v3.0.11
Security impacting issue
- Add WRDE_NOCMD to wordexp call
[Issue #3024 - @sahruldotid, @martinhsv]
Note: Although this issue ostensibly allows for specially-crafted SecRule content to execute OS command-line commands when the rules are loaded, this is unlikely to be a serious issue in most deployments. A malicious actor who has access to modify the ModSecurity configuration of an installation can cause severe effects in a multitude of other ways.
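The effect of the flag named above, shown as an added example (not ModSecurity's own code): with WRDE_NOCMD, POSIX wordexp() refuses input containing command substitution and returns WRDE_CMDSUB instead of invoking a shell. The helper name expand_first and the sample strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <wordexp.h>

/* Hypothetical helper: expand `pattern` with the given wordexp() flags and
 * copy the first resulting word into `out`. Returns wordexp()'s status. */
static int expand_first(const char *pattern, int flags, char *out, size_t outlen)
{
    wordexp_t we;
    memset(&we, 0, sizeof we);
    out[0] = '\0';

    int rc = wordexp(pattern, &we, flags);
    if (rc != 0) {
        /* Per POSIX, only WRDE_NOSPACE leaves partial results to free. */
        if (rc == WRDE_NOSPACE)
            wordfree(&we);
        return rc;
    }
    if (we.we_wordc > 0)
        snprintf(out, outlen, "%s", we.we_wordv[0]);
    wordfree(&we);
    return 0;
}

int main(void)
{
    /* Constructed inputs, not taken from ModSecurity or issue #3024. */
    const char *samples[] = {
        "/tmp/example/rules.conf",   /* plain path: expands to itself  */
        "$(echo injected).conf",     /* $(...) command substitution    */
        "`echo injected`.conf",      /* backtick command substitution  */
    };
    char buf[256];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        /* WRDE_NOCMD: fail with WRDE_CMDSUB rather than run a command. */
        int rc = expand_first(samples[i], WRDE_NOCMD, buf, sizeof buf);
        if (rc == 0)
            printf("%-26s -> ok: %s\n", samples[i], buf);
        else if (rc == WRDE_CMDSUB)
            printf("%-26s -> rejected (WRDE_CMDSUB)\n", samples[i]);
        else
            printf("%-26s -> error %d\n", samples[i], rc);
    }
    return 0;
}
```

Tilde and environment-variable expansion still work under WRDE_NOCMD; only command substitution is refused.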
New feature
- Add support for expirevar action
[Issue #1803, #3001 - @martinhsv]
Enhancements and bug fixes
- Fix: validateDTD compile fails if libxml2 not installed
[Issue #3014 - @zangobot, @martinhsv]
- Fix memory leak of validateDTD's dtd object
[Issue #3008 - @martinhsv, @zimmerle]
- Fix memory leaks in ValidateSchema
[Issue #3005 - @martinhsv, @zimmerle]
- Fix: lmdb regex match on non-null terminated string
[Issue #2985 - @martinhsv]
- Fix memory leaks in lmdb code (new'd strings)
[Issue #2983 - @martinhsv]
- Configure: add additional name to pcre2 pkg-config list
[Issue #2939 - @agebhar1, @fzipi, @martinhsv]