
03/11/2004 1.8.6
----------------

  * Made changes to how mod_security works to accommodate those
    who only want to operate in detection mode. Validation checks
    are now performed only once, at the beginning of request
    processing (by mod_security, not Apache). At the same time I
    have expanded the validation checks to include request headers
    as well. Only normalisation will be performed later, as the
    rules in the rule set are processed. There is one constraint,
    though. Non-fatal default action is not allowed in the
    initialization phase. Any normalisation or validation problems
    will result in the request being rejected. Therefore the
    only way to operate in a fully transparent detection mode
    is to turn off implicit validation options (URL decoding, Unicode,
    byte range, cookie format validation). I hope to relax this
    restriction in the 1.9 branch.

  * BUG Fixed the broken "skip" action.

  * BUG Fixed a problem with file interception (when either storage or
    approval is requested) that occurs with IE.

  * BUG I introduced a new bug trying to fix a bug from 1.8.4. Uploading
    a file larger than the memory buffer would cause the approval
    phase to be skipped altogether.


21/10/2004 1.8.5
----------------

  * BUG Fixed the O_BINARY problem that manifested itself on Windows.    

  * BUG Fixed a problem with temporary file reading that manifested
    itself on Windows (Apache 2 version only).
    
  * BUG Fixed the problem with requests for folders (where mod_dir
    performs subrequests) and DynamicOnly is on, and there are
    several dynamic entries in the DirectoryIndex configuration before
    the "real" one. It's not a proper fix though. Fixing it properly
    could jeopardize the stability so I've just disabled DynamicOnly
    for folders.

  * BUG Removed the harmless message emitted to the error log on
    request line timeouts (Apache 1.3.31 started logging request
    line timeouts with 408).

  * BUG Dynamic POST buffering control did not work at all in the
    Apache 2 module (causing segfaults). Fixed now.

  * BUG Not defining a debug log file would case error messages
    not to be logged to the Apache error log.


29/07/2004 1.8.4
----------------

  * BUG When the ARGS variable was used in a multipart
    request it used to test against the raw payload. Now
    it only works on the request parameters (names & values),
    just as with non-multipart requests.

  * BUG mod_security would crash when the default action
    is not specified in the configuration file.

  * Fixed a problem when Apache loses our input filter on
    fast redirects (e.g. mod_dir) and subrequests (e.g.
    mod_fastcgi).

  * Relaxed the validation of multipart/form-data requests
    to allow broken clients (i.e. Internet Explorer) to work.


07/07/2004 1.8.3
----------------

  * BUG Fixed a warning message in the child process
    initialisation code, complaining about mutex
    re-initialisation failing (FreeBSD only).

  * BUG Fixed the problem where URL encoding validation
    was perform against multipart/form-data variables,
    which are not URL-encoded. In practice, a percentage
    character anywhere in the multipart/form-data
    body would cause the request to be rejected.

  * BUG Removed ap_escape_logitem from the source
    code, this time for real I think ;)


22/06/2004 1.8.2
----------------

  * BUG Fixed a bug that would cause mod_security to close
    stdin by mistake, with multipart/form-data requests
    and SecUploadKeepFiles set to Off and file validation
    is not used.

  * BUG Fixed a bug that would sometimes affect selective
    variable rules.

  * Removed ap_escape_logitem from the module (because of
    compatibility problems with older versions of Apache).

  * Fixed an invalid regular expression in the default
    configuration example.


16/06/2004 1.8.1
----------------

  * Zero-length POST payload was not allowed. Fixed.


15/06/2004 1.8
--------------

  * Found and fixed several small issues during the final code
    review.

  * Updated the converted Snort rules.

  * Added debug mode to the automated test script.


11/06/2004 1.8RC2
-----------------

  * Fixed a problem where validation functions would reject a
    request without performing the default action fully
    (previously only the status was honored).

  * Improved logging a great deal. It is now easy to identify
    what and where went wrong.

  * Child processes now re-initialize mutexes, as they should (Apache
    2.x only)

  * Other cosmetic changes here and there.

  * BUG Temporary files were being created with wrong permissions.

  * BUG Fixed a problem in the UTF-8 validation routine. Some valid
    UTF-8 streams were being rejected as invalid.


26/05/2004 1.8RC1
-----------------

  * POST payload in the audit log is now preceeded by a line
    containing the length of the payload.

  * Preparing for a stable release, this branch now compiles on
    Windows too. And on Netware.

  * Debug log entries are now sanitized.

  * Keeping the code healthy: lots of refactoring, smaller
    improvements made. Several small fixes too.


29/04/2004 1.8dev2
------------------

  * Added support for custom logging that will contain only information
    about requests where mod_security got involved. Mod_security will
    now generate Apache environment variable mod_security-relevant, which
    can then be used to trigger custom logging.

  * Audit log will now reference the full request body that is
    stored outside the audit log (which happens with file
    uploads)

  * Removed the fixed-length buffer in sec_logger. Audit logger
    now calculates data length before allocation. Therefore it can
    log requests  with very large headers.

  * When available, the UNIQUE_ID value produced my mod_unique_id is
    written to the audit log.

  * SECURITY Significant improvements to the chroot functionality. Fixed
    a problem when mod_security would sometimes "forget" to perform a
    chroot call. We now also perform a chdir to the target directory
    before the chroot call not to leave an open fd to a directory outside
    the jail.

  * Improved cookie handling. Implemented a new parser, added two
    directives for better control over features: SecFilterNormalizeCookies
    and SecFilterCheckCookieFormat.

  * Made external script execution work with suexec. mod_security now
    chdirs to the directory where script resides, and then calls it
    with a relative path.

  * Mod_security variables were not available (in the environment)
    to scripts executed via the "exec" action. Fixed.

  * Mod_security can now decide not to buffer a POST request
    dynamically. If the MODSEC_NOPOSTBUFFERING variable is set buffering
    will be skipped (this can be done with SetEnvIf, for example).

  * Initial support for multibyte charset filtering (added
    SecCharset directive to support this).

  * Removed non-threadsafe code from a couple of places.


21/03/2004 1.7.6
----------------

  * Code reviewed, tightened, cleaned up (eg removed C++ style comments,
    converted TABS to spaces).

  * Error log messages resulted from a match of regular expressions
    containing \xHH escape codes were written escaped instead in the
    original form (1.3.x branch only).


21/02/2004 1.7.5
----------------

  * SECURITY Fixed a bug in the Apache 2.0.x branch that could allow
    remote denial of service attacks to be performed, causing
    web server instances to crash.

  * Fixed a bug in the Apache 2.0.x branch where selective output
    filtering would not work when the content type is given together
    with the encoding (ie "Content-Type: text/html; charset=...").
    Encoding is now ignored.

  * Fixed a bug in both branches where "SecFilterEngine DynamicOnly"
    would not scan dynamic requests that are

  * Since the Apache 1.x regex library does not seem to implement
    the "\xHH" method of escaping I've added this functionality to
    mod_security (Apache 2.x uses a different regex library where
    this works)


18/12/2003 1.8dev1
------------------

  * Added SecUploadKeepFiles directive, which allows the files
    uploaded through the web server to be kept

  * Added SecUploadDir directive, to define where files will
    be uploaded

  * Added SecUploadApproveScript directive, to allow to specify
    an external script to approve a file that is uploaded

  * Added SecUploadInMemoryLimit (Apache2 only) to specify the
    maximal amount of memory to be used for in-memory processing
    during file upload. If a file is larger than the limit the
    disk will be used.

  * Added support for multipart/form-data. Selective variable
    filtering now works when this encoding is used too.

  * Improved the configuration process, added comments to
    directives, implemented better control where directives
    can be used. These changes may cause mod_security to
    refuse to start if a directive is used at a wrong place
    (if they do you should get a meaningful message).
    
  * Worked around a peculiar Apache behavior that caused a
    POST body not to be logged when an ErrorDocument
    directive is used


5/12/2003 1.7.4
---------------

  * Fixed a but that caused a request to be logged to the audit log
    even when a "nolog" action was used (and audit log was set to
    "RelevantOnly").

  * Fixed a bug in the Apache 2 version that could confuse PHP.


9/11/2003 1.7.3
---------------

  * More variables are now being normalised before rules are
    applied


28/10/2003 1.7.2
----------------

  * Added SecFilterOutputMimeTypes directive to control which
    mime types are scanned on output (to avoid scanning images
    and other binary files)

  * Added the script that converts Snort rules to mod_security
    rules to the distribution, together with a set of converted
    rules.

  * A set of rules used for regression testing is now in the
    CVS too.

  * Fixed a malloc-based buffer overflow problem in Apache 2
    version of the module. This problem could case segmentation
    faults in some cases. Because the problem is in the code that
    performs output scanning it could potentially be exploited
    locally (i.e. by a specially crafted PHP script).

  * Fixed a bug when a rule match was not logged together with
    a pass action. Changed behavior of the allow action to
    behave the same (rule match logged unless nolog action is
    used).

  * Fixed a problem with SecServerSignature that caused a
    real signature to be seen in some cases (on bad requests).

  * Fixed a problem with output filtering not being off by
    default (it is now).
  

21/10/2003 1.7.1
----------------

  * Fixed a mutex leak in Apache 2.x version of the module

  * Fixed a bug in the output scanning code of the Apache 2.x
    version of the module

  * Fixed a bug where SecAuditLog wouldn't work when set
    to "On"


18/10/2003 1.7
--------------

  * Fixed mod_security not to attempt to do any work if
    the context is not initialised properly.


24/9/2003 1.7RC1
----------------

  * Added output filtering to Apache 2.x

  * Removed the two-stage filtering process that used to take
    place in Apache 2.x (if you know what I'm talking about fine,
    if not ignore this)

  * Added the ability to filter cookies (names, values, etc) directly

  * Added SecServerSignature to mask the web server

  * Added new action, allow, to finish filter processing and let the
    request through

  * Added new action, chain, to chain several filter together (logical
    AND)

  * Added new action, skipnext, to skip over filters

  * New anti-evasion technique to fight null-byte attacks

  * Netware support (with help from Guenter Knauf)


17/8/2003 1.6
-------------

 * Windows compatibility. As this is the first Windows
   release the code should be considered of beta quality.

 * Unicode encoding validation

 * New action, pause, enables you to slow down, or completely
   confuse web vulnerability scanners

 * Switch that optimises request filtering, allowing you
   to only implement scanning on relevant resources

 * Internal chroot feature added to Apache 2

 * Fixed a POST variables parsing bug


10/7/2003 1.5.1
---------------

 * POST payload processing code for Apache 2 version
   completely rewritten.

 * Changed the SecAuditEngine parameter to take the
   following options: On, Off, DynamicOrRelevant,
   RelvantOnly. This new feature allows you to log only
   what you really need.

 * New internal chroot option available in the Apache 1
   version.

 * Fixed a problem where "+" was not decoded properly.

 * Fixed a problem where you could not use PHP CLI
   scripts in combination with the "exec" action.

 * Fixed a problem where zombie processes would remain
   after external binaries were executed using the
   "exec" action.

 * Fixed other bugs, two of which are security issues.


26/5/2003 1.5
-------------

 * Apache 2.x compatibility

 * Added SecFilterInheritance

 * Added SecFilterByteRange

 * Added SecFilterCheckURLEncoding 

 * A few bug fixes

 * New web site @ www.modsecurity.org

 * Comprehensive manual


08/2/2003 1.4.2
---------------

 * Got rid of the Apache patch, the module now works
   without it!


30/1/2003 1.4.1
---------------

 * The default method of locking is now FCNTL. It
   appears that FLOCK does not work well on Solaris.
   FCNTL seems to work fine on both platforms.

 * Fixed the bug with improper calling of the
   ap_pstrcat function, which could result in
   segfaults on some platforms (Solaris)


24/1/2003 1.4
-------------

 * Several bug fixes

 * Execute an external script on pattern match

 * Perform custom redirect on pattern match

 * Added a separate debug file with configurable
   log levels

 * Cleaned up the source code, added comments and
   removed TAB characters

 * Fixed the audit logger to log complete requests

 * mod_security now creates custom headers when
   a pattern match occurs, access is denied or
   an action is taken (external script execution)

 * Introduced the ability to test for a match against
   variable names only

 * Introduced the ability to test for a match against
   variable values only

 * Added the test script in Perl for automated testing,
   plus tests for most (all) features

 * Enhanced event logging, messages are now much
   more descriptive and helpful

 * mod_security can now appear as a token in the
   server signature ("Off" by default)


09/12/2002 1.3b
---------------

Introduced selective filtering (SecFilterSelective) where you
can choose which part of the request to observe. Fixed a couple
of bugs. Added inverted filters (when the regular expression
begins with an exclamation mark) where the regular expression
must be satisfied to proceed.


22/11/2002 1.2b
---------------

Changed the approach from using mod_proxy to patching the
core server. The software is usable now. Performed some tests
and it all looks fine.


21/11/2002 1.1b
---------------

Fixed the audit part of the module to log relevant request
information, and to ignore requests to which responses are
not dynamic.
