mod_security 2.7.1 for Apache 2.2.x & 2.4 Released

Started by Gregg, November 08, 2012, 08:49:10 PM


Gregg

Don't do it. There is a change being made and then a reissue. I wish he would not reissue and just use a new version number. After all, they are cheap. So looks like a new one will be coming soon. I've removed the downloads.

If you already have, I do not see any reason to go back to 2.7.0 unless you run into a problem with 2.7.1.


Announcing the release of mod_security 2.7.1 for Apache 2.2 and 2.4. This is primarily a bug fix release. The information in the changes file is:

  * Changed "Encryption" name of directives and options related to hmac feature to "Hash".

    SecEncryptionEngine       to SecHashEngine
    SecEncryptionKey          to SecHashKey
    SecEncryptionParam        to SecHashParam
    SecEncryptionMethodRx     to SecHashMethodRx
    SecEncryptionMethodPm     to SecHashMethodPm
    @validateEncryption       to @validateHash
    ctl:EncryptionEnforcement to ctl:HashEnforcement
    ctl:EncryptionEngine      to ctl:HashEngine

Note if you use any of the above you will have to modify your config.

  * Added a better random bytes generator using apr_generate_random_bytes() to create
    the HMAC key.
  * Fixed byte conversion issue during logging under Linux s390x platform.
  * Fixed compilation bug with LibXML2 2.9.0 (Thanks Athmane Madjoudj).
  * Fixed parsing error with modsecurity-recommended.conf and Apache 2.4.
  * Fixed DROP action was disabled for Apache 2 module by mistake.
  * Fixed bug when use ctl:ruleRemoveByTag.
  * The doc/ directory now contains the instructions to access online documentation.


Also note that this version includes the libxml2 2.9.0 DLL. If you are using mod_proxy_html and mod_xml2enc you may want to back up your old version of libxml2 first and revert back to it if this version 2.9.0 causes problems with these other modules. It should not but you never know what use cases could possibly.
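One way to find and rewrite the renamed names in an existing configuration, as an added example that is not part of the original post or of the mod_security distribution. The function name `migrate` is hypothetical and the sample configuration is constructed; only the old and new names come from the changes list above.

```python
import re

# Old -> new names, copied from the 2.7.1 changes list quoted in the post.
RENAMES = {
    "SecEncryptionEngine": "SecHashEngine",
    "SecEncryptionKey": "SecHashKey",
    "SecEncryptionParam": "SecHashParam",
    "SecEncryptionMethodRx": "SecHashMethodRx",
    "SecEncryptionMethodPm": "SecHashMethodPm",
    "@validateEncryption": "@validateHash",
    "ctl:EncryptionEnforcement": "ctl:HashEnforcement",
    "ctl:EncryptionEngine": "ctl:HashEngine",
}
_LOOKUP = {old.lower(): new for old, new in RENAMES.items()}

# Whole-name matches only; case-insensitive because Apache directive names are.
_PATTERN = re.compile(
    r"(?<![A-Za-z0-9_])(?:"
    + "|".join(re.escape(k) for k in sorted(RENAMES, key=len, reverse=True))
    + r")(?![A-Za-z0-9_])",
    re.IGNORECASE,
)

def migrate(text):
    """Return (rewritten_text, findings); findings are (line_no, old, new)."""
    findings, out = [], []
    for no, line in enumerate(text.splitlines(keepends=True), 1):
        if line.lstrip().startswith("#"):   # comments are left untouched
            out.append(line)
            continue
        def swap(m, no=no):
            new = _LOOKUP[m.group(0).lower()]
            findings.append((no, m.group(0), new))
            return new
        out.append(_PATTERN.sub(swap, line))
    return "".join(out), findings

# Constructed sample configuration (not from the post).
SAMPLE = '''\
# SecEncryptionEngine was enabled for the shop vhost
SecEncryptionEngine On
SecEncryptionKey rand KeyOnly
SecEncryptionParam "hmac"
SecEncryptionMethodRx "HashHref" "product_info"
SecRule REQUEST_URI "@validateEncryption product_info" "id:1001,phase:2,deny,ctl:EncryptionEnforcement=On"
SecRuleEngine On
'''

if __name__ == "__main__":
    for no, old, new in migrate(SAMPLE)[1]:
        print(f"line {no}: {old} -> {new}")
```

Review the findings before writing the rewritten text back, and run `apachectl configtest` afterwards.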

chromerep

What's the meaning of this? Can you explain more? What happens? Is this an RC version?
I have updated to mod_security 2.7.1.

Quote from: Gregg on November 08, 2012, 08:49:10 PM
Don't do it. There is a change being made and then a reissue. I wish he would not reissue and just use a new version number. After all, they are cheap. So looks like a new one will be coming soon. I've removed the downloads.

Gregg

I guess it then becomes an RC version. This is the second time mod_security has changed after a version has been put up for download, which was not labeled RC. Like I said, instead of yanking away the download I wish they would just do like Apache, or OpenSSL and just use a new version number, even if it is 6 days later. Version numbers are cheap.

The problem is a minor issue in Apache with @strmatch. Your mileage may vary depending on how much of it you use. If you have concern, do revert to 2.7.0. I'm leaving mine at 2.7.1 for now but will be watching it closely.

chromerep

As far as I take watch of mod_security 2.7.1, it runs well. Where should I notice more about @strmatch? If you find something else wrong, post it there to remind me to degrade to 2.7.0.