CRS Version 3.3.4 and 3.2.3 fix a regression

Yesterday, we released CRS versions 3.3.3 and 3.2.2 with important security improvements.

Unfortunately, backporting the fixes from our development branch 4.0 introduced a regression which was only found after publication. As a result, some Paranoia Level 2 rules would activate even when running in Paranoia Level 1. This did not harm security but may introduce false alarms for those running in Paranoia Level 1. We have fixed this in two new releases:

Version 3.3.4 — https://github.com/coreruleset/coreruleset/releases/tag/v3.3.4
Version 3.2.3 — https://github.com/coreruleset/coreruleset/releases/tag/v3.2.3

We recommend to install the newest rules to deploy this fix. We apologize for the inconvenience.

Walter Hop
CRS Co-Lead

Leave a Comment

Your email address will not be published.