Two vulnerabilities that can be used to cause a denial of service (DoS) have been fixed. The best course is to upgrade to version 2.5.9,
but if upgrading is not feasible, the two configuration changes below work around the affected areas.

PDF XSS protection engine off:
SecPdfProtect Off

The other one, the multipart request parser vulnerability (continuation lines carry a trailing backslash so Apache reads each SecRule as one directive):
###
# BEGIN TEMPORARY WORKAROUND
#
# Force URLENCODED processing so that the vulnerability is bypassed
# and the REQUEST_BODY target variable is populated, but at the
# expense of no longer being able to parse multipart form arguments.
SecRule REQUEST_HEADERS:Content-Type "multipart/form-data" \
"phase:1,t:none,t:lowercase,nolog,pass,ctl:requestBodyProcessor=URLENCODED"
#
# Deny any multipart requests with a zero length header name
SecRule REQUEST_HEADERS:Content-Type "multipart/form-data" \
"chain,phase:2,t:none,t:lowercase,deny,msg:'ModSecurity DoS attempt - NULL part header name'"
SecRule REQUEST_BODY "(?m:^--.*\x0d\x0a?:.*\x0d\x0a?--)" "t:none"
#
# END TEMPORARY WORKAROUND
###
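To see what the chained rule above actually catches, here is an added example (not code from ModSecurity or from the original post) that applies the rule's REQUEST_BODY regex to constructed multipart bodies, and beside it a small part-by-part check, find_empty_header_names (a hypothetical helper named here), that flags a zero-length part header name anywhere in a part rather than only when it is the first header line directly followed by a boundary. The sample bodies, the boundary string XYZ and the request_decision function are all constructed for this example.

```python
import re

# The regex from the chained SecRule on this page, as a bytes pattern
# (ModSecurity applies it to REQUEST_BODY). It matches a boundary line,
# then a header line whose name before the ':' is empty, then the next
# boundary line ("--").
PAGE_RULE_RE = re.compile(rb"(?m:^--.*\x0d\x0a?:.*\x0d\x0a?--)")


def page_rule_matches(body: bytes) -> bool:
    """True when the page's REQUEST_BODY regex would fire on this body."""
    return PAGE_RULE_RE.search(body) is not None


def find_empty_header_names(body: bytes, boundary: str) -> list:
    """Walk every part of a multipart/form-data body and return the 1-based
    numbers of parts that carry a header line with a zero-length name.
    Hypothetical helper added for this example; not ModSecurity code."""
    delim = b"--" + boundary.encode("ascii")
    flagged = []
    part_no = 0
    # body.split(delim)[0] is the preamble before the first boundary line
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        part_no += 1
        if chunk.startswith(b"\r\n"):        # CRLF that ends the boundary line
            chunk = chunk[2:]
        header_block = chunk.split(b"\r\n\r\n", 1)[0]
        for line in header_block.split(b"\r\n"):
            if not line:
                continue
            name = line.split(b":", 1)[0].strip()
            if name == b"":                  # "NULL part header name"
                flagged.append(part_no)
                break
    return flagged


def request_decision(headers: dict, body: bytes) -> str:
    """Mimic the phase-2 chained rule: only requests whose Content-Type
    (lowercased, as t:lowercase does) says multipart/form-data are inspected,
    and a part with an empty header name leads to 'deny'; otherwise 'pass'."""
    ctype = headers.get("Content-Type", "")
    if "multipart/form-data" not in ctype.lower():
        return "pass"
    # The boundary token is case-sensitive, so read it from the raw header.
    m = re.search(r'boundary="?([^";]+)"?', ctype)
    if m is None:
        return "pass"                        # nothing to parse in this toy check
    return "deny" if find_empty_header_names(body, m.group(1)) else "pass"


# Constructed sample bodies (boundary "XYZ").
GOOD_BODY = (
    b"--XYZ\r\n"
    b'Content-Disposition: form-data; name="field1"\r\n'
    b"\r\n"
    b"hello\r\n"
    b"--XYZ--\r\n"
)

# The shape the page's regex is written for: an empty-name header as the
# first header line, followed directly by the closing boundary.
MINIMAL_BAD = (
    b"--XYZ\r\n"
    b": no-name\r\n"
    b"--XYZ--\r\n"
)

# Same defect, but behind a valid header and with a part body: the page's
# single regex does not match this, the part-by-part check does.
HIDDEN_BAD = (
    b"--XYZ\r\n"
    b'Content-Disposition: form-data; name="field1"\r\n'
    b": no-name\r\n"
    b"\r\n"
    b"hello\r\n"
    b"--XYZ--\r\n"
)

if __name__ == "__main__":
    multipart = {"Content-Type": "multipart/form-data; boundary=XYZ"}
    for label, body in (("good", GOOD_BODY), ("minimal", MINIMAL_BAD), ("hidden", HIDDEN_BAD)):
        print(label, page_rule_matches(body), find_empty_header_names(body, "XYZ"),
              request_decision(multipart, body))
    # prints: good False [] pass / minimal True [1] deny / hidden False [1] deny
```

The chained rule is a stop-gap, which is why the post calls it temporary: the regex fires on the minimal shape only, whereas the phase-1 rule that forces URLENCODED processing is what keeps the vulnerable multipart parser out of the path altogether, at the cost of losing multipart argument parsing until 2.5.9 is installed.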

The original announcement follows.


fixes a potential DoS vulnerability discovered by "Internet Security Auditors" when parsing multipart requests as well as a potential DoS vulnerability discovered in the PDF XSS protection engine (fixed in 2.5.8). Additionally, 2.5.9 cleans up the build process and adds a few features, including atomic updates of persistent counters and macro expansion of the append/prepend actions. It is highly recommended to upgrade to this 2.5.9 release.

Please see the blog post for more information on the vulnerabilities fixed in this release:

http://blog.modsecurity.org/2009/03/modsecurity-vulnerabilities-fixed.html

------------------

change
2.5.9
-----

* Fixed parsing multipart content with a missing part header name which would crash Apache.
Discovered by "Internet Security Auditors" (isecauditors.com).

* Added ability to specify the config script directly using --with-apr and --with-apu.

* Updated copyright year to 2009.

* Added macro expansion for append/prepend action.

* Fixed race condition in concurrent updates of persistent counters. Updates are now atomic.

* Cleaned up build, adding an option for verbose configure output and making the mlogc build more portable.


2.5.8
-----

* Fixed PDF XSS issue where a non-GET request for a PDF file would crash the Apache httpd process.
Discovered by Steve Grubb at Red Hat.

* Removed an invalid "Internal error: Issuing "%s" for unspecified error." message that was logged when
denying with nolog/noauditlog set and causing the request to be audited.

-----------------------------------------------------------------------------------------------------------
Related links:
http://modsecurity.org/
http://blog.modsecurity.org/2009/03/modsecurity-vulnerabilities-fixed.html
http://sourceforge.net/project/showfiles.php?group_id=68846&package_id=67646&release_id=667542
