Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package owasp-modsecurity-crs for openSUSE:Factory checked in at 2025-01-28 17:06:16
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/owasp-modsecurity-crs (Old)
 and      /work/SRC/openSUSE:Factory/.owasp-modsecurity-crs.new.2316 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "owasp-modsecurity-crs"

Tue Jan 28 17:06:16 2025 rev:9 rq:1240848 version:4.9.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/owasp-modsecurity-crs/owasp-modsecurity-crs.changes	2023-09-01 14:22:34.303429191 +0200
+++ /work/SRC/openSUSE:Factory/.owasp-modsecurity-crs.new.2316/owasp-modsecurity-crs.changes	2025-01-28 17:06:17.421230934 +0100
@@ -1,0 +2,469 @@ +Tue Dec 3 08:13:47 UTC 2024 - Flavio Castelli <fcaste...@suse.com> +- Version 4.9.0 + * Important changes + - feat: add variable to skip response rules by @fzipi in #3944 + * New features and detections + - feat: add fish shell files to restricted-files.data by @OhMyVolk in #3915 + - feat: add quantitative testing to Git workflow by @airween in #3924 + * Other Changes + - feat: added support for new web shells by @azurit in #3898 + - fix(security): remove double URL decode (921151 PL2, 932190 PL3, 942441 PL2, 942442 PL2, 942460 PL3) by @azurit in #3741 + - docs: extended rule documentation (900200) by @dune73 in #3934 +- Version 4.8.0 + * Important changes: + - fix: 9EA-241022 v4 by @RedXanadu in #3905 + * New features and detections + - chore: set up nginx tests by @theseion in #3856 + * Other Changes + - fix: remove unnecessary capture groups by @TimDiam0nd in #3849 + - fix(942120): update operators by @Xhoenix in #3841 + - fix(933120): do not match on base64 encoded strings by @fzipi in #3863 + - fix(refactor): 942130 and 942131 regex-assembly by @Xhoenix in #3862 + - fix(942520): SQL operators can be one or more characters by @Xhoenix in #3845 + - chore: remove verify id-range by @fzipi in #3885 + - chore: remove find-max-datalen-in-tests by @fzipi in #3891 + - chore: remove honeypot sensor by @fzipi in #3883 + - chore: remove browser tools by @fzipi in #3887 + - chore: remove send-payload-pls by @fzipi in #3879 + - chore: remove geo-location by @fzipi in #3875 + - chore: remove crs2 renumbering by @fzipi in #3873 + - chore: remove change-version script by @fzipi in #3869 + - chore: remove join multiline rules by @fzipi in #3877 + - chore: remove av-scanning by @fzipi in #3871 + - chore: remove util virtual patching by @fzipi in #3889 + - fix: include v3.3.6 release notes in latest by @fzipi in #3867 + - chore: remove fp-finder by @fzipi in #3893 +- Version 4.7.0 + * New features and detections + - feat: added sendgrid.env into restricted 
files by @azurit in #3823 + * Other Changes + - fix: Changed regex (920470) to match multiple whitespaces after Content-Type parameters to avoid false-positives by @lostmann-owl-it in #3818 + - fix: fp with user-agent containing ; pg (932239 PL2) by @franbuehler in #3727 + - fix: update xss detection with onwebkitplaybacktargetavailabilitychanged event by @fzipi in #3822 + - feat: refactoring (944110 PL1) by @azurit in #3715 +- Version 4.6.0 + * Important changes: + - fix: prevent using backslash in file names by @fzipi in #3799 + - feat: add new rule to catch invalid character in multipart headers by @airween, @theseion, @fzipi in #3796 + * Other Changes + - feat: rule to detect bash tilde expansion by @Xhoenix in #3765 + - fix: Update 932270's ver by @airween in #3786 + - perf: remove unnecessary chain rule and capture (921180 PL3) by @EsadCetiner in #3787 + - fix: add pem to restricted file extensions by @EsadCetiner in #3789 + - fix(942160): check REQUEST_FILENAME by @mat1010 in #3782 +- Version 4.5.0 + * New features and detections + - feat: added arithmetic expansion payload by @Xhoenix in #3756 + * Other Changes + - fix(security): alias false negative by @Xhoenix in #3740 + - feat: add test overrides for nginx by @theseion in #3369 + - fix: use proper capture for log output of 932300 by @theseion in #3763 + - chore: use lowercase character class for 932320 by @theseion in #3772 + - fix: remove nonnecessary variable (932260 PL1) by @dune73 in #3773 +- Version 4.4.0 + * New features and detections + - feat: skip response rules if data are compressed by @azurit in #3742, #3712 + * Other Changes + - fix(934140): update regex by @fzipi in #3731 + - fix: replacing t:UrlDecode with t:UrlDecodeUni (921240 PL1, 932170 PL1, 932171 PL1, 932190 PL3, 932190 PL1, 933211 PL3, 941310 PL1, 941350 PL1) by @azurit in #3713 +- Version 4.3.0 + * New features and detections + - feat: catch Java PostgreSQL errors (951240 PL1) by @azurit in #3686 + - feat: block The Mysterious 
Mozlila User Agent bot (913100 PL1) by @brentclark in #3646 + * Other Changes + - fix: Oracle SQL database data leakage FP (951120 PL1) by @azurit in #3685 + - fix: typos in 920330 and 942280 tests by @TimDiam0nd in #3688 + - test: change pl-1 to pl1 to be inline with others by @TimDiam0nd in #3690 + - feat: use renovate to update docker-compose by @theseion in #3697 + - fix: FP for sched (932235 PL1, 932236 PL2, 932237 PL3, 932239 PL2, ⦠by @theseion in #3701 + - fix: collections not being initialized without User-Agent header by @azurit in #3645 + - feat: refactoring of rule 941310 (PL1 941310) by @azurit in #3700 + - fix: resolving more FPs with Oracle error messages (951120 PL1) by @azurit in #3703 + - fix: removing double t:urlDecodeUni (920221 PL1, 920440 PL1, 932200 PL2, 932205 PL2, 932206 PL2) by @azurit in #3699 + - fix: false positives from PHP config directives and functions (933120 PL1, 933151 PL2) by @ssigwart in #3638 + - feat: prevent detection of web shells rules as malware by Windows Defender (955260 PL1) by @azurit in #3687 + - fix: fp with name axel by removing it from rce rule (932260 PL1) by @franbuehler in #3705 +- Version 4.2.0 + * Changes with direct rule impact (sorted by lowest rule ID per change where available): + - fix: increase length of Accept-Encoding header from 50 to 100 (920520 PL1) (Franziska Bühler) [#3661] + - fix: add missing roundcube files (930120 PL1, 930121 PL2, 930130 PL1, 932180 PL1) (Esad Cetiner) [#3635] + - fix: add visudo and cscli to unix-shell.data (932160 PL1, 932161 PL2) (Esad Cetiner) [#3663] + - feat: block crowdsec cscli and visudo commands (932235 PL1, 932236 PL2, 932237 PL3, 932239 PL2, 932260 PL1) (Esad Cetiner) [#3649] + - fix: add detection for php evasion attempt (933100 PL1) (Franziska Bühler) [#3667] + * Changes without direct rule impact: + - feat: disassemble php rule (933100 PL1) (Franziska Bühler) [#3662] + - chore: remove references to nonexistant 942110 rule (Esad Cetiner) [#3648] +- Version 
4.1.0. + - feat: add check for combinations of t:lowercase and (?i) to lint (Franziska Bühler) [#3584] + - feat: add support for additional ansible and chef commands (932160 PL1, 932161 PL2, 932235 PL1, 932260 PL1, 932236 PL2, 932239 PL2, 932237 PL3) (Esad Cetiner) [#3601] + - feat: move HTTP header rules to phase 1 (932161 PL2, 932205 PL2, 932206 PL2, 932237 PL3) (Esad Cetiner) [#3570] + - fix: prevent FPs against names due to "cron" (932260 PL1, 932236 PL2, 932237 PL3, 932239 PL2) (@superlgn) [#3578] + - fix: add missing tags and ver action (various rules) (Jozef Sudolský) [#3571] + - fix: adding more missing tags and ver actions (Jozef Sudolský) [#3593] + - fix: do not check URL fragments in referer headers as part of the existing rule to prevent FPs (932205 PL2) (Max Leske) [#3485] + - fix: range expressions must not start with \v (various rules) (Max Leske) [#3615] + - fix: remove t:lowercase from rules that use '(?i)' modifier in their regex (942150 PL2, 942151 PL1, 942152 PL2) (Ervin Hegedus) [#3585] + - test: change HTTP method to uppercase for test 932260-28 (Matteo Pace) [#3580] + - chore(deps): update workflow actions (Max Leske) [#3613] + - chore: add Esad Cetiner to list of developers (@EsadCetiner) [#3589] +- Version 4.0.0. + * Important changes: + - feat: introduce plugin architecture for extending CRS and minimizing attack surface. 
(Christian Folini, Max Leske, Jozef Sudolský, Andrew Howe) [#2038, #2448, #2404] + - feat: migrate application exclusions and less-used functionality to plugins (Christian Folini, Max Leske, Jozef Sudolský, Andrew Howe) + - feat: introduce early blocking option (Christian Folini) [#1955] + - feat: introduce new rule file/category to detect use of common web shells in responses (955100-955340 PL1, 955350 PL2) (Jozef Sudolský, Andrea Menin) [#1962, #2039, #2116] + - feat: rename 'Node.js' category to 'generic' (Felipe ZipitrÃa) [#2340] + - feat: make all formerly PCRE-only regular expressions compatible with RE2/Hyperscan regular expression engines (Max Leske, Felipe ZipitrÃa, Allan Boll, Franziska Bühler) [#1868, #2356, #2425, #2426, #2371, #2372] + - feat: add support for HTTP/3 (Jozef Sudolský) [#3218] + - feat: add granular control over reporting levels in 9801xx rules (Simon Studer, Andrew Howe, Christian Folini) [#2482, #2488] + - feat: add new rule to explicitly detect multiple Content-Type abuse (CVE-2023-38199) (920620 PL1) (Andrea Menin) [#3237] + - feat: add enable_default_collections flag to not initialize collections by default (Matteo Pace) [#3141] + - feat: extend definition of restricted headers to include Content-Encoding and Accept-Charset by default (920450 PL1, 920451 PL2) (Walter Hop) [#2780, #2782] + - feat: drop HTTP/0.9 support to resolve FP (Federico G. 
Schwindt) [#1966] + - fix: refactor and rename anomaly scoring variables and paranoia level definition (Simon Studer) [#2417] + - tests: complete goal of 100% test coverage for rules (entire team, Juan-Pablo Tosso, NiceYouKnow) + - feat: switch to using WordNet instead of spell for finding English words in spell.sh (Max Leske) [#3242] + - feat: publish nightly packages regularly (Felipe ZipitrÃa) [#2207] + * Changes with direct rule impact (sorted by lowest rule ID per change where available): + - feat: add placeholder files for new plugin architecture (Walter Hop) [#2515] + - feat: check initialization and use for all TX variables (Ervin Hegedus) [#3043] + - feat: extend rule to detect restricted method override headers (Mark Zeman / KramNamez) [#3056] + - feat: extend rules to detect keyword time as prefix of *nix and Windows RCE rules (rules later replaced) (Franziska Bühler) [#2819] + - feat: improve Unix shell evasion prefix (various rules) (Jitendra Patro, Max Leske) [#3518] + - feat: improve performance by removing unnecessary lowercase transformations (various rules) (Jozef Sudolský) [#2106] + - feat: add additional prefix commands to 'unix-shell-evasion-prefix' (various rules) (Jitendra Patro) [#3557 + - feat: consolidate 'unix-evasion-prefix*' files to ensure they don't diverge (various rules) (Franziska Bühler, Max Leske, Andrew Howe) [#3531] + - feat: move regexp-assemble data files to root directory (Felipe ZipitrÃa) [#3002] + - feat: move rules to the earliest phase possible based on their inputs (various rules) (Ervin Hegedus) [#1941] + - feat: remove superfluous 'urlDecodeUni' transformations (various rules) (Federico G. 
Schwindt) [#1845] + - feat: rename 'tx.blocking_early' to 'tx.early_blocking' (various rules) (Christian Folini) [#2414] + - feat: simplify regular expressions by replacing upper-case with lower-case matches if the expression is case-insensitive (various rules) (Felipe ZipitrÃa) [#2485] + - feat: remove SecCollectionTimeout from crs-setup.conf (Christian Folini) [#3559] + - fix: do not log 'MATCHED_VAR' when the it contains the full response body (various rules) (Jozef Sudolský) [#1985] + - fix: do not unnecessarily escape forward slashes in regular expressions (various rules) (Federico G. Schwindt) [#1842] + - fix: reformat several initialization rules to follow project guidelines (Ervin Hegedus) [#3157] + - fix: remove auditLogParts actions from all rules where present (Andrea Menin, Ervin Hegedus) [#3034, #3081] + - fix: remove uncommon Content Types from default in crs-setup.conf.example (Andrea Menin) [#2768] + - fix: update diverse rules to follow new naming convention with paranoia level TX variables (Christoph Hansen) [#2937] + - fix: update various rules to consolidate use of backslashes to \x5c representation for better compatibility with known WAF engines (various rules) (Andrew Howe, Max Leske) [#2335, #2345, #2375, #2376, #2399, #2400, #2402, #2410, #2420, #2441, #2442, #2454, #2426] + - fix: remove initialization rules for redundant IP reputation variables (901150, 901152) (Andrew Howe) [#2833] + - fix: initialize all variables used properly (901169) (Ervin Hegedus) [#2802] + - feat: improve sampling mode efficiency (901410, 901420, 901440) (Paul Beckett) [#2094] + - fix: replace uses of 'ctl:ruleEngine=Off' with "ctl:ruleRemoveByTag=OWASP_CRS" to accomodate more than one ruleset (901450, 905100, 905110) (Jozef Sudolský) [#2156] + - feat: remove old, commented-out IP reputation check rule (910110 PL1) (Paul Beckett) [#2148] + - feat: detect 'burpcollaborator' scanner (913100 PL1) (Amir Hosein Aliakbarian) [#2152] + - feat: detect 'httpx' scanner 
(913100 PL1) (Will Woodson) [#2045] + - feat: detect 'LeakIX' scanner (913100 PL1) (Jozef Sudolský) [#1961] + - feat: detect 'QQGameHall' malware (913100 PL1) (Walter Hop) [#2144] + - feat: detect User-Agent of Tsunami Security Scanner (913100 PL1) (@hoexter) [#3480] + - fix: avoid FP for YAM package manager (913100 PL1) (Jozef Sudolský) [#2022] + - fix: move 'ecairn' from scanners to crawlers (913100 PL1) (Felipe ZipitrÃa) [#2408] + - feat: detect 'CensysInspect' and seoscanners.net crawlers (913102 PL2) (Andrew Howe) [#2155] + - feat: detect 'ecairn' crawler (913102 PL2) (Jozef Sudolský) [#2024] + - feat: detect 'Krzana' bot (913102 PL2) (Deepshikha Sinha) [#2432] + - fix: remove rule to detect security scanner http headers (913110 PL1) (Christian Folini) [#3241] + - feat: remove ineffective anti-scanner list scanners-urls.data and associated rule (913120 PL1) (Christian Folini) [#3235] + - fix: correct the regular expression assembly (920120 PL1) (Max Leske) [#2333] + - feat: increase rule score from warning to critial (920220 PL1) (Max Leske) [#3512] + - fix: reduce FPs by handling the last path segment separately in new rule (920220 PL1, 920221 PL1) (Max Leske) [#3512] + - fix: reduce FPs by matching on decoded variables (920220 PL1) (Max Leske) [#3512] + - feat: prevent FPs by moving rule to higher PL (920240 PL2) (Max Leske) [#3506] + - feat: valiadate 'SEC-CH-UA' and 'SEC-CH-UA-MOBILE' request headers (920274 PL4) (Chaim Sanders) [#1970] + - fix: use the right kind of validation for 'Sec-CH-UA' and 'Sec-CH-UA-Mobile' request headers (920274 PL4, 920275 PL4) (somechris) [#2028] + - fix: make validatioin of 'Sec-Fetch-User' header more strict (920275 PL4) (somechris) [#2020] + - feat: move rule from PL2 to PL3 (920300 PL3) (Franziska Bühler) [#2013] + - fix: amend rule to exclude CONNECT requests from requiring an Accept header (920300 PL3) (Andrew Howe) [#2297] + - feat: add IPv6 to the 'Host header is a numeric IP address' check (920350 PL1) (itsTheFae, 
Ervin Hegedus, Jozef Sudolský) [#1929] + - fix: avoid FP on '.axd' in restricted extensions, these are public (920440 PL1) (Jozef Sudolský) [#1925] + - feat: rework restricted headers mechanism into two separate lists (920450 PL1, 920451 PL2) (Andrew Howe) [#3152] + - fix: avoid FP in 'application/*+json' Content-Type (920470 PL1) (Mirko Dziadzka, Walter Hop) [#2455] + - fix: avoid FP in CalDAV Content-Type (920470 PL1) (Vandan Rohatgi) [#2505] + - fix: avoid FP in 'Content-Type' header with '#' character (920470 PL1) (Jozef Sudolský) [#1856] + - fix: avoid FP on 'version' string in Content-Type header (920470 PL1) (Jozef Sudolský) [#1901] + - fix: resolve false negative when matching against allowed charsets variable (920480 PL1) (katef, Federico G. Schwindt) [#1957] + - fix: replace unnecessary capture groups in regular expressions with non-capturing groups (920510 PL3, 932200 PL2, 942510 PL2, 942511 PL3) (Federico G. Schwindt) [#1983] + - feat: improve explanatory rule comments (920520 PL1) (Max Leske) [#2391] + - feat: validate 'Accept-Encoding' header (920520 PL1, 920521 PL3) (Franziska Bühler) [#2357] + - feat: new rule detect multiple occurrences of charset keyword in content type header (920530 PL1) (Jan Gora / terjanq) [#2571] + - feat: new rule to detect Unicode character bypass check for non JSON requests (920540 PL1) (Franziska Bühler, 0SPwn) [#2512] + - feat: new rule to detect # char in URIs (920610 PL1) (Karel Knibbe) [#2919] + - fix: use correct anomaly scoring variables and paranoia level tags across several rules (921170 PL1, 921220 PL4, 932220 PL2, 932331 PL3, 933211 PL3, 934101 PL1, 942362 PL2, 951100) (Christoph Hansen) [#2931] + - feat: new rules to detect HTTP parameter pollution bypasses (921210 PL3, 921220 PL4) (Christian Folini) [#2747] + - fix: use correct anomaly scoring variables and paranoia level tags across several rules (921220 PL4, 932101 PL2, 932331 PL3, 933211 PL3, 942362 PL2) (Ervin Hegedus) [#2832] + - feat: new rule to detect 
range header that is now forbidden on PL3 and up (921230 PL3) (Christian Folini) [#2760] + - feat: new rule to detect mod_proxy attack (CVE-2021-40438) (921240 PL1) (Franziska Bühler) [#2818] + - fix: add urlDecodeUni transformation rules with REQUEST_URI / REQUEST_BASENAME in phase 1 (921240 PL1, 920440 PL1, 920201 PL2, 920202 PL4) (Christian Folini) [#3411] + - feat: new rules to detecting ModSecurity body processor confusion using the Content-Type HTTP header (921421 PL1, 921422 PL2) (Simon Studer, Ervin Hegedus) [#2763] + - fix: handle false positives when detecting ModSecurity body processor confusion (921422 PL2) (Ervin Hegedus) [#2784] + - feat: new rules detecting attacks on multipart headers (922100 PL1, 922110 PL1, 922120 PL1) (Felipe ZipitrÃa) [#2769] + - fix: prevent unintended match of character set substrings in multipart/form-data requests (922100 PL1) (Jozef Sudolský) [#3470] + - feat: remove redundant t:lowercase for a little performance (922110 PL1) (Jozef Sudolský) [#3469] + - fix: remove possessive quantifiers (922110 PL1) (Felipe ZipitrÃa) [#2989] + - fix: update comments (922110 PL1, 942440 PL2) (Jozef Sudolský) [#3468] + - fix: add missing quotes at the end of action lists (930050) (Ervin Hegedus) [#2184] + - feat: disassemble regular expression (930100 PL1) (Andrew Howe) [#2298] + - fix: detect path traversal in uploaded file names (930100 PL1, 930110 PL1) (k4n5ha0, Franziska Bühler, Felipe ZipitrÃa) [#2451] + - fix: detect triple dot path traversal (930100 PL1, 930110 PL1) (Franziska Bühler) [#2309, #2310] + - feat: extended rule to detect Tomcat specific path traversal attack (930110 PL1) (Christoph Hansen) [#2915] + - fix: avoid FP for '..' 
without slashes (930110 PL1) (Tetrik, Walter Hop) [#2016] + - feat: block access to AWS CLI files (930120 PL1, 930121 PL2) (Jozef Sudolský) [#2439] + - feat: block access to extended list of sensitive files (930120 PL1, 930121 PL2, 930130 PL1) (Jozef Sudolský) [#1960] + - feat: detect /proc and /sys access attempts (930120 PL1, 930130 PL1) (Andrew Howe) [#2154] + - feat: extend rule to detect access attempts to /tmp/ (930120 PL1, 930121 PL2) (Max Leske) [#3131] + - feat: extend rule to detect ECDSA type SSH identity files via list of sensitive *nix files (930120 PL1) (Pinaki Mondal / 0xInfection) [#2586] + - fix: avoid detecting Google OAuth2 callback requests as malicious (930120 PL1, 930121 PL1) (Jozef Sudolský, Christian Folini) [#1958] + - feat: extend rule to detect additional sensitive files on *nix systems (930121 PL2, 930130 PL1) (Gwendal Le Coguic / gwen001) [#2560] + - feat: new rules to detect LFI and SQLi in user-agent and referer request headers (930121 PL2, 942152 PL2, 942321 PL2) (Franziska Bühler, Max Leske, Shivam Bathla) [#3102] + - fix: extend rule to detect more LFI (930121 PL2) (Felipe ZipitrÃa) [#2791] + - feat: add BlockCypher.log to restricted-files.data (930130 PL1) (Jozef Sudolský) [#3501] + - feat: add 'sslvpn_websession' to restricted-files.data (930130 PL1) (Jozef Sudolský) [#2338] + - feat: add .vscode to restricted-files.data (930130 PL1) (Frederik Himpe) [#3471] + - feat: extend data file to include additional restricted file names (restricted-files.data, 930130 PL1) (Jitendra Patro) [#3219] + - feat: extend data file to include PrestaShop configuration file (restricted-files.data, 930130 PL1) (Jean-François Viguier) [#3192] + - feat: extend rule to detect npm-shrinkwrap.json to restricted-files (930130 PL1) (Esa Jokinen / oh2fih) [#2627] + - fix: block access to the Java-related WEB-INF directory (930130 PL1) (Jozef Sudolský) [#2092] + - fix: remove duplicate keyword (930130 PL1) (Jozef Sudolský) [#3517] + - feat: extend rules to 
detect additional protocols in RFI attacks (931130 PL2, 934120 PL2) (Karel Knibbe) [#2572] + - feat: extend rule to detect url:file: schema in Java RFI attacks (931130 PL2) (Andrew Howe) [#2727] + - fix: add local_file scheme from Python 2 (931130 PL2, 934120 PL2) (Felipe ZipitrÃa) [#2809] + - fix: close userinfo-based bypass (931130 PL2) (Andrea Menin) [#2479] + - feat: new rule to detect path traversal attacks using URL encoded URL schemes in Java applications (931131 PL2) (Christoph Hansen) [#2902] + - feat: extend rule to detect additional *nix shell commands (931160 PL1) (Gwendal Le Coguic / gwen001) [#2563] + - feat: disassemble complex regexes for 932xxx rules that were subsequently replaced by other rules (Max Leske) [#2566] + - feat: detect additional Unix RCE commands (932100 PL1, 932105 PL1) (Felipe ZipitrÃa) [#2129] + - feat: extend rule to detect additional entries to *nix command lists (932100 PL1, 932105 PL1) (Finn Westendorf / wfinn) [#2552] + - feat: extend rule to detect additional *nix commands (932100 PL1) (Felipe ZipitrÃa) [#2676] + - feat: improve and extend cmdline processor to find more evasions (932100 PL1, 932105 PL1, 932230 PL1, 932150 PL1, 932175 PL1, 932220 PL2, 932240 PL1, 932106 PL3) (Felipe ZipitrÃa) [#2907] + - fix: avoid false positive with certain HTML character entities (932100 PL1) (Franziska Bühler) [#1954] + - feat: move *nix command injection rule 932101, 932106 into the same range as the other *nix command injection rules (932231 PL2, 932232 PL3) (Felipe ZipitrÃa, Max Leske) [#3092] + - feat: extend rule to detect additional *nix commands (932105 PL1) (Felipe ZipitrÃa) [#2677] + - feat: extend rule to detect mshta in Windows shell commands (932110 PL1) (Somdev Sangwan / s0md3v) [#2588] + - feat: new Windows commands rules based on lolbas-project replacing 932110, 932115 (932370 PL1, 932380 PL1) (Felipe ZipitrÃa, Franziska Bühler, Max Leske) [#3059, 3170] + - fix: avoid false positive on 'sort' (932115 PL1) (Franziska Bühler) 
[#2012] + - feat: detect 'Invoke-WebRequest' command (932120 PL1) (Paul Beckett) [#2271] + - feat: extend rule to detect additional PowerShell cmdlet on Windows (932120 PL1) (Pinaki Mondal / 0xInfection) [#2589] + - feat: extend rule to detect PowerShell RCEs better via new automation (932120 PL1) (Felipe ZipitrÃa) [#2669] + - feat: new rule to detect Windows cmdlet aliases (932125 PL1) (Pinaki Mondal / 0xInfection) [#2589] + - fix: extend rule to detect character class *nix expressions (932130 PL1) (Somdev Sangwan / s0md3v, Walter Hop) [#2594] + - feat: new rules to detect Log4j / Log4Shell attacks (932131 PL2, 944150 PL1, 944151 PL2, 944152 PL4) (Christian Folini, Max Leske) [#2349] + - fix: prevent false positives against brackets in User-Agent header (932131 PL2) (Max Leske) [#3486] + - feat: extend rule to detect busybox, $SHELL, and ${SHELL} in *nix RCE attacks (932150 PL1) (Walter Hop) [#2728] + - feat: extend rule to detect C99 and printf utilities (932150 PL1) (Karel Knibbe) [#2569] + - feat: extend rule to detect ksh in *nix RCE attacks (932150 PL1) (Andrew Howe) [#2721] + - feat: extend rule to detect RCE attacks using compression utilities (932150 PL1) (Andrew Howe) [#2712] + - feat: extend rule to detect RCEs using Base64 evasions (932150 PL1) (Somdev Sangwan / s0md3v, Andrew Howe) [#2590] + - feat: extend rule to detect RCEs using evasions quotes with python... 
commands (932150 PL1) (Somdev Sangwan / s0md3v, Andrew Howe) [#2590] + - feat: new rule to detect generalised *nix RCE (932150 PL2) (Karel Knibbe) [#2583] + - feat: replace *nix command injection rules 932150 PL1, 932151 PL1 with new rules for commands of less than 4 characters and commands of more than 4 characters in length respectively (932250 PL1, 932260 PL1) (Felipe ZipitrÃa, Max Leske) [#3092] + - fix: avoid FP on 'time' and 'ping' keywords (932150 PL1) (Walter Hop) [#2457] + - feat: extend rule to detect RCE better via automation (932160 PL1) (Felipe ZipitrÃa) [#2662] + - fix: remove unnecessary prefixes from paths in unix-shell.data (932160 PL1) (Felipe ZipitrÃa) [#2662] + - feat: extend rule to detect expre in unix-shell list (932161 PL2) (Felipe ZipitrÃa) [#2667] + - feat: new rules to detect *nix commands in user-agent and referer request headers (932161 PL2, 932237 PL3) (Franziska Bühler, Max Leske, Shivam Bathla) [#3132] + - feat: new rule detecting alias builtin (932175 PL1) (Felipe ZipitrÃa) [#2796] + - feat: use new automation to generate restricted-uploads.data from restricted-files.data (932180 PL1) (Max Leske) [#3282] + - fix: use correct anomaly scoring variable (932180 PL1, 932200 PL2) (Jozef Sudolský) [#2324] + - feat: detect RCE attempts with uninitialized shell vars (932200 PL2) (Andrea Menin) [#2151] + - feat: extend rule to detect RCE in user-agent request header (932200 PL2) (Franziska Bühler, Shivam Bathla) [#3108] + - feat: reduce FPs by removing User-Agent from individual target list (932200 PL2) (Max Leske) [#3489] + - fix: generate correct log entries when using 'MATCHED_VAR_NAME' in conjunction with chain rules (932200 PL2, 933120 PL1, 933151 PL2) (Jozef Sudolský) [#2347] + - fix: new rules to handle referer header and fix false positive (932205 PL2, 932206 PL2) (Max Leske) [#3300] + - feat: extend rule to detect quote evasion (932210 PL2) (Max Leske) [#3120] + - feat: extend rule to detect sh (932210 PL2) (Franziska Bühler) [#2816] 
+ - feat: extend rule to detect SQLi via automation of keyword list updates (932210 PL2) (Felipe ZipitrÃa) [#2801] + - feat: new rule to detect SQLite system command injection (932210 PL2) (flo405, Andrea Menin, Christian Folini) [#2032] + - fix: add word boundaries for sh in RCE rules (932230 PL1, 932250 PL1) (Max Leske) [#3186] + - fix: avoid FPs in RCE detections against words 'environment' and 'performance' (932230 PL1, 932235 PL1, 932260 PL1, 932236 PL2, 932237 PL3, 932239 PL2) (Esad Cetiner) [#3477] + - fix: handle false positive against sh in *nix command injection attacks (932230 PL1, 932250 PL1, 932236 PL2) (Max Leske) [#3186] + - feat: add unix commands pyversions and py3versions (932235 PL1, 932260 PL1, 932236 PL2, 932237 PL3, 932239 PL2) (Jitendra Patro) [#3465] + - feat: replace *-with-params.ra files with suffix replacements (932235 PL1, 932236 PL2, 932239 PL2, 932237 PL3) (Max Leske) [#3331] + - fix: prevent FP on keywords 'more' and 'time' in Unix RCE (932235 PL1) (Franziska Bühler) [#3488] + - fix: reduce FPs at the start of strings by excluding 'as' and 'at' (932236 PL2) (Franziska Bühler, Max Leske, Andrew Howe) [#3531 + - fix: prevent FPs against names due to "axel" and "perl" (932235 PL1, 932260 PL1, 932236 PL2, 932239 PL2, 932237 PL3) (@superlgn) [#3492] + - fix: add whitespace after keywords mail and task to solve false positives (932236 PL2) (Franziska Bühler) [#3274] + - fix: align unix-shell-upto3* files (932236 PL2) (Max Leske) [#3128] + - fix: handle false positives with word "settings" (932236 PL2, 932237 PL3, 932239 PL2) (Esad Cetiner) [#3394] + - fix: prevent FP on keywords more and time in Unix RCE (932236 PL2) (Franziska Bühler) [#3487] + - fix: solved false positives with creation of word boundaries for commonly used words used in *nix RCE rules (932236 PL2) (Max Leske) [#3187] + - fix: use correct anomaly scoring variable (932236 PL2) (Ervin Hegedus) [#3112] + - fix: improve rule by matching non-word-boundary of commands with 
options (932237 PL3) (Max Leske) [#3425] + - feat: new rule to detect *nix commands in user-agent and referer request headers (932239 PL2) (Franziska Bühler, Shivam Bathla) [#3104, #3318] + - fix: reduce FPs in generic quote evasion detection (932240 PL2) (Max Leske) [#3494] + - fix: remove ARGS_NAME from target variables in (932240 PL2) (Andrea Menin) [#2960] + - fix: use correct anomaly scoring variables and paranoia level tags across for rule (932240 PL2) (Ervin Hegedus) [#2963] + - fix: false positives by requiring specific tokens to follow commands (932250 PL1) (Max Leske) [#3186] + - fix: Added missing target name to logdata (932260 PL1, 932240 PL2) (Ervin Hegedus) [#3409] + - fix: remove chained rule (932260 PL1) (Max Leske) [#3521] + - feat: new rules to detect email protocol attacks (932300 PL2, 932310 PL2, 932320 PL2) (Felipe ZipitrÃa) [#2322] ++++ 172 more lines (skipped) ++++ between /work/SRC/openSUSE:Factory/owasp-modsecurity-crs/owasp-modsecurity-crs.changes ++++ and /work/SRC/openSUSE:Factory/.owasp-modsecurity-crs.new.2316/owasp-modsecurity-crs.changes Old: ---- owasp-modsecurity-crs-3.3.5.tar.xz New: ---- owasp-modsecurity-crs-4.9.0.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ owasp-modsecurity-crs.spec ++++++ --- /var/tmp/diff_new_pack.YavWIa/_old 2025-01-28 17:06:18.029256145 +0100 +++ /var/tmp/diff_new_pack.YavWIa/_new 2025-01-28 17:06:18.033256311 +0100 @@ -26,7 +26,7 @@ %define apache2_serverroot %(%{apxs2} -q PREFIX) %define apache2_localstatedir %(%{apxs2} -q LOCALSTATEDIR) Name: owasp-modsecurity-crs -Version: 3.3.5 +Version: 4.9.0 Release: 0 Summary: OWASP ModSecurity Common Rule Set (CRS) License: Apache-2.0 @@ -62,7 +62,7 @@ %prep %setup -q -n coreruleset-%{version} -sed -i -e '/^#!/c#!%{_bindir}/perl' util/*/*.pl +sed -i -e '/^#!/c#!%{_bindir}/python3' util/*/*.py cp %{SOURCE99} . %build 
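Review bot: the .changes hunk takes the package from 3.3.5 straight to 4.9.0, and the 4.0.0 entry it carries lists changes that break an existing 3.x deployment (application exclusions migrated to plugins, the renamed anomaly scoring and paranoia level variables [#2417], 'tx.blocking_early' renamed to 'tx.early_blocking' [#2414], SecCollectionTimeout removed from crs-setup.conf [#3559]), yet the entry never says so in its own words; the distribution changelog should state up front that a crs-setup.conf carried over from 3.3.5 has to be rebuilt from the new crs-setup.conf.example, since an admin reading only the top of this entry will assume a drop-in update. The 4.8.0 item "fix: 9EA-241022 v4 by @RedXanadu in #3905" cites an identifier without saying what it fixes; one line of description would make the entry useful to someone deciding whether to update.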
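Review bot: in the %prep hunk, `sed -i -e '/^#!/c#!%{_bindir}/python3' util/*/*.py` applies the `c` (change) command to every line that starts with `#!`, not only to the interpreter line, so a later line beginning with `#!` (in a comment or docstring) would be replaced wholesale; restricting the edit to line 1, e.g. `sed -i '1s|^#!.*|#!%{_bindir}/python3|' util/*/*.py`, does what the old perl version intended. The glob also reaches only one directory level under util, and the %files hunk that follows gives 0754 to `util/php-dictionary-gen/php-dictionary-creator.sh`, a shell script this sed does not touch; check its shebang resolves to an interpreter the package requires, since rpmlint will otherwise flag a dangling interpreter.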
@@ -104,16 +104,10 @@ %license LICENSE %dir %{_datadir}/%{name} %{_datadir}/%{name}/util -%attr(0754, root, root) %{_datadir}/%{name}/util/av-scanning/runav.pl -%attr(0754, root, root) %{_datadir}/%{name}/util/crs2-renumbering/update.py -%attr(0754, root, root) %{_datadir}/%{name}/util/join-multiline-rules/join.py -%attr(0754, root, root) %{_datadir}/%{name}/util/regexp-assemble/regexp-assemble-v2.pl -%attr(0754, root, root) %{_datadir}/%{name}/util/regexp-assemble/regexp-assemble.pl -%attr(0754, root, root) %{_datadir}/%{name}/util/regexp-assemble/regexp-cmdline.py -%attr(0754, root, root) %{_datadir}/%{name}/util/send-payload-pls.sh -%attr(0754, root, root) %{_datadir}/%{name}/util/verify.rb -%attr(0754, root, root) %{_datadir}/%{name}/util/virtual-patching/arachni2modsec.pl -%attr(0754, root, root) %{_datadir}/%{name}/util/virtual-patching/zap2modsec.pl +%attr(0754, root, root) %{_datadir}/%{name}/util/crs-rules-check/rules-check.py +%attr(0754, root, root) %{_datadir}/%{name}/util/find-rules-without-test/find-rules-without-test.py +%attr(0754, root, root) %{_datadir}/%{name}/util/php-dictionary-gen/php-dictionary-creator.sh +%attr(0754, root, root) %{_datadir}/%{name}/util/rule_ctl/rule_ctl.py %{_datadir}/%{name}/*.conf* %{_datadir}/%{name}/rules ++++++ owasp-modsecurity-crs-3.3.5.tar.xz -> owasp-modsecurity-crs-4.9.0.tar.xz ++++++ ++++ 116985 lines of diff (skipped)
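Review bot: the %attr lines dropped in this hunk match tools removed upstream in 4.8.0 according to the changelog above (av-scanning, crs2 renumbering, join multiline rules, send-payload-pls, verify id-range, virtual patching), so the removals are consistent, but the whole tree is still shipped by the unchanged `%{_datadir}/%{name}/util` line and only four scripts receive an executable mode here; after the build, list the installed files and confirm that no other script under util (the regexp-assemble scripts that no longer appear in this list, for instance) is installed without its execute bit rather than genuinely absent from 4.9.0. Separately, the visible %files lines package `*.conf*`, `rules` and `util` but no plugins directory, while the 4.0.0 entry records placeholder files for the plugin architecture [#2515] and the migration of application exclusions to plugins; if the 4.9.0 tarball carries a plugins directory it should be listed here, otherwise users lose the exclusion rule sets they had in 3.3.5 without any packaging error to tell them.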