I just noticed that ModSecurity 2.5.8 and 2.5.9 have been released on the same day (March 11, 2009).
Later on I found out that version 2.5.8 fixes the following security issues:
- Fixed PDF XSS issue where a non-GET request for a PDF file would crash the Apache httpd process. Discovered by Steve Grubb at Red Hat.
- Removed an invalid “Internal error: Issuing “%s” for unspecified error.” message that was logged when denying with nolog/noauditlog set and
Version 2.5.9 superseded it the same day to fix a major security issue:
- Fixed parsing multipart content with a missing part header name which would crash Apache. Discovered by “Internet Security Auditors” (isecauditors.com).
So if you are using ModSecurity version <= 2.5.8, please do upgrade your ModSecurity to version 2.5.9.
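A quick way to tell whether a server still runs an affected build is to read the version ModSecurity reports at startup and compare it against 2.5.9. The script below is an added example, not code from the original post or from the ModSecurity project; it assumes that ModSecurity 2.5.x writes a startup line of the form "ModSecurity for Apache/2.5.8 (http://www.modsecurity.org/) configured." to the Apache error log, and the log lines it parses are constructed samples.

```sh
#!/bin/sh
# Added example (not from the original post): flag ModSecurity builds
# older than the fixed 2.5.9 release by reading the startup notice that
# ModSecurity 2.5.x writes to the Apache error log (assumed format).

FIXED_VERSION="2.5.9"

# version_lt A B: succeed (exit 0) when dotted version A is older than B.
# Compares up to three numeric components; a missing component counts as 0.
version_lt() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 3 ]; do
        pa=$(printf '%s' "$a" | cut -d. -f"$i")
        pb=$(printf '%s' "$b" | cut -d. -f"$i")
        pa=${pa:-0}; pb=${pb:-0}
        if [ "$pa" -lt "$pb" ]; then return 0; fi
        if [ "$pa" -gt "$pb" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1   # versions are equal
}

# modsec_version_from_log: read log text on stdin, print the version from
# the last "ModSecurity for Apache/X.Y.Z ... configured." line (assumed format).
modsec_version_from_log() {
    sed -n 's/.*ModSecurity for Apache\/\([0-9][0-9.]*\).*configured\..*/\1/p' | tail -n 1
}

# needs_upgrade LOGTEXT: exit 0 if the logged version is below 2.5.9,
# 1 if it is 2.5.9 or newer, 2 if no startup line was found.
needs_upgrade() {
    v=$(printf '%s\n' "$1" | modsec_version_from_log)
    [ -n "$v" ] || return 2
    version_lt "$v" "$FIXED_VERSION"
}

# Constructed sample of an error_log excerpt (not a real server's log).
SAMPLE_LOG='[Wed Mar 11 10:00:00 2009] [notice] ModSecurity for Apache/2.5.8 (http://www.modsecurity.org/) configured.
[Wed Mar 11 10:00:01 2009] [notice] Apache/2.2.11 (Unix) configured -- resuming normal operations'

if needs_upgrade "$SAMPLE_LOG"; then
    echo "ModSecurity older than $FIXED_VERSION detected: upgrade recommended"
else
    echo "ModSecurity is $FIXED_VERSION or newer, or no startup line found"
fi
```

On a real host, replace the constructed sample with `needs_upgrade "$(cat /path/to/error_log)"`; the startup notice only appears once per httpd start, so the log must cover the most recent restart.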
Oh BTW, if you are going to compile ModSecurity yourself, you may need to add the --with-apr= option to the configure script, like the following: