|
5 | 5 | or the CRS mailinglist at
|
6 | 6 | * https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
|
7 | 7 |
|
8 |
| -== Version 3.0.1 - 4/16/2017 == |
9 |
| - |
10 |
| -* As of CRS version 3.0.1, support has been added for the application/soap+xml MIME |
11 |
| - type by default, as specified in RFC 3902. OF IMPORTANCE, application/soap+xml is |
12 |
| - indicative that XML will be provided. In accordance with this, ModSecurity's XML |
13 |
| - Request Body Processor should also be configured to support this MIME type. Within |
14 |
| - the ModSecurity project, commit 5e4e2af |
15 |
| - (https://github.com/SpiderLabs/ModSecurity/commit/5e4e2af7a6f07854fee6ed36ef4a381d4e03960e) |
16 |
| - has been merged to support this endevour. However, if you are running a modified or |
17 |
| - preexisting version of the modsecurity.conf provided by this repository, you may |
18 |
| - wish to upgrade rule '200000' accordingly. The rule now appears as follows: |
19 |
| - |
20 |
| -``` |
21 |
| -SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \ |
22 |
| - "id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML" |
23 |
| -``` |
| 8 | +== Version 3.0.1 - 5/9/2017 == |
| 9 | + |
| 10 | + * SECURITY: Removed insecure handling of X-Forwarded-For header; |
| 11 | + reported by Christoph Hansen (Walter Hop) |
| 12 | + * Fixed documentation errors in RESPONSE-999-... (Chaim Sanders) |
| 13 | + * Reduced FPs on 942190 by adding a word boundary to regex (Franziska Bühler) |
| 14 | + * Reduced FPs on 932150 by removing keyword reset (Franziska Bühler) |
| 15 | + * Tidied exceptions in 930100 (Roberto Paprocki) |
| 16 | + * Reduced FPs for 920120 by splitting into stricter sibling (Franziska Bühler) |
| 17 | + * Simplified some Drupal rule exclusions (Damien McKenna, Christian Folini) |
| 18 | + * Extended KNOWN_BUGS with remarks on JSON support on Debian (Franziska Bühler) |
| 19 | + * Updated README to add gitter support (Chaim Sanders) |
| 20 | + * Clarified DoS documentation for static extensions (Roberto Paprocki) |
| 21 | + * Added application/octet-stream to allowed content types (Christian Folini) |
| 22 | + * Typo in 942220 alert message (Chaim Sanders, @bossloper) |
| 23 | + * Moved referrer check of 941100 into new PL2 rule (Franziska Bühler) |
| 24 | + * Closed multiple @pmf evasions via lowercase transformation (Roberto Paprocki) |
| 25 | + * Clarified libinjection bundling in INSTALL file (@cjdp) |
| 26 | + * Reduced FPs via Wordpress Rule Exclusions (Walter Hop) |
| 27 | + * Support for RFC 3902 (Content Type application/soap+xml; Christoph Hansen) |
| 28 | + Make sure you update ModSecurity recommended rule 200000 as well. |
| 29 | + * Bugfix in 942410 regex (Christian Folini) |
| 30 | + * Reduced FPs for 942360 (Walter Hop) |
| 31 | + * Reduced FPs for 941120 by restricting event handler names (Franziska Bühler) |
| 32 | + * Extended 931000 with scheme "file" to fix false negative (Federico Schwindt) |
| 33 | + * Extended 905100 and 905110 for HTTP/2.0 (includes bugfix, Christoph Hansen) |
| 34 | + * Moved 941150 from PL1 to PL2; includes Bugfix for rule (Christian Folini) |
| 35 | + * Updated documentation for 920260 (Chaim Sanders) |
| 36 | + * Bugfix in upgrade.py (Victor Hora) |
| 37 | + * Fixed FP in RCE rule 932140 (Walter Hop) |
| 38 | + * Fixed comment for arg limit check rule 920370 (Christian Folini) |
| 39 | + * Created CONTRIBUTORS file |
| 40 | + * Added Christoph Hansen (emphazer) to CONTRIBUTORS file |
| 41 | + * Added Franziska Bühler (franbuehler) to CONTRIBUTORS file |
| 42 | + * Fixed bug with DoS rule 912160 (@loudly-soft, Christian Folini) |
| 43 | + |
24 | 44 |
|
25 | 45 |
|
26 | 46 | == Version 3.0.0 - 11/10/2016 ==
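Review bot: the application/soap+xml bullet in the rewritten 3.0.1 entry tells operators to update ModSecurity recommended rule 200000 but drops what the removed entry carried, namely the updated rule text and the ModSecurity commit that introduced it (5e4e2af, https://github.com/SpiderLabs/ModSecurity/commit/5e4e2af7a6f07854fee6ed36ef4a381d4e03960e). Because 200000 lives in modsecurity.conf rather than in this repository, a reader of this file alone can no longer check that their XML request body processor is actually enabled for that MIME type; suggest keeping the two-line rule under that bullet, `SecRule REQUEST_HEADERS:Content-Type "(?:application(?:/soap\+|/)|text/)xml" \` followed by `"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"`, or at least the commit link. The SECURITY item on the X-Forwarded-For change would likewise benefit from naming the affected rule IDs, as the other bullets do, so operators can verify that their own rule exclusions do not reintroduce the removed handling.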