Your message dated Sun, 2 Apr 2006 21:34:20 +0200
with message-id <[EMAIL PROTECTED]>
and subject line removed
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
package: libapache2-mod-security
A new upstream stable version is available.
mod_security 1.9 contains the following changes since 1.8.7:
06/11/2005 1.9
--------------
* No changes since 1.9RC4.
03/11/2005 1.9RC4
-----------------
* Warning messages emitted from chained rules are now logged at
level 3.
01/11/2005 1.9RC3
-----------------
* Made SecFilterSignatureAction behave in a slightly more consistent
manner. When defined it applies to rules that do not have custom
actions.
29/10/2005 1.9RC2
-----------------
* Discovered (and fixed) a fragment of non multithread-safe code.
* Fix a bug with the chain action.
* Improved the per-rule performance figures not to include
debug logging (which can be quite slow).
03/10/2005 1.9RC1
-----------------
* Removed -DWORKER_HACK since it is easier and more elegant
to use LoadFile.
* Improvements to the output filtering to prevent Apache from
printing the error message twice (when we have a regex
match in the response body).
* Improvements to the multipart parser, now it is more strict with
what it accepts. (Incidentally, Mozilla and IE don't know how to
construct a proper multipart/form-data body, but Opera does.)
* New directive, SecFilterSignatureAction. If specified, all signatures
that follow the directive in the configuration file will use the
actions it specified, optionally merging with the per-rule action
list (if any specified).
16/09/2005 1.9dev4
------------------
* Limited the GuardianLog line size when doing piped logging. Writes
are atomic over a pipe only if the size of the data is less than
PIPE_BUF.
* Added a hack (compile with -DWORKER_HACK) to force the pthreads
dynamic library to be loaded before chroot is performed. (Apache
2.x only)
* Fixed the \xHH unescaping bug when the character was a regex
meta character. Such characters are now escaped with \. (Apache
1.x only)
* Unicode encoding checks not performed on the contents of the
Referer request header.
* Added the manual (in DocBook) format to the CVS.
* Added action "rev", to be used as a rule serial number, allowing
the "id" to remain unchanged (and unique).
* Many changes related to how actions are processed. Introduced
SecFilterActionsRestricted. When enabled, only the meta-data
per-rule actions are allowed. This is useful when you want to
include third-party rules to your configuration, and you don't
want them to specify just anything in the action. Per-rule actions
are now added on top of SecFilterDefaultAction actions.
* Wrote a new action parser from scratch. It is now possible to
escape action values, and even have a comma inside the
value (yay).
* Fixed doubling of response headers in the (serial) audit log.
* Added support to enable or disable mod_security per request
using an environment variable - MODSEC_ENABLE. This is something
that is likely to be useful in combination with SetEnvif. This
environment variable will not affect audit logging.
18/08/2005 1.9dev3
------------------
* Files uploaded via PUT are now treated in the same manner
as files uploaded via POST and multipart/form-data encoding.
* Added experimental support for mod_security to run in an early
hook. To test this compile with -DENABLE_EARLY_HOOK.
* Implemented SecAuditLogRelevantStatus
* Implemented an entirely new approach to audit logging - concurrent
audit logging where each request is stored in its own file.
* Changed the way internal chroot works. We are not using a
file-based lock any more. The process is much cleaner. (I just
need to test it thoroughly to see if it performs under all
circumstances.)
* Many changes to improve handling of DynamicOnly and related
internal stuff.
* Added OUTPUT_STATUS to the Apache 2.x version.
* Implemented SecGuardianLog, to allow mod_security to pass information
to httpd-guardian (see http://www.apachesecurity.net/tools/).
* Removed debug log locking (writes should be atomic - why did I think
otherwise?).
* Log level is now present on every entry in the debug log.
* Significantly enhanced the filter (rule) inheritance functionality
by adding three new directives (SecFilterImport, SecFilterRemove,
SecFilterInheritanceMandatory) and one new action (mandatory).
* Added "proxy" action to rewrite URL through the internal reverse
proxy when a rule is triggered.
* Added the script that converts Nessus scripts (.nasl files) into
mod_security rules. Written by Javier Fernandez-Sanguino
<[EMAIL PROTECTED]>.
* Use GetTempPath on Windows to get the path for temporary files.
* Non-existent named parameters (ARG_name) and cookies (COOKIE_name) are
now treated as empty. This should allow us to write rules that trigger
when a named parameter is not present.
19/04/2005 1.9dev2
------------------
* Added individual rule timing (Apache 2.x only)
* Deprecated SecServerResponseToken. It no longer works and it
outputs a warning message.
* mod_security now logs its version to the error log upon
startup (as notice).
* When SecServerSignature is used, mod_security now logs the
real server signature to the error log (as notice).
* Added two new actions: setenv, setnote
* Added two new actions: auditlog, noauditlog
* Added three new actions: id, msg, severity. These are simple
text fields that appear in the error messages. They can be
used to classify problems.
* Added RelevantOnly as option to SecUploadKeepFiles.
* BUG Fixed the "pass" action bug.
* 404 responses are no longer considered relevant.
* The request body is now exported through the "mod_security-body"
note. (This can be useful for logging other than through the
audit log.)
* BUG Fixed a double URL-decoding bug (Apache first, then us), which
could sometimes lead to a false positive.
--- End Message ---
--- Begin Message ---
libapache-mod-security has been removed from Debian because it is
undistributable for legal reasons. See #313615
--
Martin Michlmayr
http://www.cyrius.com/
--- End Message ---