Brian Rectanus | 8 May 18:44

ModSecurity 2.5.4 Released

Hello all,

ModSecurity 2.5.4 was released.  This fixes a problem with
transformation caching in ModSecurity 2.5 through version 2.5.3.

Transformation Caching Issue Details:

If you are using a transformation in SecDefaultAction and t:none in a
rule, then there is the potential for the rule to use the wrong cached
value (the default transformation value), possibly resulting in a false
negative (no match).  The Core Rules v1.6 do not require a default
transformation, but there is a potential for a false negative if a
default transformation is defined.  Upgrading to 2.5.4 is encouraged,
however, workarounds are available until an upgrade is possible.

Workarounds for Transformation Caching Issue in 2.5.0-2.5.3:

1) (recommended) Disable transformation caching until you can upgrade to
2.5.4 with:

   SecCacheTransformations Off

2) Remove any default transformations in SecDefaultAction if other rules
are not depending on them.

Packages can be downloaded from modsecurity.org as always.

-B

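As an added illustration of the false negative described in the announcement (constructed here, not ModSecurity's code), the toy engine below caches a transformed variable value the way the faulty behaviour is described: a rule that says t:none gets the default-transformed value back from the cache and misses a case-sensitive pattern. The cache key shape and the `keyed_by_chain` fix are assumptions of this model, not a description of the 2.5.4 change; disabling the cache corresponds to the `SecCacheTransformations Off` workaround.

```python
import re

# Constructed toy model of the 2.5.0-2.5.3 transformation-cache defect.
# Real ModSecurity internals differ; only the observable effect is modelled.
TRANSFORMS = {
    "lowercase": str.lower,
    "removeWhitespace": lambda s: "".join(s.split()),
}


def apply_chain(value, chain):
    """Apply a transformation chain (t:a,t:b,...) to a variable value."""
    for name in chain:
        value = TRANSFORMS[name](value)
    return value


class RuleEngine:
    def __init__(self, default_chain, cache_on=True, keyed_by_chain=False):
        self.default_chain = tuple(default_chain)  # SecDefaultAction t:...
        self.cache_on = cache_on                   # SecCacheTransformations On/Off
        self.keyed_by_chain = keyed_by_chain       # assumed fix: key on (var, chain)
        self.cache = {}

    def transformed(self, var, raw, rule_chain):
        # rule_chain None -> rule inherits the default; () -> rule said t:none
        chain = self.default_chain if rule_chain is None else tuple(rule_chain)
        if not self.cache_on:
            return apply_chain(raw, chain)
        # Faulty model: key on the variable only, so the first transformed
        # value wins for every later rule regardless of its own chain.
        key = (var, chain) if self.keyed_by_chain else var
        if key not in self.cache:
            self.cache[key] = apply_chain(raw, chain)
        return self.cache[key]

    def matches(self, var, raw, pattern, rule_chain=None):
        return re.search(pattern, self.transformed(var, raw, rule_chain)) is not None


def run_scenario(cache_on, keyed_by_chain):
    """Return (default-chain rule matched, t:none rule matched)."""
    engine = RuleEngine(["lowercase"], cache_on, keyed_by_chain)
    raw = "UNION SELECT"  # constructed request argument value
    first = engine.matches("ARGS:q", raw, r"union select")             # default t:lowercase
    second = engine.matches("ARGS:q", raw, r"UNION SELECT", rule_chain=())  # t:none
    return first, second
```

With the faulty cache the second rule sees "union select" and misses; with caching off, or with a chain-aware key, it sees the raw value and matches.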

Brian Rectanus | 8 May 21:44

Re: ModSecurity 2.5.4 Released

Brian Rectanus wrote:
> Hello all,
> 
> ModSecurity 2.5.4 was released.  This fixes a problem with
> transformation caching in ModSecurity 2.5 through version 2.5.3.
> 
> Transformation Caching Issue Details:
> 
> If you are using a transformation in SecDefaultAction and t:none in a
> rule, then there is the potential for the rule to use the wrong cached
> value (the default transformation value), possibly resulting in a false
> negative (no match).  The Core Rules v1.6 do not require a default
> transformation, but there is a potential for a false negative if a
> default transformation is defined.  Upgrading to 2.5.4 is encouraged,
> however, workarounds are available until an upgrade is possible.
> 
> Workarounds for Transformation Caching Issue in 2.5.0-2.5.3:
> 
> 1) (recommended) Disable transformation caching until you can upgrade to
> 2.5.4 with:
> 
>    SecCacheTransformations Off
> 
> 2) Remove any default transformations in SecDefaultAction if other rules
> are not depending on them.
> 
> Packages can be downloaded from modsecurity.org as always.
> 
> -B
> 