set
TX:MSC_PCRE_LIMITS_EXCEEDED. It is intended that the next major
release of ModSecurity (2.6.x) will move these flags to a dedicated
* Enabled PCRE "studying" by default. This is now a configure-time
* Now support macro expansion in numeric operators (@eq, @ge, @lt, etc.)
* Fixed SecAction not working when CONNECT request method is used
(MODSEC-110). [Ivan Ristic]
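The first item in the "smell like security issues" list concerns path normalization of `..` segments that climb above the root. As an added illustration of that class of bug (example code written for this note, not ModSecurity's own normalizePath implementation, and not a reproduction of the specific fix), the block below contrasts a textual "strip `../`" normalizer with a segment-wise one that clamps at the root the way a filesystem resolves `/..`. The function names and the sample paths are constructed for the example.

```python
"""Path normalization for rule matching: why '..' handling must be
segment-based and clamped at the root.

Example code added to illustrate the changelog item; it is not
ModSecurity's implementation.
"""

from urllib.parse import unquote


def naive_normalize(path: str) -> str:
    """Textual stripping of '../'. Shown as the weak approach: it does
    not track directory depth, so the result can differ from the path
    the server will actually resolve, and a rule keyed on the real
    target (e.g. '/etc/passwd') would not match."""
    return path.replace("../", "")


def normalize_path(path: str) -> str:
    """Segment-wise normalization that clamps at the root.

    - drops empty and '.' segments (collapses '//' and '/./')
    - pops one directory per '..', but never past the root
    - a '..' encountered at the root is discarded instead of leaking
      'above' '/', mirroring how the OS resolves '/..'
    """
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            # At root already: nothing to pop, and '..' must not survive.
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def normalize_request_path(raw: str) -> str:
    """Percent-decode once, then normalize, so encoded traversal
    sequences such as %2e%2e are treated like a literal '..'."""
    return normalize_path(unquote(raw))


if __name__ == "__main__":
    # Constructed sample paths for a quick side-by-side run.
    for p in ["/a/b/../c", "/a/./b//c/", "/a/../../../etc/passwd"]:
        print(f"{p!r:32} naive={naive_normalize(p)!r:20} "
              f"segment={normalize_path(p)!r}")
    print(normalize_request_path("/%2e%2e/%2e%2e/etc/passwd"))
```

The detection-side lesson is that a WAF has to normalize to the same canonical form the backend will resolve; a normalizer that merely deletes substrings, or that lets `..` at the root produce a path with more leading components than the target, gives rules a different string to match than the one the server sees.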