Pizza, pasta, pesto ... pineapple? This was one of the many important topics (and one of the most controversial) discussed at the CRS developer retreat 2022 in Italy. The annual CRS developer team retreat is always a highlight of the year, finally meeting face-to-face again and not just via chat. This time, the backdrop for …
Astronaut? Garbage truck driver? Electrical engineer? Metalsmith? In the end, Hungarian Ervin Hegedüs became a software developer. Within the Core Rule Set project, he contributes primarily to tool development and packaging. “New team members should above all be team players,” says Ervin. Ervin Hegedüs has had no shortage of interesting career ideas in his 51-year …
Meet the CRS team: Ervin, the gardening radio amateur in the background Read More »
He likes to play board games and the guitar, and he loves to fix bypasses to CRS rules: Italian Andrea Menin joined the Core Rule Set team in 2018. The most important requirement for anybody joining the project, he says, is to enjoy it. He never wanted to be a locomotive engineer or an astronaut, …
Meet the CRS team: Andrea, the musical man-in-the-middle Read More »
Yesterday, we released CRS versions 3.3.3 and 3.2.2 with important security improvements. Unfortunately, backporting the fixes from our development branch 4.0 introduced a regression which was only found after publication. As a result, some Paranoia Level 2 rules would activate even when running in Paranoia Level 1. This did not harm security but may introduce …
Release announcement covering fixes for CVE-2022-39955, CVE-2022-39956, CVE-2022-39957 and CVE-2022-39958, additional security fixes and security fixes in the latest ModSecurity releases 2.9.6 and 3.0.8. The OWASP ModSecurity Core Rule Set (CRS) team is pleased to announce the release of two new CRS versions.Edit: Updated download links now to refer to the fixed versions. Version 3.3.4 …
CRS Version 3.3.3 and 3.2.2 (covering several CVEs) Read More »
Dear all, A few months ago we happily announced the first Release Candidate for Core Rule Set 4.0. Our original plan was to finish the 4.0 release as fast as possible. However, we found ourselves in a unique situation for our project. After the Release Candidate, a large CRS user organized a CRS Bug Bounty …
The OWASP ModSecurity Core Rule Set team is proud to announce the Release Candidate 1 for the upcoming CRS v4.0.0 release. The release candidate is available from our installation page; see also the upgrade notes on that page. CRS 4 contains many important changes, such as: A plugin architecture for extending CRS and minimizing attack …
Core Rule Set v4.0.0 Release Candidate 1 available Read More »
The OWASP ModSecurity Core Rule Set project is very happy to announce Felipe Zipitría as a new and third Co-Leader. Felipe joins Walter Hop and Christian Folini in his new role. Felipe Zipitría holds a master of computer science from the University of the Republic in Montevideo, Uruguay. He worked as a system administrator for …
Early Blocking is a feature that CRS will deliver with the next major release, probably Spring 2022. You can use it immediately when deploying the latest dev / nightly build. This blog post will explain the feature, how to enable it and why it is very useful. What is Early Blocking? ModSecurity, the engine below …
In one of my previous blog posts, I introduced the CRS plugin mechanism that we are rolling out for the next major release. Check out the blog post to learn how you can start using plugins immediately, without waiting for the next release (hint: really simple). Several plugins are already available. One of them is …