CRS Project News September 2018

We skipped the monthly news in August as the 3.1-RC release had been delayed into September. But here we go again with the mostly monthly newsletter of the CRS project.

The most important news is the publication of release candidate 1 for CRS 3.1.

What has happened in recent weeks

Significant pull requests that were merged

  • Development has been shifted to the new 3.2 branch, which has been declared master
  • Walter Hop contributed 2 new strings to the list of Java Struts namespaces for use in the new 944130 rule
    Link: https://github.com/coreruleset/coreruleset/pull/1177
  • Other than that, everybody is waiting for new issues to pop up with the 3.1-RC release, but it has been quiet on that front so far.

Things that are meant to happen in the coming weeks

  • We plan to release CRS 3.1 in October unless we see any roadblocks.
  • There is a strange bug in which a PL2 rule among the new Java rules in CRS 3.1-RC1 triggers. If it is a bug, it's rather a ModSecurity bug, but it's completely unclear how this is happening, as reproduction has been very cumbersome so far. What is clear is that it happens in connection with chunked transfer encoding of JSON payloads at PL2 and higher. So it is a rather peculiar situation that is relatively rare.
    Link: https://github.com/coreruleset/coreruleset/issues/1185

Important pull requests in the queue
