Upgrade Your ModSecurity

I just noticed that ModSecurity 2.5.8 and 2.5.9 has been released on the same day (March 11, 2009).

Later on I found out that version 2.5.8 fix the following security issues :

  • Fixed PDF XSS issue where a non-GET request for a PDF file would crash the Apache httpd process. Discovered by Steve Grubb at Red Hat.
  • Removed an invalid “Internal error: Issuing “%s” for unspecified error.” message that was logged when denying with nolog/noauditlog set and

While the 2.5.9 superseded it to fix major security issue :

  • Fixed parsing multipart content with a missing part header name which would crash Apache. Discovered by “Internet Security Auditors” (isecauditors.com).

So if you are using ModSecurity version <= 2.5.8, please do upgrade your ModSecurity to version 2.5.9.

Oh BTW, if you are going to compile the ModSecurity by yourself, you may need to add –with-apr= option to the configure script, like the following :

./configure [your_other_options]


Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s