
21/02/2004 1.7.5
----------------

  * SECURITY Fixed a bug in the Apache 2.0.x branch that could allow
    remote denial of service attacks to be performed, causing
    web server instances to crash.

  * Fixed a bug in the Apache 2.0.x branch where selective output
    filtering would not work when the content type is given together
    with the encoding (i.e. "Content-Type: text/html; charset=...").
    The encoding part is now ignored.

  * Fixed a bug in both branches where "SecFilterEngine DynamicOnly"
    would not scan dynamic requests that are

  * Since the Apache 1.x regex library does not seem to implement
    the "\xHH" method of escaping, I've added this functionality to
    mod_security (Apache 2.x uses a different regex library where
    this works).
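The entry above describes pre-processing "\xHH" escapes for a regex library that lacks them. The following is an added example (not mod_security's own implementation) of how such a pre-processor can work: each "\xHH" is replaced by the literal character it denotes, re-escaped if that character is a regex metacharacter, while other backslash escapes and truncated sequences are left untouched. The sample patterns and request fragments are constructed for the example.

```python
import re

# Added example (not mod_security's code): expand "\xHH" escapes in a rule
# pattern before handing it to a regex engine that does not understand them.

_HEX_DIGITS = set('0123456789abcdefABCDEF')


def expand_hex_escapes(pattern: str) -> str:
    r"""Replace every \xHH sequence with the literal character it denotes.

    The character is passed through re.escape(), so "\x2e" becomes "\." and
    still means a literal dot rather than "any character".  Any other escape
    (including "\\", an escaped backslash) is copied through unchanged, so
    "\\x41" stays a literal backslash followed by "x41".  A truncated
    sequence such as "\x4" is left as it is.
    """
    out = []
    i, n = 0, len(pattern)
    while i < n:
        ch = pattern[i]
        if ch == '\\' and i + 1 < n:
            nxt = pattern[i + 1]
            hexpair = pattern[i + 2:i + 4]
            if nxt == 'x' and len(hexpair) == 2 and set(hexpair) <= _HEX_DIGITS:
                out.append(re.escape(chr(int(hexpair, 16))))
                i += 4
                continue
            # some other escape: keep both characters so "\\x41" is untouched
            out.append(ch + nxt)
            i += 2
            continue
        out.append(ch)
        i += 1
    return ''.join(out)


def pattern_matches(pattern: str, subject: str) -> bool:
    """Apply a rule pattern written with \\xHH escapes to a request fragment."""
    return re.search(expand_hex_escapes(pattern), subject) is not None


if __name__ == '__main__':
    # Constructed sample patterns and request fragments.
    print(expand_hex_escapes(r'\x2e\x2e/'))                 # \.\./
    print(pattern_matches(r'\x2e\x2e/', '../etc/passwd'))   # True
    print(pattern_matches(r'id\x00', 'id\x00.php'))         # True
```

The re-escaping step is the part that is easy to get wrong: without it, "\x2e" would silently turn into an unescaped "." and match any character, widening the rule instead of matching the literal dot the rule author wrote.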


05/12/2003 1.7.4
----------------

  * Fixed a bug that caused a request to be logged to the audit log
    even when a "nolog" action was used (and the audit log was set to
    "RelevantOnly").

  * Fixed a bug in the Apache 2 version that could confuse PHP.


9/11/2003 1.7.3
---------------

  * More variables are now being normalised before rules are
    applied.


28/10/2003 1.7.2
----------------

  * Added SecFilterOutputMimeTypes directive to control which
    mime types are scanned on output (to avoid scanning images
    and other binary files).

  * Added the script that converts Snort rules to mod_security
    rules to the distribution, together with a set of converted
    rules.

  * A set of rules used for regression testing is now in the
    CVS too.

  * SECURITY Fixed a malloc-based buffer overflow problem in the Apache 2
    version of the module. This problem could cause segmentation
    faults in some cases. Because the problem is in the code that
    performs output scanning it could potentially be exploited
    locally (i.e. by a specially crafted PHP script).

  * Fixed a bug where a rule match was not logged together with
    a pass action. Changed the behavior of the allow action to
    behave the same way (the rule match is logged unless the nolog
    action is used).

  * Fixed a problem with SecServerSignature that caused a
    real signature to be seen in some cases (on bad requests).

  * Fixed a problem with output filtering not being off by
    default (it is now).

21/10/2003 1.7.1
----------------

  * Fixed a mutex leak in Apache 2.x version of the module

  * Fixed a bug in the output scanning code of the Apache 2.x
    version of the module

  * Fixed a bug where SecAuditLog wouldn't work when set
    to "On"

18/10/2003 1.7
--------------

  * Fixed mod_security not to attempt to do any work if
    the context is not initialised properly.


24/9/2003 1.7RC1
----------------

  * Added output filtering to Apache 2.x

  * Removed the two-stage filtering process that used to take
    place in Apache 2.x (if you know what I'm talking about, fine;
    if not, ignore this)

  * Added the ability to filter cookies (names, values, etc) directly

  * Added SecServerSignature to mask the web server

  * Added new action, allow, to finish filter processing and let the
    request through

  * Added new action, chain, to chain several filters together (logical
    AND)

  * Added new action, skipnext, to skip over filters

  * New anti-evasion technique to fight null-byte attacks

  * Netware support (with help from Guenter Knauf)


17/8/2003 1.6
-------------

 * Windows compatibility. As this is the first Windows
   release the code should be considered of beta quality.

 * Unicode encoding validation

 * New action, pause, enables you to slow down or completely
   confuse web vulnerability scanners

 * Switch that optimises request filtering, allowing you
   to only implement scanning on relevant resources

 * Internal chroot feature added to Apache 2

 * Fixed a POST variables parsing bug


10/7/2003 1.5.1
---------------

 * POST payload processing code for Apache 2 version
   completely rewritten.

 * Changed the SecAuditEngine parameter to take the
   following options: On, Off, DynamicOrRelevant,
   RelevantOnly. This new feature allows you to log only
   what you really need.

 * New internal chroot option available in the Apache 1
   version.

 * Fixed a problem where "+" was not decoded properly.

 * Fixed a problem where you could not use PHP CLI
   scripts in combination with the "exec" action.

 * Fixed a problem where zombie processes would remain
   after external binaries were executed using the
   "exec" action.

 * Fixed other bugs, two of which are security issues.


26/5/2003 1.5
-------------

 * Apache 2.x compatibility

 * Added SecFilterInheritance

 * Added SecFilterByteRange

 * Added SecFilterCheckURLEncoding

 * A few bug fixes

 * New web site @ www.modsecurity.org

 * Comprehensive manual


08/2/2003 1.4.2
---------------

 * Got rid of the Apache patch, the module now works without it!


30/1/2003 1.4.1
---------------

 * The default method of locking is now FCNTL. It
   appears that FLOCK does not work well on Solaris.
   FCNTL seems to work fine on both platforms.

 * Fixed the bug with improper calling of the
   ap_pstrcat function, which could result in
   segfaults on some platforms (Solaris).


24/1/2003 1.4
-------------

 * Several bug fixes

 * Execute an external script on pattern match

 * Perform custom redirect on pattern match

 * Added a separate debug file with configurable
   log levels

 * Cleaned up the source code, added comments and
   removed TAB characters

 * Fixed the audit logger to log complete requests

 * mod_security now creates custom headers when
   a pattern match occurs, access is denied or
   an action is taken (external script execution)

 * Introduced the ability to test for a match against
   variable names only

 * Introduced the ability to test for a match against
   variable values only

 * Added the test script in Perl for automated testing,
   plus tests for most (all) features

 * Enhanced event logging, messages are now much
   more descriptive and helpful

 * mod_security can now appear as a token in the
   server signature ("Off" by default)


09/12/2002 1.3b
---------------

Introduced selective filtering (SecFilterSelective) where you
can choose which part of the request to observe. Fixed a couple
of bugs. Added inverted filters (when the regular expression
begins with an exclamation mark) where the regular expression
must be satisfied to proceed.
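The 1.3b entry above (selective filters and inverted "!" patterns) and the 1.7RC1 entries (the allow, chain and skipnext actions) together describe a small rule-evaluation model. The following is an added example, written for this changelog and not mod_security's own code, that implements those semantics in a toy evaluator so the interaction between them can be seen on concrete requests: a chain fires only when every rule in it fires (logical AND), an inverted pattern fires when the value does not satisfy the regex, allow ends processing and lets the request through, skipnext jumps over the following rules, and a match is logged unless nolog is present. The variable names (REQUEST_URI, ARG_<name>, ARGS, REMOTE_ADDR), the "skipnext:N" spelling and the request shape are assumptions made for the example; the rule set and requests are constructed.

```python
import re
from dataclasses import dataclass

# Added example, not mod_security's own code: a toy evaluator with the
# semantics described in the changelog for selective and inverted filters
# (1.3b) and the allow / chain / skipnext actions (1.7RC1).  Variable
# names and the "skipnext:N" spelling are assumptions for the example.


@dataclass
class Rule:
    target: str                 # part of the request to inspect (selective filtering)
    pattern: str                # regex; a leading "!" inverts it
    actions: tuple = ('deny',)  # deny | allow | chain | skipnext:N | log | nolog


def rule_triggers(rule: Rule, request: dict) -> bool:
    """True when the rule fires.  A normal pattern fires on a match; an
    inverted pattern fires when the regex is NOT satisfied (the value must
    match to proceed).  A target absent from the request never fires."""
    inverted = rule.pattern.startswith('!')
    regex = rule.pattern[1:] if inverted else rule.pattern
    values = request.get(rule.target)
    if values is None:
        return False
    if isinstance(values, str):
        values = [values]
    if inverted:
        return not all(re.search(regex, v) for v in values)
    return any(re.search(regex, v) for v in values)


def evaluate(rules, request):
    """Walk the rule list.  'chain' ANDs a rule with the next one; 'allow'
    ends processing and lets the request through; 'deny' rejects it;
    'skipnext:N' skips the next N rules; anything else (e.g. 'pass') just
    continues.  A match is logged unless 'nolog' is present.
    Returns (verdict, log) where verdict is 'allow', 'deny' or 'pass'."""
    log = []
    i = 0
    while i < len(rules):
        # gather rule i plus every rule it is chained to
        chain = [rules[i]]
        while 'chain' in chain[-1].actions and i + len(chain) < len(rules):
            chain.append(rules[i + len(chain)])
        i += len(chain)
        if not all(rule_triggers(r, request) for r in chain):
            continue                      # the whole chain must fire (logical AND)
        actions = chain[-1].actions       # the last rule of a chain carries the actions
        if 'nolog' not in actions:
            log.append('matched ' + ' AND '.join(f'{r.target} "{r.pattern}"' for r in chain))
        if 'allow' in actions:
            return 'allow', log
        if 'deny' in actions:
            return 'deny', log
        for a in actions:
            if a.startswith('skipnext'):
                i += int(a.split(':', 1)[1]) if ':' in a else 1
    return 'pass', log


def make_request(addr, method, uri, args):
    """Constructed request shape for the example: one ARG_<name> entry per
    argument plus ARGS holding every argument value."""
    req = {'REMOTE_ADDR': addr, 'REQUEST_METHOD': method,
           'REQUEST_URI': uri, 'ARGS': list(args.values())}
    for name, value in args.items():
        req['ARG_' + name] = value
    return req


# Constructed rule set.
RULES = [
    # local monitoring host: finish processing and let it through, unlogged
    Rule('REMOTE_ADDR', r'^127\.0\.0\.1$', ('allow', 'nolog')),
    # chain: POST AND /login AND a 'user' argument that is not alphanumeric
    Rule('REQUEST_METHOD', r'^POST$', ('chain',)),
    Rule('REQUEST_URI', r'^/login', ('chain',)),
    Rule('ARG_user', r'!^[A-Za-z0-9]+$', ('deny', 'log')),
    # the search form legitimately carries apostrophes: skip the quote rule for it
    Rule('REQUEST_URI', r'^/search$', ('skipnext:1', 'nolog')),
    Rule('ARGS', r"'", ('deny',)),
]

if __name__ == '__main__':
    for req in (make_request('10.0.0.5', 'POST', '/login', {'user': 'bob;drop'}),
                make_request('10.0.0.5', 'GET', '/search', {'q': "o'reilly"}),
                make_request('10.0.0.5', 'GET', '/profile', {'name': "o'reilly"})):
        print(req['REQUEST_METHOD'], req['REQUEST_URI'], evaluate(RULES, req))
```

Two edge cases are worth noticing when reading the output: an inverted filter on an argument that is absent from the request does not fire (so the login chain does not deny a POST without a user argument), and skipnext only jumps over rules that come after it in the list, so the order of the rule set is part of its meaning.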


22/11/2002 1.2b
---------------

Changed the approach from using mod_proxy to patching the
core server. The software is usable now. Performed some tests
and it all looks fine.


21/11/2002 1.1b
---------------

Fixed the audit part of the module to log relevant request
information, and to ignore requests to which responses are
not dynamic.
