CRS Project News August 2019

Life is interfering and the rhythm of the CRS news is not what I would like it to be. It has been three months since the last edition. The advantage, of course, is that there is more news to talk about once I get to write it all up.

What has happened in recent weeks

Significant pull requests that were merged

Things that are meant to happen in the coming weeks or thereafter

  • We are planning to release CRS 3.2. Release manager Walter Hop confirmed the following plan:
    Freeze on August 19, RC1 on August 26, RC2 on September 8, release on September 24.
    Link:
    https://github.com/coreruleset/coreruleset/issues/1496#issuecomment-518348210
  • The next CRS / ModSecurity meetups in Bern, Switzerland, will be on August 28 and thereafter on October 30.
    On August 28, we'll talk about Paranoia Levels in Practice. The program for October 30 has not been fixed yet.
    Link:
    https://www.meetup.com/CRS-ModSecurity-Meetup-Bern/
  • We are hosting a CRS Community Summit on September 25 at the RAI in Amsterdam. This is the last training day at the OWASP AppSec Global conference. The summit is meant for users of CRS, for integrators and for committers of our project. Entry to the summit is free, but if you make the trip to the Netherlands, it makes sense to combine it with the AppSec conference the next day, of course.
    The Summit will start in the early afternoon and we are going to have dinner together afterwards.
    Please get in touch if you plan to attend, so we can reserve enough seats at the RAI (and at the restaurant afterwards):
    Link:
    christian.folini / at / owasp.org
  • Christian Folini is going to present at the OWASP AppSec Global conference in Amsterdam on September 26 / 27. His talk will be about Practical CRS in high security settings.
    Link:
    https://ams.globalappsec.org/

Important pull requests in the queue

  • There is a PR for a new rule aiming at insecure unserialization in NodeJS. This is meant to be the first rule in a new rule group (REQUEST-934-APPLICATION-ATTACK-NODEJS.conf) that is going to be released together with CRS 3.2 if all goes according to plan.
    Link:
    https://github.com/coreruleset/coreruleset/pull/1487
  • Not much else of importance is in the queue. We have been very active with merging these last few weeks. There are just a few bugfixes here and there plus more tests.

News assembled by Christian Folini, CRS Co-Lead.
