
10/4/2006 1.9.3
---------------

 * No changes since 1.9.3-rc2.


23/3/2006 1.9.3-rc2
-------------------

 * Fixed malformed serial audit log entry problem.

 * Strict checking of what is supplied for the "severity" action.
   Prettier output in the logs (text instead of numbers).

 * Improved detection of the response protocol version.


6/3/2006 1.9.3-rc1
------------------

 * Improved the internal chroot feature to work with mod_fastcgi,
   mod_fcgi, mod_cgid (testers welcome).

 * Response headers are now escaped in the concurrent audit log.

 * New action: logparts (adjust the audit log parts setting).

 * Added support for multiple messages per transaction.

 * Added SCRIPT_BASENAME, REQUEST_BASENAME.

 * Implemented variable caching to reduce memory consumption. Large memory
   savings can be achieved, but only when the rule set is significantly
   large. Not noticeable for "normal" installations.

 * Fixed the "Server" trailer message in the concurrent audit log.

 * Removed the extra newline added to the index file by the concurrent
   audit logger.

 * Fixed a problem in the action list parser which caused parsing
   to stop after any action with a quoted parameter.

 * (Apache 2.x only) Fixed a response buffering problem that
   manifested as partial loss of output when virtual subrequests
   are used (it is the output from the virtual subrequests that
   would be lost).

 * Deprecated DynamicOnly because it is inherently difficult
   to use and often unpredictable.


16/1/2006 1.9.2
---------------

 * Increased allowed multipart header size to 4096.

 * Fixed small bugs in the multipart code that would (in some
   rare cases) lead to incorrectly interpreting the uploaded
   files.

 * (Apache 2.x only) Fix for a crash in the serial audit logger.

 * (Apache 2.x only) Fix to compile on Debian 3.1 (they are not using
   stock Apache).

 * Fixed a small concurrency issue.

 * Chained rules metadata now appears in the logs.

 * Restrict the length of each line in the concurrent audit
   logger index when logging over a pipe.

 * New concurrent audit logger trailer headers: Server, Action, Producer.

 * Added compile-time directive (DISABLE_SUEXEC) to disable
   process creation through suEXEC.

 * Added support for compilation with PCRE (instead of the
   native Apache regex library) to the Apache 1.3.x version
   (Apache 2.x already uses PCRE). PCRE is much faster.

 * Fixed a bug in the concurrent audit logging code where partial
   audit log entry files were being created for all requests.

 * Fixed bugs (in the Apache 2.x branch) to make audit logging
   through a pipe work.


30/11/2005 1.9.1
----------------

 * Variables OUTPUT and OUTPUT_STATUS are no longer accepted
   in the Apache 1.x version (since they do not work anyway).

 * Fixed a chained bug.

 * Relaxed multipart checks slightly, to allow empty
   multipart body. (In response to a bug report.)


06/11/2005 1.9
--------------

  * No changes since 1.9RC4.


03/11/2005 1.9RC4
-----------------

  * Warning messages emitted from chained rules are now logged at
    level 3.


01/11/2005 1.9RC3
-----------------

  * Made SecFilterSignatureAction behave in a slightly more consistent
    manner. When defined it applies to rules that do not have custom
    actions.


29/10/2005 1.9RC2
-----------------

  * Discovered (and fixed) a fragment of non multithread-safe code.

  * Fixed a bug with the chain action.

  * Improved the per-rule performance figures not to include
    debug logging (which can be quite slow).


03/10/2005 1.9RC1
-----------------

  * Removed -DWORKER_HACK since it is easier and more elegant
    to use LoadFile.

  * Improvements to the output filtering to prevent Apache from
    printing the error message twice (when we have a regex
    match in the response body).

  * Improvements to the multipart parser; it is now stricter about
    what it accepts. (Incidentally, Mozilla and IE don't know how to
    construct a proper multipart/form-data body, but Opera does.)

  * New directive, SecFilterSignatureAction. If specified, all signatures
    that follow the directive in the configuration file will use the
    actions it specified, optionally merging with the per-rule action
    list (if any specified).


16/09/2005 1.9dev4
------------------

  * Limited the GuardianLog line size when doing piped logging. Writes
    are atomic over a pipe only if the size of the data is less than
    PIPE_BUF.
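
The PIPE_BUF rule above applies to any logger that several worker processes feed through one pipe: a record no longer than PIPE_BUF bytes goes out in a single atomic write(2), so records from different processes cannot interleave in the reader. The following is an added example, not mod_security's own code; it builds a record capped at PIPE_BUF, writes it with one call, and includes a constructed self-check that pushes a line through a fresh pipe and reports how many bytes arrive.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef PIPE_BUF
#define PIPE_BUF 512            /* POSIX minimum; assumed fallback if <limits.h> lacks it */
#endif

/* Build one log record from `line` into `out` (capacity `cap`), truncating so
 * that the text plus its terminating newline never exceeds `limit` bytes.
 * Returns the record length in bytes (0 if there is no room at all). */
size_t build_log_record(const char *line, char *out, size_t cap, size_t limit)
{
    size_t max = limit < cap ? limit : cap;
    if (max == 0)
        return 0;
    size_t len = strlen(line);
    if (len > max - 1)
        len = max - 1;          /* keep room for the newline */
    memcpy(out, line, len);
    out[len] = '\n';
    return len + 1;
}

/* Emit one record to `fd` with a single write(2). Because the record is at most
 * PIPE_BUF bytes, POSIX guarantees the write is atomic on a pipe, so records
 * from concurrent writers cannot interleave. Returns bytes written or -1. */
ssize_t write_log_record(int fd, const char *line)
{
    char buf[PIPE_BUF];
    size_t n = build_log_record(line, buf, sizeof buf, PIPE_BUF);
    ssize_t w;
    do {
        w = write(fd, buf, n);
    } while (w == -1 && errno == EINTR);
    return (w == (ssize_t)n) ? w : -1;
}

/* Constructed self-check: write a line of `line_len` 'A' characters through a
 * fresh pipe and return how many bytes arrive on the read end (-1 on failure
 * or if the record does not end in a newline). */
ssize_t roundtrip_record(size_t line_len)
{
    int fds[2];
    if (pipe(fds) == -1)
        return -1;
    char *line = malloc(line_len + 1);
    if (line == NULL) { close(fds[0]); close(fds[1]); return -1; }
    memset(line, 'A', line_len);
    line[line_len] = '\0';

    ssize_t w = write_log_record(fds[1], line);
    free(line);
    close(fds[1]);
    if (w == -1) { close(fds[0]); return -1; }

    char rd[PIPE_BUF + 1];      /* the record can never be longer than PIPE_BUF */
    ssize_t r = read(fds[0], rd, sizeof rd);
    close(fds[0]);
    if (r <= 0 || rd[r - 1] != '\n')
        return -1;
    return r;
}

int main(void)
{
    printf("PIPE_BUF = %d\n", PIPE_BUF);
    printf("5-byte line -> %zd-byte record\n", roundtrip_record(5));
    printf("%d-byte line -> %zd-byte record\n", PIPE_BUF * 2, roundtrip_record(PIPE_BUF * 2));
    return 0;
}
```

Truncation costs the tail of an over-long entry, which is why the index line (rather than the full audit entry) is the thing being capped: the complete record still lives in its own file, and the pipe only needs an intact, correctly delimited pointer to it.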

  * Added a hack (compile with -DWORKER_HACK) to force the pthreads
    dynamic library to be loaded before chroot is performed. (Apache
    2.x only)

  * Fixed the \xHH unescaping bug when the character was a regex
    meta character. Such characters are now escaped with \. (Apache
    1.x only)

  * Unicode encoding checks not performed on the contents of the
    Referer request header.

  * Added the manual (in DocBook format) to CVS.

  * Added action "rev", to be used as a rule serial number, allowing
    the "id" to remain unchanged (and unique).

  * Many changes related to how actions are processed. Introduced
    SecFilterActionsRestricted. When enabled, only the meta-data
    per-rule actions are allowed. This is useful when you want to
    include third-party rules in your configuration, and you don't
    want them to specify just anything in the action. Per-rule actions
    are now added on top of SecFilterDefaultAction actions.

  * Wrote a new action parser from scratch. It is now possible to
    escape action values, and even have a comma inside the
    value (yay).

  * Fixed doubling of response headers in the (serial) audit log.

  * Added support to enable or disable mod_security per request
    using an environment variable - MODSEC_ENABLE. This is something
    that is likely to be useful in combination with SetEnvif. This
    environment variable will not affect audit logging.


18/08/2005 1.9dev3
------------------

  * Files uploaded via PUT are now treated in the same manner
    as files uploaded via POST and multipart/form-data encoding.

  * Added experimental support for mod_security to run in an early
    hook. To test this compile with -DENABLE_EARLY_HOOK.

  * Implemented SecAuditLogRelevantStatus

  * Implemented an entirely new approach to audit logging - concurrent
    audit logging where each request is stored in its own file.

  * Changed the way internal chroot works. We are not using a
    file-based lock any more. The process is much cleaner. (I just
    need to test it thoroughly to see if it performs under all
    circumstances.)

  * Many changes to improve handling of DynamicOnly and related
    internal stuff.

  * Added OUTPUT_STATUS to the Apache 2.x version.

  * Implemented SecGuardianLog, to allow mod_security to pass information
    to httpd-guardian (see http://www.apachesecurity.net/tools/).

  * Removed debug log locking (writes should be atomic - why did I think
    otherwise?).

  * Log level is now present on every entry in the debug log.

  * Significantly enhanced the filter (rule) inheritance functionality
    by adding three new directives (SecFilterImport, SecFilterRemove,
    SecFilterInheritanceMandatory) and one new action (mandatory).

  * Added "proxy" action to rewrite URL through the internal reverse
    proxy when a rule is triggered.

  * Added the script that converts Nessus scripts (.nasl files) into
    mod_security rules. Written by Javier Fernandez-Sanguino
    <jfernandez@germinus.com>.

  * Use GetTempPath on Windows to get the path for temporary files.

  * Non-existent named parameters (ARG_name) and cookies (COOKIE_name) are
    now treated as empty. This should allow us to write rules that trigger
    when a named parameter is not present.


19/04/2005 1.9dev2
------------------

  * Added individual rule timing (Apache 2.x only)

  * Deprecated SecServerResponseToken. It no longer works and it
    outputs a warning message.

  * mod_security now logs its version to the error log upon
    startup (as notice).

  * When SecServerSignature is used, mod_security now logs the
    real server signature to the error log (as notice).

  * Added two new actions: setenv, setnote

  * Added two new actions: auditlog, noauditlog

  * Added three new actions: id, msg, severity. These are simple
    text fields that appear in the error messages. They can be
    used to classify problems.

  * Added RelevantOnly as option to SecUploadKeepFiles.

  * BUG Fixed the "pass" action bug.

  * 404 responses are no longer considered relevant.

  * The request body is now exported through the "mod_security-body"
    note. (This can be useful for logging other than through the
    audit log.)

  * BUG Fixed a double URL-decoding bug (Apache first, then us), which
    could sometimes lead to a false positive.


05/03/2005 1.8.7
----------------

  * Stefan Esser discovered a trivial way to craft a request so that
    parameters in the request body sneak past the named-parameter
    syntax (e.g. ARG_name). Non-selective filtering (SecFilter), other
    variables (e.g. THE_REQUEST, ARGS, POST_PAYLOAD), and the audit log
    worked fine. Fixed.

  * Stefan Esser also pointed out PHP parses cookies differently from
    mod_security, and demonstrated a way to exploit the differences
    to sneak in a cookie past the named cookie syntax (e.g. COOKIE_name).
    So I decided to add another cookie parser to mod_security. A new
    directive, SecFilterCookieFormat, determines which parser is used.
    Possible values are 0 (default, for Netscape-style cookies, aka version
    0) and 1 (for RFC 2965 aka version 1 cookies). Without spending more
    time on research (to determine how different platforms parse cookies)
    -- which is on my TODO list -- I can't give a definitive answer
    whether the COOKIE_name syntax is good enough. It should be, but if
    you are very paranoid you may choose to use the HTTP_Cookie syntax
    to examine the whole cookie header. Look for more details in the
    documentation. As a consequence of the recent changes, the
    SecFilterCheckCookieFormat directive is now obsolete and has
    no effect.

  * BUG Request error message was not escaped properly when it was
    being logged to the audit log.

  * BUG (Apache 2 only) An error message is now logged if an external
    script cannot be executed.

  * BUG If the approver script does not exist, the file is rejected.

  * BUG (Apache 2 only) Made the allow action work with output
    filtering.

  * BUG (Apache 2 only) Warning messages (e.g. "log,pass") did
    not get logged in output filtering.

  * Cookie normalization is now off by default (as was stated in the
    documentation).

  * BUG (Apache 2 only) The audit logging code can cause a segfault
    when it isn't explicitly configured in the configuration, and
    the main handler does not run for some reason. Fixed.

  * BUG (Apache 2 only) Fixed a bug in the code that handles the exec
    action, which would sometimes cause a segfault (when an external
    script is executed).


19/11/2004 1.9dev1
------------------

  * Added performance measurement to the Apache 2 versions.
    mod_security now produces the following notes:

     mod_security-time1 - after receiving request body
     mod_security-time2 - after completing input tests
     mod_security-time3 - after handler produces output

    Each note contains the time elapsed (in microseconds)
    since the beginning of processing.

  * Changed snort2modsec.pl to only work on web rules, and
    to use the rule sid in the output. With help from Javier
    Fernandez-Sanguino.

  * Added the ClamAV integration script.

  * New variables added: FILE_NAME_*, FILE_SIZE_*, FILE_NAMES,
    FILE_SIZES, FILES_COUNT, HEADER_*, HEADERS, HEADERS_NAMES,
    HEADERS_VALUES, HEADERS_COUNT, ARGS_COUNT, COOKIES_COUNT

  * Relaxed permissions used to create new files to allow group
    read. It is now possible to allow a process running as some
    other user (an anti-virus daemon, for example) to examine the
    files that are being uploaded.

  * Requests with response codes 4xx and 5xx are now considered
    to be relevant as far as audit logging is concerned.

  * Cookie values are now *not* normalized by default.

  * Changed configuration directives to be allowed in .htaccess
    files only if AllowOverride Options is configured. Provided
    a compile-time option DISABLE_HTACCESS_CONFIG to disable
    .htaccess files altogether.

  * Enhanced logging to include the names of variables where the
    pattern match has occurred.

  * New variables added: SCRIPT_UID, SCRIPT_GID, SCRIPT_USERNAME,
    SCRIPT_GROUPNAME, SCRIPT_MODE.


03/11/2004 1.8.6
----------------

  * Made changes to how mod_security works to accommodate those
    who only want to operate in detection mode. Validation checks
    are now performed only once, at the beginning of request
    processing (by mod_security, not Apache). At the same time I
    have expanded the validation checks to include request headers
    as well. Only normalisation will be performed later, as the
    rules in the rule set are processed. There is one constraint,
    though. Non-fatal default action is not allowed in the
    initialization phase. Any normalisation or validation problems
    will result in the request being rejected. Therefore the
    only way to operate in a fully transparent detection mode
    is to turn off implicit validation options (URL decoding, Unicode,
    byte range, cookie format validation). I hope to relax this
    restriction in the 1.9 branch.

  * BUG Fixed the broken "skip" action.

  * BUG Fixed a problem with file interception (when either storage or
    approval is requested) that occurs with IE.

  * BUG I introduced a new bug trying to fix a bug from 1.8.4. Uploading
    a file larger than the memory buffer would cause the approval
    phase to be skipped altogether.


21/10/2004 1.8.5
----------------

  * BUG Fixed the O_BINARY problem that manifested itself on Windows.

  * BUG Fixed a problem with temporary file reading that manifested
    itself on Windows (Apache 2 version only).

  * BUG Fixed the problem with requests for folders (where mod_dir
    performs subrequests) and DynamicOnly is on, and there are
    several dynamic entries in the DirectoryIndex configuration before
    the "real" one. It's not a proper fix though. Fixing it properly
    could jeopardize the stability so I've just disabled DynamicOnly
    for folders.

  * BUG Removed the harmless message emitted to the error log on
    request line timeouts (Apache 1.3.31 started logging request
    line timeouts with 408).

  * BUG Dynamic POST buffering control did not work at all in the
    Apache 2 module (causing segfaults). Fixed now.

  * BUG Not defining a debug log file would cause error messages
    not to be logged to the Apache error log.


29/07/2004 1.8.4
----------------

  * BUG When the ARGS variable was used in a multipart
    request it used to test against the raw payload. Now
    it only works on the request parameters (names & values),
    just as with non-multipart requests.

  * BUG mod_security would crash when the default action
    is not specified in the configuration file.

  * Fixed a problem when Apache loses our input filter on
    fast redirects (e.g. mod_dir) and subrequests (e.g.
    mod_fastcgi).

  * Relaxed the validation of multipart/form-data requests
    to allow broken clients (i.e. Internet Explorer) to work.


07/07/2004 1.8.3
----------------

  * BUG Fixed a warning message in the child process
    initialisation code, complaining about mutex
    re-initialisation failing (FreeBSD only).

  * BUG Fixed the problem where URL encoding validation
    was performed against multipart/form-data variables,
    which are not URL-encoded. In practice, a percentage
    character anywhere in the multipart/form-data
    body would cause the request to be rejected.

  * BUG Removed ap_escape_logitem from the source
    code, this time for real I think ;)


22/06/2004 1.8.2
----------------

  * BUG Fixed a bug that would cause mod_security to close
    stdin by mistake, with multipart/form-data requests
    and SecUploadKeepFiles set to Off and file validation
    is not used.

  * BUG Fixed a bug that would sometimes affect selective
    variable rules.

  * Removed ap_escape_logitem from the module (because of
    compatibility problems with older versions of Apache).

  * Fixed an invalid regular expression in the default
    configuration example.


16/06/2004 1.8.1
----------------

  * Zero-length POST payload was not allowed. Fixed.


15/06/2004 1.8
--------------

  * Found and fixed several small issues during the final code
    review.

  * Updated the converted Snort rules.

  * Added debug mode to the automated test script.


11/06/2004 1.8RC2
-----------------

  * Fixed a problem where validation functions would reject a
    request without performing the default action fully
    (previously only the status was honored).

  * Improved logging a great deal. It is now easy to identify
    what went wrong and where.

  * Child processes now re-initialize mutexes, as they should (Apache
    2.x only)

  * Other cosmetic changes here and there.

  * BUG Temporary files were being created with wrong permissions.

  * BUG Fixed a problem in the UTF-8 validation routine. Some valid
    UTF-8 streams were being rejected as invalid.


26/05/2004 1.8RC1
-----------------

  * POST payload in the audit log is now preceded by a line
    containing the length of the payload.

  * Preparing for a stable release, this branch now compiles on
    Windows too. And on Netware.

  * Debug log entries are now sanitized.

  * Keeping the code healthy: lots of refactoring, smaller
    improvements made. Several small fixes too.


29/04/2004 1.8dev2
------------------

  * Added support for custom logging that will contain only information
    about requests where mod_security got involved. Mod_security will
    now generate Apache environment variable mod_security-relevant, which
    can then be used to trigger custom logging.

  * Audit log will now reference the full request body that is
    stored outside the audit log (which happens with file
    uploads)

  * Removed the fixed-length buffer in sec_logger. Audit logger
    now calculates data length before allocation. Therefore it can
    log requests with very large headers.

  * When available, the UNIQUE_ID value produced by mod_unique_id is
    written to the audit log.

  * SECURITY Significant improvements to the chroot functionality. Fixed
    a problem where mod_security would sometimes "forget" to perform the
    chroot call. We now also perform a chdir to the target directory
    before the chroot call, so as not to leave an open fd to a directory
    outside the jail.
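
The chdir-before-chroot ordering in the entry above is worth seeing spelled out. The following is an added example, not mod_security's own code: it confines the calling process to a directory in the order the entry describes (chdir into the target, chroot to ".", then chdir to "/"), so the working directory never references a directory outside the new root. The jail path and the `enter_chroot_jail` name are assumptions for the example; chroot(2) itself needs root (CAP_SYS_CHROOT on Linux) and fails with EPERM otherwise.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Confine the calling process to `jail`. Returns 0 on success, -1 with errno set.
 * The order is the point: chdir() into the jail first so the working directory
 * is already inside, chroot(".") so the new root is exactly that directory, then
 * chdir("/") so the working directory is expressed in terms of the new root.
 * Calling chroot() before chdir() would leave the cwd (an implicit open directory
 * reference) pointing outside the jail. */
int enter_chroot_jail(const char *jail)
{
    if (chdir(jail) == -1)      /* e.g. ENOENT or EACCES; nothing has changed yet */
        return -1;
    if (chroot(".") == -1)      /* needs CAP_SYS_CHROOT / root; EPERM otherwise */
        return -1;
    if (chdir("/") == -1)
        return -1;
    return 0;
}

/* Same operation, but reports the outcome as a value: 0 on success, otherwise
 * the errno left behind by the step that failed. */
int enter_chroot_jail_errno(const char *jail)
{
    return enter_chroot_jail(jail) == 0 ? 0 : errno;
}

int main(int argc, char **argv)
{
    const char *jail = argc > 1 ? argv[1] : "/";   /* "/" is a harmless default */
    int err = enter_chroot_jail_errno(jail);
    if (err != 0) {
        fprintf(stderr, "enter_chroot_jail(%s): %s\n", jail, strerror(err));
        return 1;
    }
    char cwd[256];
    printf("now inside %s, cwd=%s\n", jail, getcwd(cwd, sizeof cwd) ? cwd : "?");
    return 0;
}
```

A server that does this should also drop to an unprivileged user once inside, since a process that keeps root can still undo the confinement; the chdir ordering closes one obvious hole, not all of them.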

  * Improved cookie handling. Implemented a new parser, added two
    directives for better control over features: SecFilterNormalizeCookies
    and SecFilterCheckCookieFormat.

  * Made external script execution work with suexec. mod_security now
    chdirs to the directory where script resides, and then calls it
    with a relative path.

  * Mod_security variables were not available (in the environment)
    to scripts executed via the "exec" action. Fixed.

  * Mod_security can now decide not to buffer a POST request
    dynamically. If the MODSEC_NOPOSTBUFFERING variable is set buffering
    will be skipped (this can be done with SetEnvIf, for example).

  * Initial support for multibyte charset filtering (added
    SecCharset directive to support this).

  * Removed non-threadsafe code from a couple of places.


21/03/2004 1.7.6
----------------

  * Code reviewed, tightened, cleaned up (e.g., removed C++ style comments,
    converted TABs to spaces).

  * Error log messages resulting from a match of regular expressions
    containing \xHH escape codes were written escaped instead of in the
    original form (1.3.x branch only).


21/02/2004 1.7.5
----------------

  * SECURITY Fixed a bug in the Apache 2.0.x branch that could allow
    remote denial of service attacks to be performed, causing
    web server instances to crash.

  * Fixed a bug in the Apache 2.0.x branch where selective output
    filtering would not work when the content type is given together
    with the encoding (i.e., "Content-Type: text/html; charset=...").
    Encoding is now ignored.

  * Fixed a bug in both branches where "SecFilterEngine DynamicOnly"
    would not scan dynamic requests that are

  * Since the Apache 1.x regex library does not seem to implement
    the "\xHH" method of escaping I've added this functionality to
    mod_security (Apache 2.x uses a different regex library where
    this works)


18/12/2003 1.8dev1
------------------

  * Added SecUploadKeepFiles directive, which allows the files
    uploaded through the web server to be kept

  * Added SecUploadDir directive, to define where files will
    be uploaded

  * Added SecUploadApproveScript directive, to allow to specify
    an external script to approve a file that is uploaded

  * Added SecUploadInMemoryLimit (Apache2 only) to specify the
    maximal amount of memory to be used for in-memory processing
    during file upload. If a file is larger than the limit the
    disk will be used.

  * Added support for multipart/form-data. Selective variable
    filtering now works when this encoding is used too.

  * Improved the configuration process, added comments to
    directives, implemented better control where directives
    can be used. These changes may cause mod_security to
    refuse to start if a directive is used at a wrong place
    (if they do you should get a meaningful message).

  * Worked around a peculiar Apache behavior that caused a
    POST body not to be logged when an ErrorDocument
    directive is used


5/12/2003 1.7.4
---------------

  * Fixed a bug that caused a request to be logged to the audit log
    even when a "nolog" action was used (and audit log was set to
    "RelevantOnly").

  * Fixed a bug in the Apache 2 version that could confuse PHP.


9/11/2003 1.7.3
---------------

  * More variables are now being normalised before rules are
    applied


28/10/2003 1.7.2
----------------

  * Added SecFilterOutputMimeTypes directive to control which
    mime types are scanned on output (to avoid scanning images
    and other binary files)

  * Added the script that converts Snort rules to mod_security
    rules to the distribution, together with a set of converted
    rules.

  * A set of rules used for regression testing is now in the
    CVS too.

  * Fixed a malloc-based buffer overflow problem in the Apache 2
    version of the module. This problem could cause segmentation
    faults in some cases. Because the problem is in the code that
    performs output scanning it could potentially be exploited
    locally (i.e. by a specially crafted PHP script).

  * Fixed a bug when a rule match was not logged together with
    a pass action. Changed behavior of the allow action to
    behave the same (rule match logged unless nolog action is
    used).

  * Fixed a problem with SecServerSignature that caused a
    real signature to be seen in some cases (on bad requests).

  * Fixed a problem with output filtering not being off by
    default (it is now).


21/10/2003 1.7.1
----------------

  * Fixed a mutex leak in Apache 2.x version of the module

  * Fixed a bug in the output scanning code of the Apache 2.x
    version of the module

  * Fixed a bug where SecAuditLog wouldn't work when set
    to "On"


18/10/2003 1.7
--------------

  * Fixed mod_security not to attempt to do any work if
    the context is not initialised properly.


24/9/2003 1.7RC1
----------------

  * Added output filtering to Apache 2.x

  * Removed the two-stage filtering process that used to take
    place in Apache 2.x (if you know what I'm talking about fine,
    if not ignore this)

  * Added the ability to filter cookies (names, values, etc) directly

  * Added SecServerSignature to mask the web server

  * Added new action, allow, to finish filter processing and let the
    request through

  * Added new action, chain, to chain several filter together (logical
    AND)

  * Added new action, skipnext, to skip over filters

  * New anti-evasion technique to fight null-byte attacks

  * Netware support (with help from Guenter Knauf)


17/8/2003 1.6
-------------

 * Windows compatibility. As this is the first Windows
   release the code should be considered of beta quality.

 * Unicode encoding validation

 * New action, pause, enables you to slow down, or completely
   confuse web vulnerability scanners

 * Switch that optimises request filtering, allowing you
   to only implement scanning on relevant resources

 * Internal chroot feature added to Apache 2

 * Fixed a POST variables parsing bug


10/7/2003 1.5.1
---------------

 * POST payload processing code for Apache 2 version
   completely rewritten.

 * Changed the SecAuditEngine parameter to take the
   following options: On, Off, DynamicOrRelevant,
   RelevantOnly. This new feature allows you to log only
   what you really need.

 * New internal chroot option available in the Apache 1
   version.

 * Fixed a problem where "+" was not decoded properly.

 * Fixed a problem where you could not use PHP CLI
   scripts in combination with the "exec" action.

 * Fixed a problem where zombie processes would remain
   after external binaries were executed using the
   "exec" action.

 * Fixed other bugs, two of which are security issues.


26/5/2003 1.5
-------------

 * Apache 2.x compatibility

 * Added SecFilterInheritance

 * Added SecFilterByteRange

 * Added SecFilterCheckURLEncoding

 * A few bug fixes

 * New web site @ www.modsecurity.org

 * Comprehensive manual


08/2/2003 1.4.2
---------------

 * Got rid of the Apache patch, the module now works
   without it!


30/1/2003 1.4.1
---------------

 * The default method of locking is now FCNTL. It
   appears that FLOCK does not work well on Solaris.
   FCNTL seems to work fine on both platforms.

 * Fixed the bug with improper calling of the
   ap_pstrcat function, which could result in
   segfaults on some platforms (Solaris)


24/1/2003 1.4
-------------

 * Several bug fixes

 * Execute an external script on pattern match

 * Perform custom redirect on pattern match

 * Added a separate debug file with configurable
   log levels

 * Cleaned up the source code, added comments and
   removed TAB characters

 * Fixed the audit logger to log complete requests

 * mod_security now creates custom headers when
   a pattern match occurs, access is denied or
   an action is taken (external script execution)

 * Introduced the ability to test for a match against
   variable names only

 * Introduced the ability to test for a match against
   variable values only

 * Added the test script in Perl for automated testing,
   plus tests for most (all) features

 * Enhanced event logging, messages are now much
   more descriptive and helpful

 * mod_security can now appear as a token in the
   server signature ("Off" by default)


09/12/2002 1.3b
---------------

Introduced selective filtering (SecFilterSelective) where you
can choose which part of the request to observe. Fixed a couple
of bugs. Added inverted filters (when the regular expression
begins with an exclamation mark) where the regular expression
must be satisfied to proceed.


22/11/2002 1.2b
---------------

Changed the approach from using mod_proxy to patching the
core server. The software is usable now. Performed some tests
and it all looks fine.


21/11/2002 1.1b
---------------

Fixed the audit part of the module to log relevant request
information, and to ignore requests to which responses are
not dynamic.
