package: libapache2-mod-security
A new upstream stable version is available.
mod_security 1.9 contains the following changes since 1.8.7:
06/11/2005 1.9
--------------
* No changes since 1.9RC4.
03/11/2005 1.9RC4
-----------------
* Warning messages emitted from chained rules are now logged at
level 3.
01/11/2005 1.9RC3
-----------------
* Made SecFilterSignatureAction behave in a slightly more consistent
manner. When defined it applies to rules that do not have custom
actions.
29/10/2005 1.9RC2
-----------------
* Discovered (and fixed) a fragment of non multithread-safe code.
* Fix a bug with the chain action.
* Improved the per-rule performance figures not to include
debug logging (which can be quite slow).
03/10/2005 1.9RC1
-----------------
* Removed -DWORKER_HACK since it is easier and more elegant
to use LoadFile.
* Improvements to the output filtering to prevent Apache from
printing the error message twice (when we have a regex
match in the response body).
* Improvements to the multipart parser, now it is more strict with
what it accepts. (Incidentally, Mozilla and IE don't know how to
construct a proper multipart/form-data body, but Opera does.)
* New directive, SecFilterSignatureAction. If specified, all signatures
that follow the directive in the configuration file will use the
actions it specified, optionally merging with the per-rule action
list (if any specified).
16/09/2005 1.9dev4
------------------
* Limited the GuardianLog line size when doing piped logging. Writes
are atomic over a pipe only if the size of the data is less than
PIPE_BUF.
* Added a hack (compile with -DWORKER_HACK) to force the pthreads
dynamic library to be loaded before chroot is performed. (Apache
2.x only)
* Fixed the \xHH unescaping bug when the character was a regex
meta character. Such characters are now escaped with \. (Apache
1.x only)
* Unicode encoding checks not performed on the contents of the
Referer request header.
* Added the manual (in DocBook) format to the CVS.
* Added action "rev", to be used as a rule serial number, allowing
the "id" to remain unchanged (and unique).
* Many changes related to how actions are processed. Introduced
SecFilterActionsRestricted. When enabled, only the meta-data
per-rule actions are allowed. This is useful when you want to
include third-party rules to your configuration, and you don't
want them to specify just anything in the action. Per-rule actions
are now added on top of SecFilterDefaultAction actions.
* Wrote a new action parser from scratch. It is now possible to
escape action values, and even have a comma inside the
value (yay).
* Fixed doubling of response headers in the (serial) audit log.
* Added support to enable or disable mod_security per request
using an environment variable - MODSEC_ENABLE. This is something
that is likely to be useful in combination with SetEnvif. This
environment variable will not affect audit logging.
18/08/2005 1.9dev3
------------------
* Files uploaded via PUT are now treated in the same manner
as files uploaded via POST and multipart/form-data encoding.
* Added experimental support for mod_security to run in an early
hook. To test this compile with -DENABLE_EARLY_HOOK.
* Implemented SecAuditLogRelevantStatus.
* Implemented an entirely new approach to audit logging - concurrent
audit logging where each request is stored in its own file.
* Changed the way internal chroot works. We are not using a
file-based lock any more. The process is much cleaner. (I just
need to test it thoroughly to see if it performs under all
circumstances.)
* Many changes to improve handling of DynamicOnly and related
internal stuff.
* Added OUTPUT_STATUS to the Apache 2.x version.
* Implemented SecGuardianLog, to allow mod_security to pass information
to httpd-guardian (see http://www.apachesecurity.net/tools/).
* Removed debug log locking (writes should be atomic - why did I think
otherwise?).
* Log level is now present on every entry in the debug log.
* Significantly enhanced the filter (rule) inheritance functionality
by adding three new directives (SecFilterImport, SecFilterRemove,
SecFilterInheritanceMandatory) and one new action (mandatory).
* Added "proxy" action to rewrite URL through the internal reverse
proxy when a rule is triggered.
* Added the script that converts Nessus scripts (.nasl files) into
mod_security rules. Written by Javier Fernandez-Sanguino
<[EMAIL PROTECTED]>.
* Use GetTempPath on Windows to get the path for temporary files.
* Non-existent named parameters (ARG_name) and cookies (COOKIE_name) are
now treated as empty. This should allow us to write rules that trigger
when a named parameter is not present.
19/04/2005 1.9dev2
------------------
* Added individual rule timing (Apache 2.x only).
* Deprecated SecServerResponseToken. It no longer works and it
outputs a warning message.
* mod_security now logs its version to the error log upon
startup (as notice).
* When SecServerSignature is used, mod_security now logs the
real server signature to the error log (as notice).
* Added two new actions: setenv, setnote
* Added two new actions: auditlog, noauditlog
* Added three new actions: id, msg, severity. These are simple
text fields that appear in the error messages. They can be
used to classify problems.
* Added RelevantOnly as option to SecUploadKeepFiles.
* BUG Fixed the "pass" action bug.
* 404 responses are no longer considered relevant.
* The request body is now exported through the "mod_security-body"
note. (This can be useful for logging other than through the
audit log.)
* BUG Fixed a double URL-decoding bug (Apache first, then us), which
could sometimes lead to a false positive.
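The PIPE_BUF remark under 1.9dev4 is a general rule of POSIX piped logging, not something specific to SecGuardianLog: a single write(2) of at most PIPE_BUF bytes to a pipe is atomic, so records from many writers (for example all Apache children sharing one logger pipe) never interleave, while longer writes can be split and mixed. The C program below is an added example, not mod_security or httpd-guardian code, showing how a logger can bound each record to PIPE_BUF before writing it. The function names, the " [truncated]" marker and the sample records are the example's own choices.

```c
/* Added example (not mod_security code): keep every piped log record
 * within PIPE_BUF so that one write(2) delivers it atomically even when
 * many processes write to the same pipe. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef PIPE_BUF
#define PIPE_BUF 512 /* POSIX minimum (_POSIX_PIPE_BUF) if the header lacks it */
#endif

/* Marker appended when a record had to be cut to fit one atomic write. */
static const char TRUNC_MARK[] = " [truncated]\n";

/* Copy msg into out as a newline-terminated record of at most PIPE_BUF
 * bytes (and at most outlen bytes). Returns the record length. Records
 * that do not fit are cut and end with TRUNC_MARK so a reader can tell a
 * clipped line from a complete one. */
size_t bound_log_line(const char *msg, char *out, size_t outlen)
{
    size_t limit = outlen < PIPE_BUF ? outlen : PIPE_BUF;
    size_t mlen = sizeof(TRUNC_MARK) - 1;
    size_t len = strlen(msg);

    if (len + 1 <= limit) {            /* whole message plus '\n' fits */
        memcpy(out, msg, len);
        out[len] = '\n';
        return len + 1;
    }
    if (limit <= mlen) {               /* tiny buffer: hard cut, no marker */
        memcpy(out, msg, limit - 1);
        out[limit - 1] = '\n';
        return limit;
    }
    memcpy(out, msg, limit - mlen);    /* keep what fits, then the marker */
    memcpy(out + (limit - mlen), TRUNC_MARK, mlen);
    return limit;
}

/* Emit one record with a single write(2). Only EINTR is retried; a short
 * write means the atomicity guarantee did not apply, so report an error. */
int write_log_record(int fd, const char *msg)
{
    char buf[PIPE_BUF];
    size_t n = bound_log_line(msg, buf, sizeof buf);
    for (;;) {
        ssize_t w = write(fd, buf, n);
        if (w == (ssize_t)n)
            return 0;
        if (w < 0 && errno == EINTR)
            continue;
        return -1;
    }
}

/* Record length produced for a message of msglen 'A' bytes (0 on OOM). */
size_t record_len_for(size_t msglen)
{
    char out[PIPE_BUF];
    char *msg = malloc(msglen + 1);
    size_t n;
    if (msg == NULL)
        return 0;
    memset(msg, 'A', msglen);
    msg[msglen] = '\0';
    n = bound_log_line(msg, out, sizeof out);
    free(msg);
    return n;
}

/* 1 if the record for a message of msglen 'A' bytes ends with TRUNC_MARK. */
int record_is_truncated(size_t msglen)
{
    char out[PIPE_BUF];
    char *msg = malloc(msglen + 1);
    size_t n, mlen = sizeof(TRUNC_MARK) - 1;
    int r;
    if (msg == NULL)
        return -1;
    memset(msg, 'A', msglen);
    msg[msglen] = '\0';
    n = bound_log_line(msg, out, sizeof out);
    r = n >= mlen && memcmp(out + n - mlen, TRUNC_MARK, mlen) == 0;
    free(msg);
    return r;
}

/* Round trip through a real pipe: a short record and a constructed
 * oversize one. Returns 1 if exactly two newline-terminated records
 * arrive, totalling 6 + PIPE_BUF bytes ("hello\n" plus one clipped line). */
int pipe_roundtrip_ok(void)
{
    int fds[2], newlines = 0, ok;
    char rbuf[4 * PIPE_BUF], big[2 * PIPE_BUF];
    ssize_t got, total = 0, i;

    if (pipe(fds) != 0)
        return 0;
    memset(big, 'B', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    ok = write_log_record(fds[1], "hello") == 0 &&
         write_log_record(fds[1], big) == 0;
    close(fds[1]);
    while ((got = read(fds[0], rbuf + total, sizeof rbuf - total)) > 0)
        total += got;
    close(fds[0]);
    for (i = 0; i < total; i++)
        if (rbuf[i] == '\n')
            newlines++;
    return ok && total == (ssize_t)(6 + PIPE_BUF) && newlines == 2;
}

int main(void)
{
    printf("PIPE_BUF=%d, pipe round trip %s\n", (int)PIPE_BUF,
           pipe_roundtrip_ok() ? "ok" : "FAILED");
    return 0;
}
```

The marker is deliberately placed at the end of the record: a consumer such as a log parser can then reject or flag clipped lines instead of silently treating a cut-off request URI as the real one.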