CRS Project News November

This is the CRS newsletter covering the period from Early October until today.

We held our monthly community chat. We had quite a few people stop by. Special thanks to our active participants:

  • dune73
  • fzipi
  • csanders
  • franbuehler
  • emphazer
  • spartantri
  • luketheduke
  • techair
  • jose_
  • airween
  • athmane
  • bostrt

During the chat we discussed the following

  • Promotion of 3 heavy contributors to developers (@fgsch@fzipi and @spartantri)
    • Docs will be updated to reflect their promotion, congrats and thank you!!!
  • CRS Summit at AppSecEU in June in Tel Aviv (?)
    • dune73 will setup a project and let us know the status as we move along.
    • fzipi spoke at OWASP Dev Summit about WAF test data. A new license is available (
  • Testing (FTW is working when using with CRS-support/ftw#14)
    • PR is awaiting merge but seems to be working well.
    • dune73 plans to write a blog.
  • Idea to update release poster (with logo in the center)
    • We had some great press about the poster.
    • Need to check balance but Dune73 will finance privately changes.
    • Shooting for by AppSecEU
    • Idea to start to sell the release poster via a printing service like Redbubble
  • Info: CRS nominated for the German Open Source Business award (
    • Everyone is excited thank you to Dune73 for nominating us
  • Plans for new blog posts
    • Franbuehler writing up about SQL disassembly
    • dune73 writing about FTW
    • csanders-git writing about Apache vulnerability breakdown.
  • [PR #881] : Java Attacks
    • Will be assigned to csanders-git
  • [PR #884] : SQL injection probing rule split 942370
    • emphazer is working on a PR for this so it's in line with franbuelers comments.
  • [PR #896] : Command substitution backquoted version support
    • Splitting into two and fixing conflict when available.
  • [PR #899] : Dokuwiki and Nextcloud exclusion packages (work in progress)
    • Will be done when submitter has time.
  • [PR #905] : Duplicated header bypass fix and chunk support
    • csanders-git and fzipi are going to take the helm on getting this one through.
  • [PR #922] : New developers (see above)
    • Merged, need to add other testers also.
    • remove spratantri from 905 as contributor
  • Many PRs / test updates by @azhao155 (which are awesome). Bring up a question about what to do with Apache versus Nginx
    • behaviors when the underlying engine 'fixes' and issue.
    • Going to add support for multiple return status. This should take care of all the test updates.
  • [Issue #924] Tagging of CVE/CWE
    • The conversation centered around the if adding these added increased complexity of writing rules it may also muddy logs
    • Everyone agreed additional information would be nice, CVE CWE, WASC, CAPEC
    • Pushed the conversation back to the issue with regard to CVE.
  • Release 3.1 planning
    • Possible after Java fixes are done.
  • Stickers and maybe shirts (for appsec eu) using Redbubble
  • New ModSecv3 t-shirt were made, current order is empty but more may be coming

The next community chats will be held on the following dates:

  • Dec 4, 2017, 20:30 CET
  • January 8, 2018 20:30 CET (Note: The change from our normal schedule)
  • February 5, 2018 20:30 CET

Upcoming talks and talks that were just posted

Some nice new blog posts have come out on

Leave a Comment

Your email address will not be published. Required fields are marked *