Hi!

mod_security-2.5.11 was released on Nov 4 - please bump.

ModSecurity 2.5.11 has been released and is now available.

This release fixes a multipart parsing issue that has the potential to allow bypassing the rules engine. This bypass can be avoided via some simple rules, however. Other changes include a rules update (CRS 2.0.3) and some minor cleanup in build, mlogc, persistence and the output filter ordering.

By using non-standard (but accepted by some platforms) quoting, ModSecurity may be fooled into thinking some parameters are uploaded files. A working example was presented at POC2009.

To mitigate this, the following rules (also included in the latest CRS v2.0.3, included with ModSecurity 2.5.11) are recommended until you can update to ModSecurity 2.5.11:

    # Identify multipart/form-data name evasion attempts
    SecRule FILES "['\";=]" \
      "phase:2,deny,log,t:none,\
      msg:'Attempted multipart/form-data bypass'"
    SecRule FILES_NAMES "['\";=]" \
      "phase:2,deny,log,t:none,\
      msg:'Attempted multipart/form-data bypass'"

Downloads and docs from modsecurity.org as usual.

04 Nov 2009 - 2.5.11
--------------------

 * Added a new multipart flag, MULTIPART_INVALID_QUOTING, which will be set true if any invalid quoting is found during multipart parsing.
 * Fixed parsing quoted strings in multipart Content-Disposition headers. Discovered by Stefan Esser.
 * Cleanup persistence database locking code.
 * Added warning during configure if libcurl is found linked against gnutls for SSL. The openssl lib is recommended as gnutls has proven to cause issues with mutexes and may crash.
 * Cleanup some mlogc (over)logging.
 * Do not log output filter errors in the error log.
 * Moved output filter to run before other stock filters (mod_deflate, mod_cache, mod_expires, mod_filter) to avoid analyzing modified data in the response. Patch originally submitted by Ivan Ristic.

--
Brian Rectanus
Breach Security

Reproducible: Always
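The character class used by the two rules above, run over a constructed upload request. This is an added example, not part of the original report or the ModSecurity announcement. It assumes Python's standard email parser as a stand-in for ModSecurity's multipart parser (the two may split the same bytes differently), and `upload_parts` and `flag_uploads` are hypothetical helper names.

```python
import re
from email import message_from_bytes

# Same character class as the two SecRule patterns quoted above.
EVASION_CHARS = re.compile(r"""['";=]""")

def upload_parts(content_type, body):
    """Return (field_name, filename) for every part that carries a filename.

    field_name corresponds to FILES_NAMES and filename to FILES. Python's
    email parser is an assumption here, not ModSecurity's own parser.
    """
    raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
    msg = message_from_bytes(raw)
    found = []
    if not msg.is_multipart():
        return found
    for part in msg.get_payload():
        filename = part.get_filename()
        if filename is None:
            continue  # ordinary form field, not an upload
        name = part.get_param("name", "", header="content-disposition")
        found.append((str(name), str(filename)))
    return found

def flag_uploads(content_type, body):
    """Return the (field_name, filename) pairs the quoted rules would deny."""
    return [(n, f) for n, f in upload_parts(content_type, body)
            if EVASION_CHARS.search(n) or EVASION_CHARS.search(f)]

# Constructed sample request body (not taken from the advisory).
BOUNDARY = "----constructedboundary"
CONTENT_TYPE = "multipart/form-data; boundary=" + BOUNDARY
BODY = (
    "--" + BOUNDARY + "\r\n"
    'Content-Disposition: form-data; name="comment"\r\n\r\nhello\r\n'
    "--" + BOUNDARY + "\r\n"
    'Content-Disposition: form-data; name="doc"; filename="report.pdf"\r\n'
    "Content-Type: application/pdf\r\n\r\n%PDF-\r\n"
    "--" + BOUNDARY + "\r\n"
    "Content-Disposition: form-data; name=\"img\"; filename='photo.png'\r\n"
    "Content-Type: image/png\r\n\r\nPNG\r\n"
    "--" + BOUNDARY + "--\r\n"
).encode("ascii")

if __name__ == "__main__":
    for name, filename in flag_uploads(CONTENT_TYPE, BODY):
        print("deny: field=%r filename=%r" % (name, filename))
```

Only the part whose filename keeps its single quotes is flagged. The properly double-quoted upload and the plain form field pass.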
Not going to work on this before next week, please prod me if by, say, Tuesday 17th I've not bumped this (I'm taking a week-long vacation).
Committed.