openSUSE-SU-2023:0257-1

Import Source: https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2023:0257-1.json
JSON Data: https://api.osv.dev/v1/vulns/openSUSE-SU-2023:0257-1
Published: 2023-09-25T12:02:08Z
Modified: 2023-09-25T12:02:08Z
Summary: Security update for modsecurity
Details

This update for modsecurity fixes the following issues:

Update to version 3.0.10:

  • Security impacting issue (fix boo#1213702, CVE-2023-38285)

    • Fix: worst-case time in implementation of four transformations
    • Additional information on this issue is available at https://www.trustwave.com/resources/blogs/spiderlabs-blog/modsecurity-v3-dos-vulnerability-in-four-transformations-cve-2023-38285/
  • Enhancements and bug fixes

    • Add TX synonym for MSC_PCRE_LIMITS_EXCEEDED
    • Make MULTIPART_PART_HEADERS accessible to Lua
    • Fix: Lua scripts cannot read whole collection at once
    • Fix: quoted Include config with wildcard
    • Support isolated PCRE match limits
    • Fix: meta actions not applied if multiMatch in first rule of chain
    • Fix: audit log may omit tags when multiMatch
    • Exclude CRLF from MULTIPART_PART_HEADERS value
    • Configure: use AS_ECHO_N instead of echo -n
    • Adjust position of memset from 2890

Update to version 3.0.9:

  • Add some member variable inits in Transaction class (possible segfault)
  • Fix: possible segfault on reload if duplicate ip+CIDR in ip match list
  • Resolve memory leak on reload (bison-generated variable)
  • Support equals sign in XPath expressions
  • Encode two special chars in error.log output
  • Add JIT support for PCRE2
  • Support comments in ipMatchFromFile file via '#' token
  • Use package name libmaxminddb with pkg-config
  • Fix: FILES_TMP_CONTENT collection key should use part name
  • Use AS_HELP_STRING instead of obsolete AC_HELP_STRING macro
  • During configure, do not check for pcre if pcre2 specified
  • Use pkg-config to find libxml2 first
  • Fix two rule-reload memory leak issues
  • Correct whitespace handling for Include directive

  • Fix CVE-2023-28882, a segfault and a resultant crash of a worker process in some configurations with certain inputs, boo#1210993

Update to version 3.0.8

  • Adjust parser activation rules in modsecurity.conf-recommended [#2796]
  • Multipart parsing fixes and new MULTIPART_PART_HEADERS collection [#2795]
  • Prevent LMDB related segfault [#2755, #2761]
  • Fix msc_transaction_cleanup function comment typo [#2788]
  • Fix: MULTIPART_INVALID_PART connected to wrong internal variable [#2785]
  • Restore Unique_id to include random portion after timestamp [#2752, #2758]

Update to version 3.0.7

  • Support PCRE2
  • Support SecRequestBodyNoFilesLimit
  • Add ctl:auditEngine action support
  • Move PCRE2 match block from member variable
  • Add SecArgumentsLimit, 200007 to modsecurity.conf-recommended
  • Fix memory leak when concurrent log includes REMOTE_USER
  • Fix LMDB initialization issues
  • Fix initcol error message wording
  • Tolerate other parameters after boundary in multipart C-T
  • Add DebugLog message for bad pattern in rx operator
  • Fix misuses of LMDB API
  • Fix duplication typo in code comment
  • Fix multiMatch msg, etc, population in audit log
  • Fix some name handling for ARGS_*NAMES: regex SecRuleUpdateTargetById, etc.
  • Adjust confusing variable name in setRequestBody method
  • Multipart names/filenames may include single quote if double-quote enclosed
  • Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended

Update to version 3.0.6

  • Security issue: Support configurable limit on depth of JSON parsing, possible DoS issue. CVE-2021-42717

Update to version 3.0.5

  • New: Having ARGS_NAMES, variables proxied
  • Fix: FILES variable does not use multipart part name for key
  • GeoIP: switch to GEOIP_MEMORY_CACHE from GEOIP_INDEX_CACHE
  • Support configurable limit on number of arguments processed
  • Adds support to lua 5.4
  • Add support for new operator rxGlobal
  • Fix: Replaces put with setenv in SetEnv action
  • Fix: Regex key selection should not be case-sensitive
  • Fix: Only delete Multipart tmp files after rules have run
  • Fixed MatchedVar on chained rules
  • Fix IP address logging in Section A
  • Fix: rx: exit after full match (remove /g emulation); ensure capture groups occurring after unused groups still populate TX vars
  • Fix rule-update-target for non-regex
  • Fix Security Impacting Issues:
  • Handle URI received with uri-fragment, CVE-2020-15598

update to 3.0.4:

  • Fix: audit log data omitted when nolog,auditlog
  • Fix: ModSecurity 3.x inspectFile operator does not pass
  • XML: Remove error messages from stderr
  • Filter comment or blank line for pmFromFile operator
  • Additional adjustment to Cookie header parsing
  • Restore chained rule part H logging to be more like 2.9 behaviour
  • Small fixes in log messages to help debugging the file upload
  • Fix Cookie header parsing issues
  • Fix: rules with nolog are logging to part H
  • Fix argument key-value pair parsing cases
  • Fix: audit log part for response body for JSON format to be E
  • Make sure m_rulesMessages is filled after successful match
  • Fix @pm lookup for possible matches on offset zero.
  • Regex lookup on the key name instead of COLLECTION:key
  • Missing throw in Operator::instantiate
  • Making block action execution dependent on the SecEngine status
  • Having body limits to respect the rule engine state
  • Fix SecRuleUpdateTargetById does not match regular expressions
  • Adds missing check for runtime ctl:ruleRemoveByTag
  • Adds a new operator verifySVNR that checks for Austrian social security numbers.
  • Fix variables output in debug logs
  • Correct typo validade in log output
  • fix/minor: Error encoding hexadecimal.
  • Limit more log variables to 200 characters.
  • parser: fix parsed file names
  • Allow empty anchored variable
  • Fixed FILES_NAMES collection after the end of multipart parsing
  • Fixed validateByteRange parsing method
  • Removes a memory leak on the JSON parser
  • Enables LMDB on the regression tests.
  • Fix: Extra whitespace in some configuration directives causing error
  • Refactoring on Regex and SMatch classes.
  • Fixed buffer overflow in Utils::Md5::hexdigest()
  • Implemented merge() method for ConfigInt, ConfigDouble, ConfigString
  • Adds initial support for the drop action.
  • Complete merging of particular rule properties
  • Replaces AC_CHECK_FILE with 'test -f'
  • Fix inet addr handling on 64 bit big endian systems
  • Fix tests on FreeBSD
  • Changes ENV test case to read the default MODSECURITY env var
  • Regression: Sets MODSECURITY env var during the tests execution
  • Fix setenv action to strdup key=variable
  • Allow 0 length JSON requests.
  • Fix 'make dist' target to include default configuration
  • Replaced log locking using mutex with fcntl lock
  • Correct the usage of modsecurity::Phases::NUMBER_OF_PHASES
  • Adds support to multiple ranges in ctl:ruleRemoveById
  • Rule variable interpolation broken
  • Make the boundary check less strict as per RFC2046
  • Fix buffer size for utf8toUnicode transformation
  • Fix double macros bug
  • Override the default status code if not suitable to redirect action
  • parser: Fix the support for CRLF configuration files
  • Organizes the server logs
  • m_lineNumber in Rule not mapping with the correct line number in file
  • Using shared_ptr instead of unique_ptr on rules exceptions
  • Changes debuglogs schema to avoid unnecessary str allocation
  • Fix the SecUnicodeMapFile and SecUnicodeCodePage
  • Changes the timing to save the rule message
  • Fix crash in msc_rules_add_file() when using disruptive action in chain
  • Fix memory leak in AuditLog::init()
  • Fix RulesProperties::appendRules()
  • Fix RULE lookup in chained rules
  • @ipMatch 'Could not add entry' on slash/32 notation in 2.9.0
  • Using values after transformation at MATCHED_VARS
  • Adds support to UpdateActionById.
  • Add correct C function prototypes for msc_init and msc_create_rules_set
  • Allow LuaJIT 2.1 to be used
  • Match m_id JSON log with RuleMessage and v2 format
  • Adds support to setenv action.
  • Adds new transaction constructor that accepts the transaction id as parameter.
  • Adds request IDs and URIs to the debug log
  • Treating variable exceptions at load time instead of run time.
  • Fix: function m.setvar in Lua scripts and add testcases
  • Fix SecResponseBodyAccess and ctl:requestBodyAccess directives
  • Fix OpenBSD build
  • Fix parser to support GeoLookup with MaxMind
  • parser: Fix single-quoted setvar at the end of the line
  • Fix pc file
  • modsecrulescheck: uses the GNU '.la' instead of '.a' file
  • good practices: Initialize variables before using them
  • Fix utf-8 character encoding conversion
  • Adds support for ctl:requestBodyProcessor=URLENCODED
  • Add LUA compatibility for CentOS and try to use LuaJIT first if available
  • Allow LuaJIT to be used
  • Implement support for Lua 5.1
  • Variable names must match fully, not partially. Match should be case insensitive.
  • Improves the performance while loading the rules
  • Allow empty strings to be evaluated by regex::searchAll
  • Adds basic pkg-config info
  • Fixed LMDB collection errors
  • Fixed false positive MULTIPART_UNMATCHED_BOUNDARY errors
  • Fix ip tree lookup on netmask content
  • Changes the behavior of the default sec actions
  • Refactoring on {global,ip,resources,session,tx,user} collections
  • Fix race condition in UniqueId::uniqueId()
  • Fix memory leak in error message for msc_rules_merge C APIs
  • Return false in SharedFiles::open() when an error happens
  • Use rvalue reference in ModSecurity::serverLog
  • Build System: Fix when multiple lines for curl version.
  • Checks if response body inspection is enabled before processing it
  • Fix setvar parsing of quoted data
  • Adds time stamp back to the audit logs
  • Disables skip counter if debug log is disabled
  • Cosmetics: Represents amount of skipped rules without decimal
  • Add missing escapeSeqDecode, urlEncode and trimLeft/Right tfns to parser
  • Fix STATUS var parsing and accept STATUS_LINE var for v2 backward comp.
  • Fix memory leak in modsecurity::utils::expandEnv()
  • Initialize m_dtd member in ValidateDTD class as NULL
  • Fix broken @detectxss operator regression test case
  • Fix utils::string::ssplit() to handle delimiter at the end of string
  • Fix variable FILES_TMPNAMES
  • Fix memory leak in Collections
  • Fix lib version information while generating the .so file
  • Adds support for ctl:ruleRemoveByTag
  • Fix SecUploadDir configuration merge
  • Include all prerequisites for 'make check' into dist archive
  • Fix: Reverse logic of checking output in @inspectFile
  • Adds support to libMaxMind
  • Adds capture action to detectXSS
  • Temporarily accept invalid MULTIPART_SEMICOLON_MISSING operator
  • Adds capture action to detectSQLi
  • Adds capture action to rbl
  • Adds capture action to verifyCC
  • Adds capture action to verifySSN
  • Adds capture action to verifyCPF
  • Prettier error messages for unsupported configurations (UX)
  • Add missing verify* transformation statements to parser
  • Fix a set of compilation warnings
  • Check for disruptive action on SecDefaultAction.
  • Fix block-block infinite loop.
  • Correction removebytag and removebymsg logic.
  • Fix LMDB compile error
  • Fix msc_who_am_i() to return pointer to a valid C string
  • Added some cosmetics to autoconf related code
  • Fix 'make dist' target to include necessary headers for Lua
  • Fix 'include /foo/*.conf' for single matched object in directory
  • Add missing Base64 transformation statements to parser
  • Fixed resource load on ip match from file
  • Fixed examples compilation while using disable-shared
  • Fixed compilation issue while xml is disabled
  • Having LDADD and LDFLAGS organized on Makefile.am
  • Checking std::deque size before using it
  • perf improvement: Added the concept of RunTimeString and removed all run time parser.
  • perf improvement: Checks debuglog level before format debug msg
  • perf. improvement/rx: Only compute dynamic regex in case of macro
  • Fix uri on the benchmark utility
  • disable Lua on systems with liblua5.1
References

Affected packages

SUSE:Package Hub 15 SP5 / modsecurity

Package

Name
modsecurity
Purl
purl:rpm/suse/modsecurity&distro=SUSE%20Package%20Hub%2015%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
3.0.10-bp155.3.3.1

Ecosystem specific

{
    "binaries": [
        {
            "libmodsecurity3": "3.0.10-bp155.3.3.1",
            "libmodsecurity3-32bit": "3.0.10-bp155.3.3.1",
            "modsecurity-devel": "3.0.10-bp155.3.3.1",
            "libmodsecurity3-64bit": "3.0.10-bp155.3.3.1",
            "modsecurity": "3.0.10-bp155.3.3.1"
        }
    ]
}

openSUSE:Leap 15.5 / modsecurity

Package

Name
modsecurity
Purl
purl:rpm/suse/modsecurity&distro=openSUSE%20Leap%2015.5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
3.0.10-bp155.3.3.1

Ecosystem specific

{
    "binaries": [
        {
            "libmodsecurity3": "3.0.10-bp155.3.3.1",
            "libmodsecurity3-32bit": "3.0.10-bp155.3.3.1",
            "modsecurity-devel": "3.0.10-bp155.3.3.1",
            "libmodsecurity3-64bit": "3.0.10-bp155.3.3.1",
            "modsecurity": "3.0.10-bp155.3.3.1"
        }
    ]
}