ModSecurity v2.7.4 Released

ModSecurity™ is an open source, free web application firewall (WAF) Apache module. With over 70% of all attacks now carried out over the web application level, organizations need all the help they can get in making their systems secure.

 

Changelog v2.7.4

Improvements

  • Added Libinjection project http://www.client9.com/projects/libinjection/ as a new operator @detectSQLi. (Thanks Nick Galbreath).
  • Added new variable SDBM_DELETE_ERROR that will be set to 1 when sdbm engine fails to delete entries.
  • NGINX is now set to STABLE. Thanks to chaizhenhua and all the people in the community who help the project by testing and sending feedback and patches.

Bug Fixes

  • Fixed SecRulePerfTime storing unnecessary rules performance times.
  • Fixed possible SDBM deadlock condition.
  • Fixed possible @rsub memory leak.
  • Fixed REMOTE_ADDR so that it receives the client IP address when mod_remoteip.c is present.
  • Fixed NGINX Audit engine in Concurrent mode overwriting existing alert files because of an issue with UNIQUE_ID.
  • Fixed CPU 100% issue in NGINX port. This is also related to a memory leak when loading the response body.

Security Issues

  • Fixed Remote Null Pointer Dereference (CVE-2013-2765). When the forceRequestBodyVariable action is triggered and an unknown Content-Type is used, mod_security crashes while trying to manipulate msr->msc_reqbody_chunks->elts, because msr->msc_reqbody_chunks is NULL. (Thanks Younes JAAIDI)
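
The defect class behind CVE-2013-2765, shown as an added example in a simplified C model; this is not ModSecurity's source code or its actual patch. Only the names msc_reqbody_chunks and elts come from the changelog entry above; every other type, function and the rule for when chunks are stored are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Simplified stand-ins for illustration; not ModSecurity's real definitions. */
typedef struct { const char *data; size_t len; } chunk_t;
typedef struct { chunk_t *elts; int nelts; } chunk_array_t;
typedef struct {
    chunk_array_t *msc_reqbody_chunks; /* stays NULL if no chunks were stored */
    int force_body_variable;           /* models forceRequestBodyVariable */
} tx_t;

/* Model assumption: chunks are stored only for a recognised Content-Type. */
void store_body(tx_t *tx, const char *ctype, chunk_array_t *chunks) {
    int known = strcmp(ctype, "application/x-www-form-urlencoded") == 0;
    tx->msc_reqbody_chunks = known ? chunks : NULL;
}

/* Unguarded pattern described in the changelog entry: the array is
 * dereferenced unconditionally, so a NULL msc_reqbody_chunks faults
 * and takes the worker process down. */
long body_length_unguarded(const tx_t *tx) {
    long total = 0;
    chunk_t *c = tx->msc_reqbody_chunks->elts;
    for (int i = 0; i < tx->msc_reqbody_chunks->nelts; i++)
        total += (long)c[i].len;
    return total;
}

/* Guarded pattern: a missing chunk array means "no body to expose". */
long body_length_guarded(const tx_t *tx) {
    if (!tx->force_body_variable) return 0;
    if (tx->msc_reqbody_chunks == NULL || tx->msc_reqbody_chunks->elts == NULL)
        return -1; /* caller skips building the variable instead of crashing */
    long total = 0;
    for (int i = 0; i < tx->msc_reqbody_chunks->nelts; i++)
        total += (long)tx->msc_reqbody_chunks->elts[i].len;
    return total;
}

/* Constructed sample body, run through the guarded path for a given type. */
long demo(const char *ctype) {
    static chunk_t parts[] = { {"a=1&", 4}, {"b=2", 3} };
    chunk_array_t arr = { parts, 2 };
    tx_t tx = { NULL, 1 };
    store_body(&tx, ctype, &arr);
    return body_length_guarded(&tx);
}
```

The guarded function returns an error code for the unrecognised content type where the unguarded one would fault, which is the difference between a skipped variable and a crashed worker.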

Download ModSecurity v2.7.4

MaxiSoler

www.artssec.com @maxisoler