Don't do it. There is a change being made and then a reissue. I wish he would not reissue and just use a new version number. After-all, they are cheap. So looks like a new one will be coming soon. I've removed the downloads.
If you already have, I do not see any reason to go back to 2.7.0 unless you run into a problem with 2.7.1
Announcing the release of mod_security 2.7.1 for Apache 2.2 and 2.4. This is primarily a bug fix release. The information in the changes file is;
* Changed "Encryption" name of directives and options related to hmac feature to "Hash".
SecEncryptionEngine to SecHashEngine
SecEncryptionKey to SecHashKey
SecEncryptionParam to SecHashParam
SecEncryptionMethodRx to SecHashMethodRx
SecEncryptionMethodPm to SecHashMethodPm
@validateEncryption to @validateHash
ctl:EncryptionEnforcement to ctl:HashEnforcement
ctl:EncryptionEngine to ctl:HashEngine
Note if you use any of the above you will have to modify your config.
* Added a better random bytes generator using apr_generate_random_bytes() to create
the HMAC key.
* Fixed byte conversion issue during logging under Linux s390x platform.
* Fixed compilation bug with LibXML2 2.9.0 (Thanks Athmane Madjoudj).
* Fixed parsing error with modsecurity-recommended.conf and Apache 2.4.
* Fixed DROP action was disabled for Apache 2 module by mistake.
* Fixed bug when use ctl:ruleRemoveByTag.
* The doc/ directory now contains the instructions to access online documentation.
Also note that this version include the libxml2 2.9.0 DLL, if you are using mod_proxy_html and mod_xml2enc you may want to backup your old version of libxml2 first and revert back to it if this version 2.9.0 causes problems with these other modules. It should not but you never know what use cases could possibly.
What's meaning of this?Can you explain more?What happens?Is this a RC version?
I have update to mod_security 2.7.1.
Quote from: Gregg on November 08, 2012, 08:49:10 PM
Don't do it. There is a change being made and then a reissue. I wish he would not reissue and just use a new version number. After-all, they are cheap. So looks like a new one will be coming soon. I've removed the downloads.
I guess it then becomes an RC version. This is the second time mod_security has changed after a version has been put up for download, which was not labeled RC. Like I said, instead of yanking away the download I wish they would just do like Apache, or OpenSSL and just use a new version number, even if it is 6 days later. Version numbers are cheap.
The problem is a a minor issue in Apache with @strmatch. Your mileage may vary depending on how much of it you use. If you have concern, do revert to 2.7.0. I'm leaving mine at 2.7.1 for now but will be watching it closely.
As far as I take watch of mod_security 2.7.1,it runs well.Where should I notice more about @strmatch?If you find something else wrong,post it there to remind me to degrade to 2.7.0.