"Fossies" - the Fresh Open Source Software Archive

Member "modsecurity-2.9.7/CHANGES" (4 Jan 2023, 82916 Bytes) of package /linux/www/modsecurity-2.9.7.tar.gz:




    1 04 Jan 2023 - 2.9.7
    2 -------------------
    3 
    4  * Fix: FILES_TMP_CONTENT may sometimes lack complete content
    5    [Issue #2857 - gieltje, @airween, @dune73, @martinhsv]
    6  * Support configurable limit on number of arguments processed
    7    [Issue #2844 - @jleproust, @martinhsv]
    8  * Silence compiler warning about discarded const
    9    [Issue #2843 - @Steve8291, @martinhsv]
   10  * Support for JIT option for PCRE2
   11    [Issue #2840 - @martinhsv]
   12  * Use uid for user if apr_uid_name_get() fails
   13    [Issue #2046 - @arminabf, @marcstern]
   14  * Fix: handle error with SecConnReadStateLimit configuration
   15    [Issue #2815, #2834 - @marcstern, @martinhsv]
   16  * Only check for pcre2 install if required
   17    [Issue #2833 - @martinhsv]
   18  * Adjustment of previous fix for log messages
   19    [Issue #2832 - @marcstern, @erkia]
   20  * Mark apache error log messages as from mod_security2
   21    [Issue #2781 - @erkia]
   22  * Use pkg-config to find libxml2 first
   23    [Issue #2818 - @hughmcmaster]
   24  * Support for PCRE2 in mlogc
   25    [Issue #2737, #2827 - @martinhsv]
   26  * Support for PCRE2
   27    [Issue #2737 - @martinhsv]
   28 
   29 07 Sep 2022 - 2.9.6
   30 -------------------
   31 
   32  * Adjust parser activation rules in modsecurity.conf-recommended
   33    [Issue #2799 - @terjanq, @martinhsv]
   34  * Multipart parsing fixes and new MULTIPART_PART_HEADERS collection
   35    [Issue #2797 - @terjanq, @martinhsv]
   36  * Limit rsub null termination to where necessary
   37    [Issue #2794 - @marcstern, @martinhsv]
   38  * IIS: Update dependencies for next planned release
   39    [@martinhsv]
   40  * XML parser cleanup: NULL duplicate pointer
   41    [Issue #2760 - @martinhsv]
   42  * Properly cleanup XML parser contexts upon completion
   43    [Issue #2239 - @argenet]
   44  * Fix memory leak in streams
   45    [Issue #2208 - @marcstern, @vloup, @JamesColeman-LW]
   46  * Fix: negative usec on log line when data type long is 32b
   47    [Issue #2753 - @ABrauer-CPT, @martinhsv]
   48  * mlogc log-line parsing fails due to enhanced timestamp
   49    [Issue #2682 - @bozhinov, @ABrauer-CPT, @martinhsv]
   50  * Allow no-key, single-value JSON body
   51    [Issue #2735 - @marcstern, @martinhsv]
   52  * Set SecStatusEngine Off in modsecurity.conf-recommended
   53    [Issue #2717 - @un99known99, @martinhsv]
   54  * Fix memory leak that occurs on JSON parsing error
   55    [Issue #2236 @argenet, @vloup, @martinhsv]
   56  * Multipart names/filenames may include single quote if double-quote enclosed
   57    [Issue #2352 @martinhsv]
   58  * Add SecRequestBodyJsonDepthLimit to modsecurity.conf-recommended
   59    [Issue #2647 @theMiddleBlue, @airween, @877509395 ,@martinhsv]
   60  * IIS: Update dependencies for Windows build as of v2.9.5
   61    [@martinhsv]
   62 
   63 22 Nov 2021 - 2.9.5
   64 -------------------
   65 
   66  * Support configurable limit on depth of JSON parsing
   67    [@theMiddleBlue, @airween, @dune73, @martinhsv]
   68 
   69 21 Jun 2021 - 2.9.4
   70 -------------------
   71 
   72  * Add microsec timestamp resolution to the formatted log timestamp
   73    [Issue #2095 - @rainerjung]
   74  * Store temporaries in the request pool for regexes compiled per-request.
   75    [Issue #890, #2049 - @lightsey]
   76  * Fix other usage of the global pool for request temporaries in re_operators.c
   77    [Issue #890, #2049 - @lightsey]
   78  * Adds a sanity check before using ctl:ruleRemoveTargetById and ctl:ruleRemoveTargetByMsg.
   79    [Issue #2033 - @studersi]
   80  * Fix the order of error_msg validation
   81    [Issue #2128 - @marcstern, @zimmerle]
   82  * Added missing Geo Countries
   83    [Issue #2123, #2124 - @emphazer]
   84  * When the input filter finishes, check whether we returned data
   85    [Issue #2091, #2092 - @rainerjung]
   86  * Fix: take care of non-null-terminated chunk data
   87    [Issue #2097 - @orisano]
   88  * Fix for apr_global_mutex_create() crashes with mod_security
   89    [Issue #1957 - @blappm]
   90  * Fix inet addr handling on 64 bit big endian systems
   91    [Issue #1980 - @zimmerle, @airween]
   92 
   93 
   94 05 Dec 2018 - 2.9.3
   95 -------------------
   96 
   97  * Enable optimization for large stream input by default on IIS
   98    [Issue #1299 - @victorhora, @zimmerle]
   99  * Allow 0 length JSON requests.
  100    [Issue #1822 - @allanbomsft, @zimmerle, @victorhora, @marcstern]
  101  * Include unnamed JSON values in unnamed ARGS
  102    [Issue #1577, #1576 - @marcstern, @victorhora, @zimmerle]
  103  * Fix buffer size for utf8toUnicode transformation 
  104    [Issue #1208 - @katef, @victorhora]
  105  * Fix sanitizing JSON request bodies in native audit log format
  106    [p0pr0ck5, @victorhora]
  107  * IIS: Update Wix installer to bundle a supported CRS version (3.0)
  108    [@victorhora, @zimmerle]
  109  * IIS: Update dependencies for Windows build
  110    [Issue #1848 - @victorhora, @hsluoyz]
  111  * IIS: Set SecStreamInBodyInspection by default on IIS builds (#1299)
  112    [Issue #1299 - @victorhora]
  113  * IIS: Update modsecurity.conf
  114    [Issue #788 - @victorhora, @brianclark]
  115  * Add sanity check for a couple malloc() and make code more resilient
  116    [Issue #979 - @dogbert2, @victorhora, @zimmerl]
  117  * Fix NetBSD build by renaming the hmac function to avoid conflicts
  118    [Issue #1241 - @victorhora, @joerg, @sevan]
  119  * IIS: Windows build, fix duplicate YAJL dir in script
  120    [Issue #1612 - @allanbomsft, @victorhora]
  121  * IIS: Remove body prebuffering due to no locking in modsecProcessRequest
  122    [Issue #1917 - @allanbomsft, @victorhora]
  123  * Fix mpm-itk / mod_ruid2 compatibility
  124    [Issue #712 - @ju5t , @derhansen, @meatlayer, @victorhora]
  125  * Code cosmetics: checks if actionset is not null before using it
  126    [Issue #1556 - @marcstern, @zimmerle, @victorhora]
  127  * Only generate SecHashKey when SecHashEngine is On
  128    [Issue #1671 - @dmuey, @monkburger, @zimmerle]
  129  * Docs: Reformat README to Markdown and update dependencies
  130    [Issue #1857 - @hsluoyz, @victorhora]
  131  * IIS: no lock on ProcessRequest. No reload of config. 
  132    [Issue #1826 - @allanbomsft]
  133  * IIS: buffer request body before taking lock
  134    [Issue #1651 - @allanbomsft]
  135  * Good practices: initialize variables before using them
  136    [Issue #1889 - Marc Stern]
  137  * Let body parsers observe SecRequestBodyNoFilesLimit
  138    [Issue #1613 - @allanbomsft]
  139  * potential off by one in parse_arguments
  140    [Issue #1799 - @tinselcity, @zimmerle]
  141  * Fix utf-8 character encoding conversion
  142    [Issue #1794 - @tinselcity, @zimmerle]
  143  * Fix ip tree lookup on netmask content
  144    [Issue #1793 - @tinselcity, @zimmerle]
  145  * IIS: set overrideModeDefault to Allow so that individual websites can
  146    add <ModSecurity ...> to their web.config file
  147    [Issue #1781 - @default-kramer]
  148  * modsecurity.conf-recommended: Fix spelling
  149    [Issue #1721 - @padraigdoran]
  150  * build: fix when multiple lines for curl version
  151    [Issue #1771 - @Artistan]
  152  * Fix arabic charset in unicode_mapping file
  153    [Issue #1619 - @alaa-ahmed-a]
  154  * Optionally preallocates memory when SecStreamInBodyInspection is on
  155    [Issue #1366 - @allanbomsft, @zimmerle]
  156  * Fixed typo in build_yajl.bat
  157    [Issue #1366 - @allanbomsft]
  158  * Fixes SecConnWriteStateLimit
  159    [Issue #1545 - @nicjansma]
  160  * Added "empty chunk" check
  161    [Issue #1347, #1446 - @gravagli, @bostrt, @zimmerle]
  162  * Add capture action to @detectXSS operator
  163    [Issue #1488, #1482 - @victorhora]
  164  * Fix for wildcard operator when loading conf files on Nginx / IIS
  165    [Issue #1486, #1285 - @victorhora and @thierry-f-78]
  166  * Set of fixes to make Windows build workable with the buildbots
  167    [Commit 94fe3 - @zimmerle]
  168  * Uses LOG_NO_STOPWATCH instead of DLOG_NO_STOPWATCH
  169    [Issue #1510 - @marcstern]
  170  * Adds missing headers
  171    [Issue #1454 - @devnexen]
  172 
  173 
  174 18 Jul 2017 - 2.9.2
  175 -------------------
  176 
  177  * IIS build refactoring and dependencies update
  178    [Issue #1487 - @victorhora]
  179  * Best practice: Initialize msre_var pointers
  180    [Commit fbd57 - Allan Boll]
  181  * nginx: Obtain port from r->connection->local_sockaddr.
  182    [Commit 51314 - @defanator]
  183  * Updates libinjection to v3.10.0
  184    [Issue #1412 - @client9, @zimmerle and @bjdijk]
  185  * Avoid log flood while using SecConnEngine
  186    [Issue #1436 - @victorhora]
  187  * Make url path absolute for SecHashEngine only when it is relative
  188    in the first place.
  189    [Issue #752, #1071 - @hideaki]
  190  * Fix the hex digit size for SHA1 on msc_crypt implementation.
  191    [Issue #1354 - @zimmerle and @parthasarathi204]
  192  * Avoid flushing the XML buffer while assembling the injected HTML.
  193    [Issue #742 - @zimmerle]
  194  * Avoid additional operator invocation if last transform of a multimatch
  195    doesn't modify the input
  196    [Issue #1086, #1087 - Daniel Stelter-Gliese]
  197  * Adds a sanity check before using ctl:ruleRemoveTargetByTag.
  198    [Issue #1353 - @LukeP21 and @zimmerle]
  199  * Uses an optional global lock while manipulating collections.
  200    [Issues #1224 - @mturk and @zimmerle]
  201  * Fix collection naming problem while merging collections.
  202    [Issue #1274 - Coty Sutherland and @zimmerle]
  203  * Fix --enable-docs adding missing Makefile, modifying autoconf and filenames
  204    [Issue #1322 - @victorhora]
  205  * Change from using rand() to thread-safe ap_random_pick.
  206    [Issue #1289 - Robert Bost]
  207  * Cosmetics: added comments on odd looking code to prevent future
  208    scrutiny
  209    [Issue #1279 - Coty Sutherland]
  210  * {dis|en}able-server-context-logging: Option to disable logging of
  211    server info (log producer, sanitized objects, ...) in audit log.
  212    [Issue #1069 - Marc Stern]
  213  * Allow drop to work with mod_http2
  214    [Issue #1308, #992 - @bazzadp]
  215  * Fix SecConn(Read|Write)StateLimit on Apache 2.4
  216    [Issue #1340, #1337, #786 - Sander Hoentjen]
  217  * {dis|en}able-stopwatch-logging: Option to disable logging of stopwatches
  218    in audit log.
  219    [Issue #1067 - Marc Stern]
  220  * {dis|en}able-dechunk-logging: Option to disable logging of
  221    dechunking in audit log when log level < 9.
  222    [Issue #1068 - Marc Stern]
  223  * Updates libinjection to: da027ab52f9cf14401dd92e34e6683d183bdb3b4
  224    [ModSecurity team]
  225  * {dis|en}able-handler-logging: Option to disable logging of Apache handler
  226    in audit log
  227    [Issue #1070, #1381 - Marc Stern]
  228  * {dis|en}able-collection-delete-problem-logging: Option to disable logging of
  229    collection delete problem in audit log when log level < 9.
  230    [Issue #1380 - Marc Stern]
  231  * Adds rule id in logs whenever a rule fails.
  232    [Issue #1379, #391 - Marc Stern]
  233  * {dis|en}able-server-logging: Option to disable logging of
  234    "Server" in audit log when log level < 9.
  235    [Issue #1070 - Marc Stern]
  236  * {dis|en}able-filename-logging: Option to disable logging of filename
  237    in audit log.
  238    [Issue #1065 - Marc Stern]
  239  * Reads fuzzy hash databases on init
  240    [Issue #1339 - Robert Paprocki and @Rendername]
  241  * Changes the configuration to recognize soap+xml as XML
  242    [Issue #1374 - @emphazer and Chaim Sanders]
  243  * Fix building with nginx >= 1.11.11
  244    [Issue #1373, #1359 - Andrei Belov and Thomas Deutschmann]
  245  * Using Czechia instead of Czech Republic
  246    [Issue #1258 - Michael Kjeldsen]
  247  * {dis|en}able-rule-id-validation: Option to disable rule id validation
  248    [Issue #1150 - Marc Stern and ModSecurity team]
  249  * JSON Log: Append a newline to concurrent JSON audit logs
  250    [Issue #1233 - Robert Paprocki]
  251  * JSON Log: Don't unnecessarily rename request body parts in cleanup
  252    [Issue #1223 - Robert Paprocki]
  253  * Fix error message inside audit logs
  254    [Issue #1216 and #1073 - Armin Abfalterer]
  255  * Remove port from IPV4 address when running under IIS.
  256    [Issue #1220, #1109 and #734  - Robert Culyer]
  257  * Remove logdata and msg fields from JSON audit log rule.
  258    [Issue #1190 and #1174 - Robert Paprocki]
  259  * Better handle the json parser cleanup
  260    [Issue #1204 - Ephraim Vider]
  261  * Fix status failing to report in Nginx auditlogs
  262    [Issue #977, #1171 - @charlymps and Chaim Sanders]
  263  * Fix file upload JSON audit log entry
  264    [Issue #1181 and #1173 - Robert Paprocki and Christian Folini]
  265  * configure: Fix detection whether libcurl is linked against gnutls and,
  266    move verbose_output declaration up to the beginning.
  267    [Issue #1158 - Thomas Deutschmann (@Whissi)]
  268  * Treat APR_INCOMPLETE as APR_EOF while receiving the request body.
  269    [Issue #1060, #334 - Alexey Sintsov]
  270 
  271 
  272 Security issues
  273 
  274  * Allan Boll reported an uninitialized variable that may lead to a crash on
  275    Windows platform.
  276  * Brian Adeloye reported an infinite loop on the version of libinjection used
  277    on ModSecurity 2.9.1.
  278 
  279 
  280 09 Mar 2016 - 2.9.1
  281 -------------------
  282 
  283  * No changes.
  284 
  285 03 Feb 2016 - 2.9.1-RC1
  286 -----------------------
  287 
  288  * Added support to generate audit logs in JSON format.
  289    [Issue #914, #897, #656 - Robert Paprocki]
  290  * Creating AuditLog serial file (or parallel index) respecting the
  291    permission configured with SecAuditLogFileMode. Previously, it was
  292    used only to save the transactions while in parallel mode.
  293    [Issue #852 - @littlecho and ModSecurity team]
  294  * Checking for hashing injection response, to report in case of failure.
  295    [Issue #1041 - ModSecurity team]
  296  * Stop buffering when the request is larger than SecRequestBodyLimit
  297    in ProcessPartial mode
  298    [Issue #709, #705, #728 - Justin Gerace and ModSecurity team]
  299  * Extended Lua support to include version 5.3
  300    [Issue #837, #762, #814 - Athmane Madjoudj and ModSecurity team]
  301  * mlogc: Allows user to choose between TLS versions (TLSProtocol option
  302    introduced).
  303    [Issue #881 - Ishwor Gurung]
  304  * Allows mod_proxy's "nocanon" behavior to be specified in proxy actions
  305    [Issue #1031, #961, #763 - Mario D. Santana and ModSecurity team]
  306  * Refactoring conditional #if/#defs directives.
  307    [Issue #996 - Wesley M and ModSecurity team]
  308  * mlogc-batch-load.pl.in: fix searching SecAuditLogStorageDir
  309    files with Apache 2.4
  310    [Issue #775 - Elia Pinto]
  311  * Understands IIS 10 as compatible on Windows installer.
  312    [Issue #931 - Anton Serbulov, Pavel Vasilevich and ModSecurity team]
  313  * Fix apache logging limitation by using correct Apache call.
  314    [Issue #840 - Christian Folini]
  315  * Fix apr_crypto.h check on 32-bit Linux platform
  316    [Issue #882, #883 - Kurt Newman]
  317  * Fix variable resolution duration (Content of the DURATION variable).
  318    [Issue #662 - Andrew Elble]
  319  * Fix crash while adding empty keys to persistent collections.
  320    [Issue #927 - Eugene Alekseev, Marc Stern and ModSecurity team]
  321  * Remove misguided call to srand()
  322    [Issues #778, #781 and #836 - Michael Bunk, @gilperon]
  323  * Fix compilation problem while ssdeep is installed in non-standard
  324    location.
  325    [Issue #872 - Kurt Newman]
  326  * Fix invalid storage reference by apr_psprintf at msc_crypt.c
  327    [Issue #609 - Jeff Trawick]
  328 
  329 12 Feb 2015 - 2.9.0
  330 -------------------
  331 
  332  * Fix apr_crypto.h include, now checking if apr_crypto.h is available by
  333    checking the definition WITH_APU_CRYPTO.
  334    [martinjina and ModSecurity team]
  335 
  336 15 Dec 2014 - 2.9.0-RC2
  337 -----------------------
  338 
  339  * OpenSSL dependency was removed on MS Windows builds. ModSecurity is now using
  340    the Windows certificate storage.
  341    [Gregg Smith, Steffen and ModSecurity team]
  342  * Informs about external resources loaded/failed while reloading Apache.
  343    [ModSecurity team]
  344  * Adds missing 'ModSecurity:' prefix in some warning messages.
  345    [Walter Hop and ModSecurity team]
  346  * Refactoring external resources download warn messages. Holding the message
  347    to be displayed when Apache is ready to write on the error_log.
  348    [ModSecurity team]
  349  * Remote resources loading process is now failing in case of HTTP error.
  350    [Walter Hop and ModSecurity team]
  351  * Fixed start up crash on Apache with mod_ssl configured. Crash was happening
  352    during the download of remote resources.
  353    [Christian Folini, Walter Hop and ModSecurity team]
  354  * Curl is not a mandatory dependency to ModSecurity core anymore.
  355    [Rainer Jung and ModSecurity team]
  356 
  357 18 Nov 2014 - 2.9.0-RC1
  358 -----------------------
  359 
  360  * `pmFromFile' and `ipMatchFromFile' operators are now accepting HTTPS served
  361     files as parameter.
  362  * `SecRemoteRules' directive - allows you to specify a HTTPS served file that
  363     may contain rules in the SecRule format to be loaded into your ModSecurity
  364     instance.
  365  * `SecRemoteRulesFailAction' directive - allows you to control whether the
  366     user wants to Abort or just Warn when there is a problem while downloading
  367     rules specified with the directive: `SecRemoteRules'.
  368  * `fuzzyHash' operator - allows matching contents using fuzzy hashes.
  369  * `FILES_TMP_CONTENT' collection - makes available the content of uploaded
  370     files.
  371  * InsecureNoCheckCert - option to validate or not a chain of SSL certificates
  372    on mlogc connections.
  373  * ModSecurityIIS: ModSecurity event ID was changed from 0 to 0x1.
  374    [Issue #676 - Kris Kater and ModSecurity team]
  375  * Fixed signature on "status call": ModSecurity is now using the original
  376    server signature.
  377    [Issues #702 - Linas and ModSecurity team]
  378  * YAJL version is printed during ModSecurity initialization.
  379    [Issue #703 - Steffen (Apache Lounge) and Mauro Faccenda]
  380  * Fixed subnet representation using slash notation on the @ipMatch operator.
  381    [Issue #706 - Walter Hop and ModSecurity team]
  382  * Limited the length of a status call.
  383    [Issue #714 - 'cpanelkurt' and ModSecurity team]
  384  * Added the missing -P option to nginx regression tests.
  385    [Issue #720 - Paul Yang]
  386  * Fixed automake scripts to not use features which will be deprecated in
  387    the upcoming releases of automake.
  388    [Issue #760 - ModSecurity team]
  389  * apr-utils's LDFLAGS is now considered while building ModSecurity.
  390    [Issue #782 - Daniel J. Luke]
  391  * IIS installer is not considering IIS 6 as compatible anymore.
  392    [Issue #790 - ModSecurity team]
  393  * Fixed yajl build script: now looking for the correct header file.
  394    [Issue #804 - 'rpfilomeno' and ModSecurity team]
  395  * mlogc is now forced to use TLS 1.x.
  396    [Issue #806 - Josh Amishav-Zlatin and ModSecurity team]
  397 
  398 
  399 14 Apr 2014 - 2.8.0
  400 -------------------
  401 
  402 Bug fix
  403  * Build issue: Now using autotools to identify if sys/utsname.h is present.
  404  * Change configure.ac version to 2.8
  405 
  406 31 Mar 2014 - 2.8.0-RC1
  407 -----------------------
  408 
  409 New features
  410  * JSON Parser is no longer under tests. Now it is part of our mainline;
  411  * Connection limits (SecConnReadStateLimit/SecConnWriteStateLimit) now support white and suspicious list;
  412  * New variables: FULL_REQUEST and FULL_REQUEST_LENGTH were added, allowing the rules to access the full content of a request;
  413  * ModSecurity status is now part of our mainline;
  414  * New operator: @detectXSS was added. It makes usage of the newest libinjection XSS detection functionality;
  415  * Append and prepend are now supported on nginx (Ref: #635);
  416  * SecServerSignature is now available on nginx (Ref: #637).
  417 
  418 Improvements 
  419  * Regression tests are not able to expect different values according to the platform;
  420  * Visual C++ 12/10 runtime dependencies are now part of the IIS installer, no need to have it installed prior to ModSecurity installation (Ref: #627);
  421  * New script was added to the IIS versions to identify whether there is a missing dependency (available through the Application Menu);
  422  * Memory usage improvement: using correct memory pools according to the context (Ref: #618, #620, #619);
  423  * Independent API call to free the connection allocations, independently from the request objects, improvements on Nginx performance, vide issue for more information (Ref: #620, #648);
  424  * IIS installer is now using the correct 32/64bits folders to install;
  425  * IIS Installer 32bits now refuses to install on 64bits environments;
  426  * IIS: Using new WiX options to build the package in the correct architecture;
  427  * While installing the IIS version, the installer will remove old ModSecurityIIS configuration or files before proceeding with the installation, avoiding further errors;
  428  * CRS from IIS version was upgraded to 2.2.9;
  429  * IIS installer does not support repair anymore, in fact it was not working already and it is now disabled;
  430  * ModSecurity now warns the user who tries to use "proxy" in IIS or Nginx. Proxy is Apache only;
  431  * Remove warnings from the build process (Ref: #617);
  432  * Apache configuration in regression tests was changed making it more platform independent;
  433  * Reduced the amount of warnings during the compilation (Ref: #385a2828e87897bd611bd2a519727ef88dc6d632, #1e63e49db4a592d28e08a33fc60750c37a3886fe);
  434  * Regression tests were refactored to be more Nginx friendly;
  435  * Fixed some regression tests that were not being flexible to handle multiple platforms: (Ref #636)
  436         - Fixed config/00-load-modsec.t test case. Now it expects the Nginx loaded message as it does for Apache. (Ref: #643);
  437         - Fixed mixed/10-misc-directives.t. Now it does not expect SecServerSignature in the logs, just in the headers, as Nginx does it silently.
  438         - Fixed tnf/10-tfn-cache.t, action/10-logging.t, config/10-misc-directives.t, config/10-request-directives.t, misc/00-multipart-parser.t , misc/10-tfn-cache.t, rule/20-exceptions.t, rule/00-basics.t, rule/10-xml.t;
  439         - Increased the timeout while reading the auditlog;
  440         - SecAuditLogType Concurrent was removed from the regression test case, not compatible with all ports yet;
  441         - Regression tests were speeded up, as the number of tests are growing it is impossible to have it slow;
  442         - Fixed regression tests scripts paths, to make it MacOS friendly;
  443         - Avoiding deadlocks on Nginx regression tests by enforcing a timeout whenever a request appears to fail;
  444  * Updates to fix errors found by Parfait static code analysis (Ref: #612);
  445  * Cleaning up on the repository, by removing unused files;
  446  * IIS installer now supports performing the installation without registering the DLL on the system. It means that the user can download our MSI installer as if it were a tarball archive (Ref #629, #624);
  447  * IIS now support 32bits and 64bits pools, both are registered on IIS (Ref #628).
  448 
  449 Bug fix
  450  * Correctly handling inet_pton in IIS version;
  451  * Nginx was missing a terminator while the charset string was mounted (Ref: #148);
  452  * Added mod_extract_forwarded.c to run before mod_security2.c (Ref: #594);
  453  * Added missing environment variables to regression tests;
  454  * Build system is now more flexible by looking at liblua at: /usr/local/lib;
  455  * Fixed typo in README file.
  456  * Removed the non standard compliant HTTP response status code 44 from modsecurity recommended file (Ref: #665);
  457  * Fixed segmentation fault if it fails to write on the audit log (Ref: #668);
  458  * Not rejecting a larger request with ProcessPartial. Regression tests were also added (Ref: #597);
  459  * Fixed UTF-8 to unicode conversion. Regression tests were also added (Ref: #672);
  460  * Avoiding segmentation fault by checking if a structure is null before accessing its members;
  461  * Removed double charset-header that used to happen due to a hardcoded charset in Nginx implementation (Ref: #650);
  462  * Now alerting the users that there is no memory to proceed loading the configuration instead of just dying;
  463  * If SecRuleEngine is set to Off and SecRequestBodyAccess On Nginx returns error 500. Standalone is now capable to identify whether ModSecurity is enabled or disabled, independently of ModSecurity core (Ref: #645);
  464  * Fixed missing headers on Nginx whenever SecResponseBodyAccess was set to On and happens to be a filter on phase equal to or over 3. (Ref #634);
  465  * IIS is now picking the correct version of AppCmd while uninstalling or installing ModSecurityIIS. (Ref #632).
  466 
  467 
  468 
  469 17 Dec 2013 - 2.7.7
  470 -------------------
  471 Fixes:
  472 
  473 - Changed release version to 2.7.7
  474 - Got the configure scripts inside the release tarball
  475 
  476 
  477 16 Dec 2013 - 2.7.6 
  478 -------------------
  479 Improvements:
  480 
  481 - Organizes all Makefile.am - 1cde4d2dd9d96747536c1c25d06ba0677069477f
  482   Now using one file per line (sorted). This is the better way to handle it, since it reduces the possibility of merge conflicts.
  483 
  484 - nginx: generates config file using configure input. - 351b9cc357d439e30ebd61d89a9e38ecf55c6827
  485   The nginx config file was looking for dependencies on its own, by doing that it was ignoring the options that were passed to configure script. This commit deletes this config file and adds a meta-config which is populated by configure whenever the standalone-module is enabled.
  486 
  487 - nginx: adds lua support - da16d9e5d51d4ef8734687514a4e1368e7fb4284
  488 
  489 - iis: Cosmetic fixes on sqli. - 5046c8327ea21c69b4c0d0c0057c692b05b09fef
  490   This is needed to get it compiled with VS2011 on Windows8
  491 
  492 - Regression tests: makes configuration compatible with 2.2 and 2.4 (try 2) - ae252ee8767069363906e5a611dff487b799b839
  493 
  494 - nginx: Trying apxs and apxs2 while compiling nginx module - 65d9272fdc353e1263567b60604542d377d19672
  495 
  496 - nginx: Trying apxs and apxs2 while compiling nginx module - 35fd75d859e4a8873b8843da1db13e04a1b08140
  497 
  498 - macos: Using glibtoolize instead of libtoolize - 751a9f4e45213cd69f00c62c71edc9d7ad99b82d
  499 
  500 - regression-tests: makes configuration compatible with 2.2 and 2.4 - 6fc4cac37ab1be8d1232140042b58fe4bd93ee17
  501 
  502 - Regression test: get it working with apache 2.4 - e9813cd0d9bfc5b0c9aa5832634ec1b39b805108
  503   Changes in httpd.conf.in to get it working with apache 2.4
  504 
  505 - Code cosmetics. - 7366f35c1d80772d739b35da8faa972f92a72b97
  506   Changed to reduce the number of possible fails during Build Bot compilation.
  507 
  508 - iis: Waiting for 5 seconds before move curl directory - 9bf2959c919587ebc63f5a1b8c0785da8927bff5
  509   Testing buildbot.
  510 
  511 - Redefines unixd_set_global_mutex_perms on tests - f70f6f4281b806627e0cf0dbb9c84ae5864bdb16
  512   Avoiding conflicts with the standalone implementation
  513 
  514 - Adds verbose quality check - 388943440cc9b8c6fdea09f5e365a2e5a3e792e2
  515   Vera++ and cppcheck are not outputting to the stderr instead of stdout, allowing the buildbot to extract some numbers about it.
  516 
  517 - Adds support for coding style and quality check - b77e90152d119609ac78a7028383c3b79898b2cf
  518   Initial effort to get the code in shape. This will be executed by the buildbots as soon as they get ready for it.
  519 
  520 - iis: New improvements on the Wix installer - 2ea5a74a7bfb00f21312e51e48aa6dac03d84600
  521   * Now the installation is divided in modules: ModSecurity and CRS.
  522   * Added default configuration
  523   * Configuration was moved to "Program Files" folder
  524   * Build_msi script now using candle available in %PATH%
  525 
  526 - iis: Removes the installer helper dependency - 1a12648c9f6028f251af0f03c889397c7954b74c
  527   Now using appcmd directly with WiX instead of calling the installer helper.
  528 
  529 - iis: Remove readme.html - 550d5aae21cba696cac1ce75ab8113e5255d5a59
  530   This HTML is about "Creating a Native Module for IIS7" not straight related to ModSecurity itself.
  531 
  532 - iis: Adds batch script to compile Wix - a2c5fc831baf0b324ebb66b0f878dacf1ec2f808
  533   This batch script can be used to generate our msi installer.
  534 
  535 - iis: Adds Wix installer resources - 3604763e15a665eb7a6ecae1f7e7c65cebbb1d17
  536   This is all about cosmetic changes.
  537 
  538 - iis: Removes Post-Build event. - 28bbde1bb218b004654cb865fc8563d69b848dc2
  539   There was a copy on Post-Build event using a hard coded path. This patch removes this Post-Build event.
  540 
  541 - iis: Relative paths on the VS project file - 368617ddb2443f9b6036f80a648d467d07c9a054
  542   There are ModSecurityIIS solution and project files; those were using hard coded paths to meet the dependencies. As a consequence of the last update in our build scripts, we are now able to build the dependencies and load them into our Visual Studio project using relative paths.
  543 
  544 - iis: Adds release script - 9477118903861ce80c4c27cb581bf3462315e98e
  545 
  546 - iis: fixes the Installer.cpp coding style - 79875b1af8e8571098345b91557bab9c06eb7c88
  547 
  548 - iis: Removes AppWizard remade file - 91738f93bcc82b6ab756c550a66b6cf6af2fa9f8
  549   Apparently the AppWizard was used to generate part of this Installer, the ReadMe.txt created by the AppWizard was removed by this commit
  550 
  551 - iis: Removes pre-compiled headers - adfbeb85dcfa9466b72eebb8d1bd8eb7728bab79
  552   No need to use the pre-compiled headers in InstallerHelper, removing it, in order to keep the project lean.
  553 
  554 - iis: Moves installer to InstallerHelper - 6adf25667dd4bfa33010bd6d8ae3d35046a69967
  555   To organize the folder the Installer application was renamed to installer helper. It is not the real installer, it is just a helper which is executed during the installation phase.
  556 
  557 - iis: Removes fart dependencies - 8c3b8d81b613aaa38f28472af1eb26c90c7fc9da
  558   This commit removes the dependency on the fart.exe utility. The utility was responsible for renaming contents inside some dependencies' build files. Those modifications are no longer needed.
  559 
  560 - iis: Better err handling in build scripts. - 192599bf63b6ae5aa08e4536a90d5d0a17f969f7
  561   Now checking for errors in every step of the build phase
  562 
  563 - iis: Moves build_module.bat to build_modsecurity.bat - e25c6b2e85ced7beba4d41867dbdf30e9c1286d3
  564   The build_modsecurity.bat is now on the iis sub-directory, not in the dependencies anymore. Its content was also changed fixing all the paths.
  565 
  566 
  567 - iis: Identifies arch before unzip apache - cf5de78dfb9fffd21edf17af9e1db8f2fd83c804
  568   Currently we need the Apache binary, which could be used in 32 or 64 bits. This patch makes use of 'cl' to identify which architecture is set.
  569 
  570 - iis: Renamves winbuild to dependencies - 1447766e816a896e88c9c8f053fcc3f62797bac1
  571   Since the directory becomes all about dependencies there is no need to call it winbuild anymore.
  572 
  573 - iis: Removes unnecessary files from winbuild dir - 9f8cbf6ed8034ba42aa4967699308df09864fd18
  574   Those .mak files seem to be part of an old build system. Since the scripts are now working fine, this commit removes all those .mac files and also a CMakeList.txt and the Makefile.win.
  575 
  576 - iis: Improves the iis build system - b277e538f28c87c81c1b50925dd8b82996b88294
  577   Now checking for common errors while building. Refactoring on the build scripts, now there is this build_dependencies.bat script on the iis sub-folder. By calling this script all the dependencies should be built under the winbuild/. This commit also removes build scripts that were not needed anymore.
  578 
  579 - iis: Fixes the vcxproj file - a946a163f0ad822c760af80ca32dda61f0e6b2a9
  580   Versions of the dependencies were changed, as well as the version of Visual Studio, now 12.
  581 
  582 - iis: Removes unecessary files from the build system - 26738d2e34bcc7620047bd23180e0e26a64c71ee
  583   The following files were removed:
  584   * VCVarsQueryRegistry.bat
  585   * vcvars64.bat
  586   * vsvars32.bat
  587   The Visual Studio files can be called directly, so it is not necessary to distribute those files, at least in VS12.
  588 
  589 - iss: Changes httpd version 2.4.6 - 0a772cb0748aa51a01800e0473309b9de792b456
  590   Apache version was changed to 2.4.6 to sync with the current apache lounge version.
  591 
  592 - iis: Changes the version of the dependencies - 3e6fb41d36b7a5e98a55d8f52b88b29d1bd50b64
  593   * pcre from 8.30 to 8.33
  594   * zlib from 1.2.7 to 1.2.8
  595   * libxml2 from 2.7.7 to 2.9.1
  596   * curl from 7.24 to 7.33.0
  597 
  598 - Removes standalone/Makefile.in - e3c19d53d23c48fea337aae76a87b2a85c36a1f1
  599   Makefile.in is recommended to be in the repository whenever it is edited manually; in our case the automatically generated Makefile.in is ok.
  600 
  601 
  602 Bug Fixes:
  603 
  604 - test: Avoids conflict of fuctions definition - cef72855e4106ce29e1d39103ebf9eb9ab28f17e
  605 
  606 - test: Makes the unit tests to work again - cc982ae42ec86c79a67be1a01c6ee35fb06c272c
  607   The unit tests were not working due to a lack of updates. This patch adds the necessary stuff to have them work again.
  608 
  609 - iis: Avoids directory link while building - ad330a44bfa39430cf6340cb52971568cccdf1d6
  610   Build scripts were creating links, allowing the project to be loaded into Visual Studio without caring about the dependencies' versions. Sometimes Windows refuses to delete those links, leading the script to fail. This patch moves the source directories instead of creating links to them.
  611 
  612 - QA: Avoids the utilization of 3rd filedescriptor - 69c5ccac662f4e11a6eefd54a3e912583c067b9d
  613   No need to use a 3rd descriptor on the quality check scripts. Stderr is now redirected to stdout and filtered as needed.
  614 
  615 - Supports WarningCountingShellCommand in cppcheck and vera - baaf502363e68c3240b60adb7f7c91f5b4f0ba03
  616   WarningCountingShellCommand allows us to have some measurements on the buildbot waterfall.
  617 
  618 - iis: Using base_rules instead of activated_rules - 7b1537058fa451e0df7098cd907ef19f04102f9d
  619 
  620 - iis: Fix inet_pton build problem - a4202146b8d26b6615bbab986383fe0afae60d77
  621   There is a function named inet_pton in the Windows API, with a different signature. This patch just overrides the Windows function and points inet_pton to our implementation.
  622 
  623 - iis: Adds Wix installer xml file.c - b32cb7d9ab397160f0154aa4bd4e9638658b41e6
  624   This commit adds the Wix template to our git repository.
  625 
  626 - iis: build_modsecurity.bat fixies - 7e03e3f840375ed682c35a5bb67932461cc77013
  627   This commit enables a cleanup of the mod_security build directory, avoiding symbols with different architectures.
  628 
  629 - iis: Fix mlogc build on windows - 9b7663fa79377a0685130a019916d810f31e7478
  630   The libcurl path was not pointing to the correct directory
  631 
  632 - Fix #154, Uses addn instead of apr_table_setn - 1734221d9d3a78f9aafd68e35717da9ee1a4fe51
  633   The headers are represented in the format of an apr_table, which is able to handle elements with the same key; however, the function apr_table_setn checks if the key exists before adding the element, and if so it replaces the old value with the new one. This was making our implementation keep only the last added Cookie. The apr_table_addn function, which is now used, just adds a new item without checking for older ones.
  634 
  635 - Merge pull request #579 from zimmerle/revert_139 - 61e54f2067ae760808359926ff91d57275df1aac
  636   Revert merge request #139
  637 
  638 - Revert "Merge pull request #139 from chaizhenhua/remotes/trunk" - 7f7d00fa2c364716691df1b45779304b24a0debb
  639   This reverts commit 10fd40fb0d06f6c577d870b6f15d2f6e2a3a5b1b, reversing changes made to 414033aafa94cd50c9b310afd3f164740caccc94.
  640 
  641 - Merge pull request #578 from client9/remotes/trunk - b0c3977845f60747b15ae10531b7d20355a22627
  642   libinjection sync to v3.8.0
  643 
  644 - libinjection sync - a5f175d79fac1e69124da4e1e227b622e7e233d7
  645 
  646 - Merge pull request #152 from client9/remotes/trunk - 88ebf8a0bdbc4db1be76f3a2e70df77cc52a5925
  647   Sync to libinjection v3.7.1
  648 
  649 - libinjection sync - fcb6dc13ed6efb066fb9b70405eecab8b83a2d96
  650 
  651 - libinjection sync - f52242a013f301ca5c17e59b662124833cb7cc6d
  652 
  653 - Merge pull request #148 from zimmerle/bugfix_charset_missing_string_terminator - b76e26d81ddafc2b99bffad53d1426f8fd33080a
  654   Bugfix: missing string terminator while mounting the charset (nginx)
  655 
  656 - Bugfix: missing string terminator while mounting the charset (nginx) - ff19dcd5c53d4af61d0a9397d4616f47f80ee207
  657   The charset in headers is mounted using ngx_snprintf which does not place the string terminator. This patch adds the terminator at the end of the string. The size was correctly allocated, just missing the terminator.
  658 
  659 - Merge pull request #141 from client9/remotes/trunk - 9a630eea23a7ead4e77617c86dc937fd7a421a57
  660   libinjection sync to v3.6.0
  661 
  662 - libinjection sync - 11217207e8f2e0cf15742273836399866971071a
  663 
  664 - Merge pull request #139 from chaizhenhua/remotes/trunk - 10fd40fb0d06f6c577d870b6f15d2f6e2a3a5b1b
  665   Fixed fd leackage after reload
  666 
  667 - Merge pull request #138 from client9/remotes/trunk - 414033aafa94cd50c9b310afd3f164740caccc94
  668   libinjection sync
  669 
  670 - Fixed fd leackage after reload - e0993fcd7a166ce9e1a279a47d050af1311d9001
  671 
  672 - libinjection sync - 2268626c20260e88cab9b7830f8a06101fa7172a
  673 
  674 - Fix logical disjunction and conjunction issues - 7e0a9ecf7d492e85650671a0cfcfd53e5f15df2c
  675 
  676 Security Issues:
  677 
  678 - Fix Chunked string case sensitive issue - CVE-2013-5705 - f8d441cd25172fdfe5b613442fedfc0da3cc333d
  679   (Thanks Martin Holst Swende - @mhswende)
  680 
  681 - Revert "Fix Chuncked string case sensitive issue" - 3901128f17e0763ac1a260106b79859d2aad6d90
  682   This reverts commit 16a815a3c2735f62238ef99af26090a2b8430d3d.
  683 
  684 - Fix Chuncked string case sensitive issue - 16a815a3c2735f62238ef99af26090a2b8430d3d
  685 
  686 
  687 
  688 23 Jul 2013 - 2.7.5
  689 -------------------
  690 Improvements:
  691 
  692     * SecUnicodeCodePage is deprecated. SecUnicodeMapFile now accepts the code page as a second parameter.
  693 
  694     * Updated Libinjection to version 3.4.1. Many improvements were made.
  695 
  696     * Severity action now supports strings (emergency, alert, critical, error, warning, notice, info, debug).
  697 
  698 Bug Fixes:
  699 
  700     * Fixed utf8toUnicode tfn null byte conversion.
  701 
  702     * Fixed NGINX crash when issuing the reload command.
  703 
  704     * Fixed flush output buffer before inject modified hashed response body.
  705 
  706     * Fixed url normalization for Hash Engine.
  707 
  708     * Fixed NGINX ap_unixd_set_global_perms_mutex compilation error with apache 2.4 devel files.
  709 
  710 Security Issues:
  711 
  712 10 May 2013 - 2.7.4
  713 -------------------
  714 Improvements:
  715 
  716     * Added Libinjection project http://www.client9.com/projects/libinjection/ as a new operator @detectSQLi. (Thanks Nick Galbreath).
  717 
  718     * Added new variable SDBM_DELETE_ERROR that will be set to 1 when sdbm engine fails to delete entries.
  719 
  720     * NGINX is now set to STABLE. Thanks chaizhenhua and all the people in community who help the project testing, sending feedback and patches.
  721 
  722 Bug Fixes:
  723 
  724     * Fixed SecRulePerfTime storing unnecessary rules performance times.
  725 
  726     * Fixed Possible SDBM deadlock condition.
  727 
  728     * Fixed Possible @rsub memory leak.
  729 
  730     * Fixed REMOTE_ADDR content will receive the client ip address when mod_remoteip.c is present.
  731 
  732     * Fixed NGINX Audit engine in Concurrent mode was overwriting existing alert files because of an issue with UNIQUE_ID.
  733 
  734     * Fixed CPU 100% issue in NGINX port. This is also related to a memory leak when loading response body.
  735 
  736 Security Issues:
  737 
  738     * Fixed Remote Null Pointer Dereference (CVE-2013-2765). When forceRequestBodyVariable action is triggered and an unknown Content-Type is used,
  739       mod_security will crash trying to manipulate msr->msc_reqbody_chunks->elts because msr->msc_reqbody_chunks is NULL. (Thanks Younes JAAIDI).
  740 
  741 28 Mar 2013 - 2.7.3
  742 -------------------
  743 
  744   * Fixed IIS version race condition when module is initialized.
  745 
  746   * Fixed IIS version failing config commands in libapr.
  747 
  748   * Nginx version is now RC quality. The rule engine should work for all phases.
  749     We fixed many issues and missing features (for more information please check jira).
  750     Code is running well with latest Nginx 1.2.7 stable.
  751     Thanks chaizhenhua for your help.
  752 
  753   * Added MULTIPART_NAME and MULTIPART_FILENAME. Should be used soon by CRS
  754     and will help prevent attacks using multipart data.
  755 
  756   * Added --enable-htaccess-config configure option. It will allow the following directives
  757     to be used in .htaccess files when AllowOverride Options is set:
  758 
  759         - SecAction
  760         - SecRule
  761 
  762         - SecRuleRemoveByMsg
  763         - SecRuleRemoveByTag
  764         - SecRuleRemoveById
  765 
  766         - SecRuleUpdateActionById
  767         - SecRuleUpdateTargetById
  768         - SecRuleUpdateTargetByTag
  769         - SecRuleUpdateTargetByMsg
  770 
  771   * Improvements in the ID duplicate code checking. Should be faster now.
  772 
  773   * SECURITY: Added SecXmlExternalEntity (On|Off - default is Off) that will disable
  774     by default the external entity load task executed by LibXml2. This is a security issue
  775     [CVE-2013-1915] reported by Timur Yunusov, Alexey Osipov (Positive Technologies).
  776 
  777 21 Jan 2013 - 2.7.2
  778 -------------------
  779 
  780   * IIS version is now stable.
  781 
  782   * Fixed IIS version does not pass through POST data to ASP.NET when SecRequestBodyAccess
  783     is set to On (MODSEC-372).
  784 
  785   * Fixed IIS version HTTP Request Smuggling protection does not work (MODSEC-344).
  786 
  787   * Fixed IIS version PHP Injection Attack (958976) protection does not work (MODSEC-346).
  788 
  789   * Fixed IIS version Request limit protections are not working (MODSEC-349).
  790 
  791   * Fixed IIS version Outbound protections are not working (MODSEC-350).
  792 
  793   * Added IIS version better installer.
  794 
  795   * NGINX version removed ModSecurityPassCommand (Thanks chaizhenhua).
  796 
  797   * Fixed NGINX version ngx_http_read_client_request_body returned unexpected buffer type (Thanks chaizhenhua).
  798 
  799   * Fixed NGINX version INCS config directories on fedora (Thanks chaizhenhua).
  800 
  801   * Added NGINX version drop action for nginx (Thanks chaizhenhua).
  802 
  803   * Fixed bug in cpf_verify operator (Thanks Hideaki Hayashi).
  804 
  805   * Fixed build modsecurity under Arch Linux.
  806 
  807   * Fixed make test crashing when JIT pcre is enabled.
  808 
  809   * Fixed better cookie separator detection code.
  810 
  811   * Fixed mod_security displaying wrong ip address in error.log using apache 2.4 and mod_remoteip.
  812 
  813   * Fixed mod_security was not compiling when using apr without ipv6 support.
  814 
  815   * Fixed mod_security was not compiling when using lua 5.2.
  816 
  817   * Fixed issue when execute make install under Solaris.
  818 
  819   * Fixed ipmatchf operator was not working as expected.
  820 
  821 01 Nov 2012 - 2.7.1
  822 -------------------
  823 
  824   * Changed "Encryption" name of directives and options related to hmac feature to "Hash".
  825 
  826     SecEncryptionEngine       to SecHashEngine
  827     SecEncryptionKey          to SecHashKey
  828     SecEncryptionParam        to SecHashParam
  829     SecEncryptionMethodRx     to SecHashMethodRx
  830     SecEncryptionMethodPm     to SecHashMethodPm
  831     @validateEncryption       to @validateHash
  832     ctl:EncryptionEnforcement to ctl:HashEnforcement
  833     ctl:EncryptionEngine      to ctl:HashEngine
  834 
  835   * Added a better random bytes generator using apr_generate_random_bytes() to create
  836     the HMAC key.
  837 
  838   * Fixed byte conversion issue during logging under Linux s390x platform.
  839 
  840   * Fixed compilation bug with LibXML2 2.9.0 (Thanks Athmane Madjoudj).
  841 
  842   * Fixed parsing error with modsecurity-recommended.conf and Apache 2.4.
  843 
  844   * Fixed DROP action was disabled for Apache 2 module by mistake.
  845 
  846   * Fixed bug when using ctl:ruleRemoveTargetByTag.
  847 
  848   * Fixed IIS and NGINX modules bugs.
  849 
  850   * Fixed bug when @strmatch patterns use invalid escape sequence (Thanks Hideaki Hayashi).
  851 
  852   * Fixed bugs in @verifySSN (Thanks Hideaki Hayashi).
  853 
  854   * The doc/ directory now contains the instructions to access online documentation.
  855 
  856 15 Oct 2012 - 2.7.0
  857 -------------------
  858 
  859   * Fixed Pause action should work as a disruptive action (MODSEC-297).
  860 
  861   * Fixed Problem loading mod_env variables in phase 2 (MODSEC-226).
  862 
  863   * Fixed Detect cookie v0 separator and use it for parsing (MODSEC-261).
  864 
  865   * Fixed Variable REMOTE_ADDR with wrong IP address in NGINX version (MODSEC-337).
  866 
  867   * Fixed Errors compiling NGINX version.
  868 
  869   * Added Include directive into standalone module. IIS and NGINX module should
  870     support Include directive like Apache2.
  871 
  872   * Added MULTIPART_INVALID_PART flag. Also used in rule id 200002 for multipart strict
  873     validation (https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20121017-0_mod_security_ruleset_bypass.txt).
  874 
  875   * Updated Reference Manual.
  876 
  877 25 Sep 2012 - 2.6.8
  878 -------------------
  879 
  880   * Fixed ctl:ruleRemoveTargetByID order issue (MODSEC-333). Thanks to Armadillo Dasypodidae.
  881 
  882   * Fixed variable HIGHEST_SEVERITY incorrectly gets reset in a chain rule (MODSEC-315). Thanks to Valery Reznic.
  883 
  884 10 Sep 2012 - 2.7.0-rc3
  885 -------------------
  886 
  887  * Fixed requests bigger than SecRequestBodyNoFilesLimit were truncated even when engine mode was detection only.
  888 
  889  * Fixed double close() for multipart temporary files (Thanks Seema Deepak).
  890 
  891  * Fixed many small issues reported by Coverity Scanner (Thanks Peter Vrabek).
  892 
  893  * Fixed format string issue in nginx experimental code. (Thanks Eldar Zaitov).
  894 
  895  * Added ctl:ruleRemoveTargetByTag/Msg and removed ctl:ruleUpdateTargetByTag/Msg.
  896 
  897  * Added IIS and Nginx platform code.
  898 
  899  * Added new transformation utf8toUnicode.
  900 
  901 23 Jul 2012 - 2.6.7
  902 -------------------
  903 
  904  * Fixed explicit target replacement using SecUpdateTargetById was broken.
  905 
  906  * The ctl:ruleUpdateTargetById is deprecated and will be removed for future versions since
  907    there is no safe way to use it per-request.
  908 
  909  * Added ctl:ruleRemoveTargetById that can be used to exclude targets to be processed per-request.
  910 
  911 22 Jun 2012 - 2.7.0-rc2
  912 -------------------
  913 
  914  * Fixed compilation errors and warnings under Windows platform.
  915 
  916  * Fixed SecEncryptionKey was not working as expected.
  917 
  918 08 Jun 2012 - 2.7.0-rc1
  919 -------------------
  920 
  921  * Added SecEncryptionEngine. Initial crypt engine support, at the moment it will sign some Html
  922    and Response Header options.
  923 
  924  * Added SecEncryptionKey to define a rand or static key for crypt engine.
  925 
  926  * Added SecEncryptionParam to define the new parameter name.
  927 
  928  * Added SecEncryptionMethodRx used with a regular expression to inspect the html in response
  929    body/header and decide what to protect.
  930 
  931  * Added SecEncryptionMethodPm used with multiple or single strings to inspect the html in response
  932    body/header and decide what to protect.
  933 
  934  * Added ctl encryptionEngine as a per transaction version of SecEncryptionEngine directive.
  935 
  936  * Added ctl encryptionEnforcement that will allow the engine to sign the data but the enforcement is
  937    disabled.
  938 
  939  * Added validateEncryption operator to enforce the signed elements.
  940 
  941  * Added rsub operator supports the syntax |hex| allowing users to use special chars like \n \r.
  942 
  943  * Added SecRuleUpdateTargetById now supports id range.
  944 
  945  * Added SecRuleUpdateTargetByMsg and its ctl version (Thanks Scott Gifford).
  946 
  947  * Added SecRuleUpdateTargetByTag and its ctl version (Thanks Scott Gifford).
  948 
  949  * Added SecRulePerfTime when greater than zero it will fill rule id's execution time into PERF_RULE
  950    and log id=usec information in the new Perf-rule-info: line in part H.
  951 
  952  * Added PERF_RULES variable that contains rule execution time.
  953 
  954  * Added Engine-mode: section in part H.
  955 
  956  * Added ruleRemoveByMsg ctl version.
  957 
  958  * Added removeCommentsChar and removeComments now can work with <!-- --> style.
  959 
  960  * Added SecArgumentSeparator and SecCookieFormat can be used in different scope locations.
  961 
  962  * Added Rules must have ID action and must be numeric.
  963 
  964  * Added The use of tfns is deprecated in SecDefaultAction. Should be forbidden in the future.
  965 
  966  * Added Macro expansion support to the action pause.
  967 
  968  * Added IpmatchFromFile/IpmatchF operator.
  969 
  970  * Added New setrsc action, the RESOURCE collection used SecWebAppId Name Space
  971 
  972  * Added Configure option --enable-cache-lua that allows reuse of Lua VM per transaction.
  973    It will only take any effect when ModSecurity has multiple scripts to run per transaction.
  974 
  975  * Added Configure option --enable-pcre-jit that allows ModSecurity regex engine to use PCRE Jit support.
  976 
  977  * Added Configure option --enable-request-early that allows ModSecurity run phase 1 in post_read_request hook.
  978 
  979  * Added RBL operator now support the httpBl api (http://www.projecthoneypot.org/httpbl_api.php).
  980 
  981  * Added SecHttpBlKey to be used with httpBl api.
  982 
  983  * Added SecSensorId will specify the modsecurity sensor name into audit log part H.
  984 
  985  * Added aliases to phase:2 (phase:request), phase:4 (phase:response) and phase:5 (phase:logging).
  986 
  987  * Added USERAGENT_IP variable. Created when Apache24 is used with mod_remoteip to know the real
  988    client ip address.
  989 
  990  * Added new rule metadata actions ver, maturity and accuracy. Also included into RULE collection.
  991 
  992  * Updated Reference manual into doc/ directory.
  993 
  994  * Fixed Variable DURATION contains the elapsed time in microseconds for compatibility reasons with apache and
  995    other variables.
  996 
  997  * Fixed Preserve names/identity of the variables going into MATCHED_VARS.
  998 
  999  * Fixed Redirect macro expansion does not work in SecDefaultAction when SecRule uses block action.
 1000 
 1001  * Fixed rsub operator does not work as expected if regex contains parentheses (Thanks Jerome Freilinger).
 1002 
 1003  * Current Google Safe Browsing implementation is deprecated. Google changed the API and no longer allows
 1004    the malware database to be downloaded.
 1005 
 1006 08 Jun 2012 - 2.6.6
 1007 -------------------
 1008 
 1009  * Added build system support for KfreeBSD and HURD.
 1010 
 1011  * Fixed a multipart bypass issue related to quote parsing.
 1012    Credits to Qualys Vulnerability & Malware Research Labs (VMRL).
 1013 
 1014 20 Mar 2012 - 2.6.5
 1015 -------------------
 1016 
 1017  * Fixed increased a specific message debug level in SDBM code (MODSEC-293).
 1018 
 1019  * Cleanup build system.
 1020 
 1021 09 Mar 2012 - 2.6.4
 1022 -------------------
 1023 
 1024  * Fixed Mlogc 100% CPU consumption (Thanks Klaubert Herr and Ebrahim Khalilzadeh).
 1025 
 1026  * Fixed ModSecurity cannot load session and user sdbm data.
 1027 
 1028  * Fixed updateTargetById was creating rule unparsed content making apache memory grow.
 1029 
 1030  * Code cleanup.
 1031 
 1032 23 Feb 2012 - 2.6.4-rc1
 1033 -------------------
 1034 
 1035  * Fixed @rsub adding garbage data into stream variables.
 1036 
 1037  * Fixed regex for section A into mlogc-batch-load.pl (Thanks Ebrahim Khalilzadeh).
 1038 
 1039  * Fixed logdata cuts message without closing it with final chars.
 1040 
 1041  * Added sanitizeMatchedBytes support to verifyCPF, verifyCC and verifySSN.
 1042 
 1043 
 1044 06 Dec 2011 - 2.6.3-rc1
 1045 -------------------
 1046 
 1047 * Fixed MATCHED_VARS does not correctly handle multiple VARS with the same name.
 1048 
 1049 * Fixed SDBM garbage collection was not working as expected, increasing the size of files.
 1050 
 1051 * Fixed wrong timestamp calculation for some time zones in log files.
 1052 
 1053 * Fixed SecUpdateTargetById failed to load multiple VARS (MODSEC-270).
 1054 
 1055 * Fixed Reverted hexDecode for hexEncode compatibility reason.
 1056 
 1057 * Added SecCollectionTimeout to set collection timeout, default is 3600.
 1058 
 1059 * Added sqlHexDecode transformation to decode sql hex data. Thanks Marc Stern.
 1060 
 1061 30 Sep 2011 - 2.6.2
 1062 -------------------
 1063 
 1064  * Fixed hexDecode test during make.
 1065 
 1066  * Updated the reference manual into doc/ directory.
 1067 
 1068 5 Sep 2011 - 2.6.2-rc1
 1069 -------------------
 1070 
 1071  * Added support to macro expansion for rx operator.
 1072 
 1073  * Added new transformations removeComments and removeCommentsChars
 1074 
 1075  * Fixed collection names are not case-sensitive anymore.
 1076 
 1077  * Fixed compilation errors with apache 2.0.
 1078 
 1079  * Fixed build system was not using some libraries CFLAGS.
 1080 
 1081  * Fixed check for valid hex values into hexDecode transformation.
 1082 
 1083  * Fixed ctl:ruleUpdateTargetById appending multiple targets.
 1084 
 1085 18 Jun 2011 - 2.6.1
 1086 -------------------
 1087 
 1088  * Updated the reference manual into doc/ directory.
 1089 
 1090 11 Jul 2011 - trunk
 1091 -------------------
 1092 
 1093  * Add HttpBl support to rbl operator.
 1094 
 1095 30 Jun 2011 - 2.6.1-rc1
 1096 -------------------
 1097 
 1098  * Fixed SecUploadFileMode doesn't work with the new build system.
 1099 
 1100  * Fixed building with Lua library (Thanks Diego Elio).
 1101 
 1102  * Fixed some ./configure --enable* features not being enabled in compilation time.
 1103 
 1104  * Improvements on GSB database add/search operations.
 1105 
 1106  * Log part K was removed from modsecurity.conf-recommended.
 1107 
 1108  * Added SecUnicodeMapFile directive. Must be used to load the unicode.mapping file.
 1109 
 1110  * Added SecUnicodeCodePage directive. Used to define the unicode code page. There are a few already available:
 1111 
 1112     1250  (ANSI - Central Europe)
 1113     1251  (ANSI - Cyrillic)
 1114     1252  (ANSI - Latin I)
 1115     1253  (ANSI - Greek)
 1116     1254  (ANSI - Turkish)
 1117     1255  (ANSI - Hebrew)
 1118     1256  (ANSI - Arabic)
 1119     1257  (ANSI - Baltic)
 1120     1258  (ANSI/OEM - Viet Nam)
 1121     20127 (US-ASCII)
 1122     20261 (T.61)
 1123     20866 (Russian - KOI8)
 1124     28591 (ISO 8859-1 Latin I)
 1125     28592 (ISO 8859-2 Central Europe)
 1126     28605 (ISO 8859-15 Latin 9)
 1127     37    (IBM EBCDIC - U.S./Canada)
 1128     437   (OEM - United States)
 1129     500   (IBM EBCDIC - International)
 1130     850   (OEM - Multilingual Latin I)
 1131     860   (OEM - Portuguese)
 1132     861   (OEM - Icelandic)
 1133     863   (OEM - Canadian French)
 1134     865   (OEM - Nordic)
 1135     874   (ANSI/OEM - Thai)
 1136     932   (ANSI/OEM - Japanese Shift-JIS)
 1137     936   (ANSI/OEM - Simplified Chinese GBK)
 1138     949   (ANSI/OEM - Korean)
 1139     950   (ANSI/OEM - Traditional Chinese Big5)
 1140 
 1141     Also mapping some extra unicode chars defined at http://tools.ietf.org/html/rfc3490#section-3.1
 1142 
 1143  * Fixed SecRequestBodyLimit was truncating the real request body.
 1144 
 1145 18 May 2011 - 2.6.0
 1146 -------------------
 1147 
 1148  * Added SecWriteStateLimit for Slow Post DoS mitigation.
 1149 
 1150  * Fix problem when buffering in input filter.
 1151 
 1152  * Fix memory leak when use MATCHED_VAR_NAMES.
 1153 
 1154 
 1155 2 May 2011 - 2.6.0-rc2
 1156 -------------------
 1157 
 1158  * Added code optimizations - thanks Diego Elio.
 1159 
 1160  * Added support to AIX and HPUX in the build system (untested).
 1161 
 1162  * Renamed decodeBase64Ext to base64DecodeExt.
 1163 
 1164  * Build system improvements - thanks Diego Elio.
 1165 
 1166  * Improvements on gsblookup parser.
 1167 
 1168  * Fixed input filter bug when upload files and SecStreamInBodyInspect is enabled.
 1169 
 1170  * Logging improvements and bug fix.
 1171 
 1172  * Remove extra useless files when make clean and maintainer-clean
 1173 
 1174 18 Apr 2011 - 2.6.0-rc1
 1175 -------------------
 1176 
 1177  * Replaced previous GPLv2 License to Apachev2.
 1178 
 1179  * Added Google Safe Browsing lookups operator and directive. It should be
 1180    used to extract and lookup urls from http packets.
 1181 
 1182  * Added Data Modification operator. It must be used with STREAM_* variables
 1183    to replace/add/edit any data from http bodies.
 1184 
 1185  * Added STREAM_OUTPUT_BODY and STREAM_INPUT_BODY variables to work with data
 1186    modification operators.
 1187 
 1188  * Added fast ip address operator. It supports partial ip address, cidr for
 1189    IPv4 and IPv6. Thanks Tom Donovan.
 1190 
 1191  * Added new sensitive data tracking verifyCPF and verifySSN.
 1192 
 1193  * Added MATCHED_VARS and MATCHED_VARS_NAMES. It is similar to MATCHED_VAR,
 1194    but now we should see all matched variables.
 1195 
 1196  * Added UNIQUE_ID variable. It holds the data created by mod_unique_id.
 1197 
 1198  * Added new transformation cmdline. Thanks Marc Stern.
 1199 
 1200  * Added new exception handling operators and directives. It should help users
 1201    reduce FN and FPs. The directives SecRuleUpdateTargetById, SecRuleRemoveByTag
 1202    and its ctl actions were included.
 1203 
 1204  * Added SecStreamOutBodyInspection and SecStreamInBodyInspection to enable STREAM_*
 1205    variables.
 1206 
 1207  * Added SecGsbLookupDB used to load Google Safe Browsing malware database into
 1208    memory.
 1209 
 1210  * Added the directive SecInterceptOnError to control what to do if a rule returns
 1211    values less than zero.
 1212 
 1213  * Improvements in DetectionOnly engine mode. Also added SecRequestBodyLimitAction
 1214    to control what to do if the engine receives an HTTP request over a hard limit.
 1215    Note that there are now many combinations with SecRuleEngine and the limit action
 1216    directives for response and request data. Please see the reference manual.
 1217 
 1218  * Improvements under RBL operator. It now will parse return code values for some
 1219    RBL lists.
 1220 
 1221  * Added new Log Part J. It should log some information about uploaded files.
 1222 
 1223  * Added new sanitizeMatchedBytes action. It will give more flexibility for user to sanitize
 1224    logged data, also improving performance when sanitizing big amounts of data.
 1225 
 1226  * Improvements on Logging phase. It is possible now see full chains, distinguish between
 1227    simple rules, chain starters and chain nodes.
 1228 
 1229  * Improvements on AutoTools usage.
 1230 
 1231  * Improvements on pattern matching operators, pmf, pm and strmatch now supports more flexible
 1232    input data allowing any kind of special char.
 1233 
 1234  * Improvements on SecRuleUpdateActionById to update chain nodes.
 1235 
 1236  * Many bugs were fixed. Please see the ModSecurity Jira for more details.
 1237 
 1238 
 1239 19 Mar 2010 - trunk
 1240 -------------------
 1241 
 1242  * Added SecDisableBackendCompression, which disables backend compression
 1243    while keeping the frontend compression enabled (assuming mod_deflate
 1244    is installed and configured in the proxy). [Ivan Ristic]
 1245 
 1246  * Added REQUEST_BODY_LENGTH, which contains the number of request body
 1247    bytes read. [Ivan Ristic]
 1248 
 1249  * Integrate with mod_log_config using the %{VARNAME}M format string.
 1250    (MODSEC-108) [Ivan Ristic]
 1251 
 1252  * Replaced the previous time-measuring mechanism with a new one, which
 1253    provides the following information: request time, request duration,
 1254    phase duration (for all 5 phases), time spent dealing with persistent
 1255    storage, and time spent on audit logging. The new information is now
 1256    available in the Stopwatch2 audit log header. The Stopwatch header
 1257    remains for backward compatibility, although it now only includes
 1258    the request time and request duration values. Added the following
 1259    variables: PERF_COMBINED, PERF_PHASE1, PERF_PHASE2, PERF_PHASE3,
 1260    PERF_PHASE4, PERF_PHASE5, PERF_SREAD, PERF_SWRITE, PERF_LOGGING,
 1261    PERF_GC. [Ivan Ristic]
 1262 
 1263  * Added DURATION, which contains the time elapsed since the beginning
 1264    of the current transaction, in milliseconds. [Ivan Ristic]
 1265 
 1266  * Adjusted phase 5 to execute just prior to mod_log_config. This should
 1267    allow phase 5 rules to implement conditional logging, as well as
 1268    pave support for allowing access to all ModSecurity variables from
 1269    mod_log_config. [Ivan Ristic]
 1270 
 1271  * Added the URLENCODED_ERROR flag, which is raised whenever invalid URL
 1272    encoding is encountered in the query string or in the request body
 1273    (but only if URLENCODED request body processor is used). (MODSEC-111)
 1274    [Ivan Ristic]
 1275 
 1276  * Removed the obsolete PDF UXSS functionality. (MODSEC-96) [Ivan Ristic]
 1277 
 1278  * Renamed normalisePath to normalizePath and normalisePathWin to
 1279    normalizePathWin. Kept the previous names for backward compatibility.
 1280    (MODSEC-103) [Ivan Ristic]
 1281 
 1282  * Moved phase 1 to be run in the same Apache hook as phase 2. This means
 1283    that you can now have phase 1 rules in <Location> tags and, more
 1284    importantly, override server configuration in <Location> and others.
 1285    (MODSEC-98) [Ivan Ristic]
 1286 
 1287  * Renamed the sanitise family of actions to sanitize. Kept the old variants
 1288    for backward compatibility. (MODSEC-95) [Ivan Ristic]
 1289 
 1290  * Improve the logging of the ctl action. (MODSEC-99) [Ivan Ristic]
 1291 
 1292  * Cleanup build files that were from the Apache source.
 1293 
 1294 
 1295 14 Feb 2010 - 2.5.13-dev1
 1296 -------------------------
 1297 
 1298  * Cleaned up some mlogc code and debugging output.
 1299 
 1300  * Remove the ability to use a relative path to a piped audit logger
 1301    (i.e. mlogc) as Apache does not support it in their piped loggers
 1302    and it was breaking Windows and probably other platforms that
 1303    use spaces in filesystem paths.  Discovered by Tom Donovan.
 1304 
 1305  * Fix memory leak freeing regex.  Discovered by Tom Donovan.
 1306 
 1307  * Fix some portability issues on Windows.
 1308 
 1309 
 1310 04 Feb 2010 - 2.5.12
 1311 --------------------
 1312 
 1313  * Fixed SecUploadFileMode to set the correct mode.
 1314 
 1315  * Fixed nolog,auditlog/noauditlog/nolog controls for disruptive actions.
 1316 
 1317  * Added additional file info definitions introduced in APR 0.9.5 so that
 1318    build will work with older APRs (IBM HTTP Server v6).
 1319 
 1320  * Added SecUploadFileLimit to limit the number of uploaded file parts that
 1321    will be processed in a multipart POST.  The default is 100.
 1322 
 1323  * Fixed path normalization to better handle backreferences that extend
 1324    above root directories.  Reported by Sogeti/ESEC R&D.
 1325 
 1326  * Trim whitespace around phrases used with @pmFromFile and allow
 1327    for both LF and CRLF terminated lines.
 1328 
 1329  * Allow for more robust parsing for multipart header folding.  Reported
 1330    by Sogeti/ESEC R&D.
 1331 
 1332  * Fixed failure to match internally set TX variables with regex
 1333    (TX:/.../) syntax.
 1334  
 1335  * Fixed failure to log full internal TX variable names and populate
 1336    MATCHED_VAR* vars.
 1337 
 1338  * Enabled PCRE "studying" by default.  This is now a configure-time option.
 1339 
 1340  * Added PCRE match limits (SecPcreMatchLimit/SecPcreMatchLimitRecursion) to
 1341    aid in mitigating REDoS type attacks.  A rule that goes over the limits will set
 1342    TX:MSC_PCRE_LIMITS_EXCEEDED.  It is intended that the next major release
 1343    of ModSecurity (2.6.x) will move these flags to a dedicated collection.
 1344 
 1345  * Reduced default PCRE match limits reducing impact of REDoS on poorly
 1346    written regex rules.  Reported by Sogeti/ESEC R&D.
 1347 
 1348  * Fixed memory leak in v1 cookie parser.  Reported by Sogeti/ESEC R&D.
 1349 
 1350  * Now support macro expansion in numeric operators (@eq, @ge, @lt, etc.)
 1351 
 1352  * Update copyright to 2010.
 1353 
 1354  * Reserved 700,000-799,999 IDs for Ivan Ristic.
 1355 
 1356  * Fixed SecAction not working when CONNECT request method is used
 1357    (MODSEC-110). [Ivan Ristic]
 1358 
 1359  * Do not escape quotes in macro resolution and only escape NUL in setenv
 1360    values.
 1361 
 1362 
 1363 04 Nov 2009 - 2.5.11
 1364 --------------------
 1365 
 1366  * Added a new multipart flag, MULTIPART_INVALID_QUOTING, which will be
 1367    set true if any invalid quoting is found during multipart parsing.
 1368 
 1369  * Fixed parsing quoted strings in multipart Content-Disposition headers.
 1370    Discovered by Stefan Esser.
 1371 
 1372  * Cleanup persistence database locking code.
 1373 
 1374  * Added warning during configure if libcurl is found linked against
 1375    gnutls for SSL.  The openssl lib is recommended as gnutls has
 1376    proven to cause issues with mutexes and may crash.
 1377 
 1378  * Cleanup some mlogc (over)logging.
 1379 
 1380  * Do not log output filter errors in the error log.
 1381 
 1382  * Moved output filter to run before other stock filters (mod_deflate,
 1383    mod_cache, mod_expires, mod_filter) to avoid analyzing modified data
 1384    in the response. Patch originally submitted by Ivan Ristic.
 1385 
 1386 
 1387 18 Sep 2009 - 2.5.10
 1388 --------------------
 1389 
 1390  * Cleanup mlogc so that it builds on Windows.
 1391 
 1392  * Added more detailed messages to replace "Unknown error" in filters.
 1393 
 1394  * Added SecAuditLogDirMode and SecAuditLogFileMode to allow fine tuning
 1395    auditlog permissions (especially with mpm-itk).
 1396 
 1397  * Cleanup SecUploadFileMode implementation.
 1398 
 1399  * Cleanup build scripts.
 1400 
 1401  * Fixed crash on configuration if SecMarker is used before any rules.
 1402 
 1403  * Fixed SecRuleUpdateActionById so that it will work on chain starters.
 1404 
 1405  * Cleanup build system for mlogc.
 1406 
 1407  * Allow mlogc to periodically flush memory pools.
 1408 
 1409  * Using nolog,auditlog will now log the "Message:" line to the auditlog, but
 1410    nothing to the error log.  Prior versions dropped the "Message:" line from
 1411    both logs.  To do this now, just use "nolog" or "nolog,noauditlog".
 1412 
 1413  * Forced mlogc to use SSLv3 to avoid some potential auto negotiation
 1414    issues with some libcurl versions.
 1415 
 1416  * Fixed mlogc issue seen on big endian machines where content type
 1417    could be listed as zero.
 1418 
 1419  * Removed extra newline from audit log message line when logging XML errors.
 1420    This was causing problems parsing audit logs.
 1421 
 1422  * Fixed @pm/@pmFromFile case insensitivity.
 1423 
 1424  * Truncate long parameters in log message for "Match of ... against ...
 1425    required" messages.
 1426 
 1427  * Correctly resolve chained rule actions in logs.
 1428 
 1429  * Cleanup some code for portability.
 1430 
 1431  * AIX does not support hidden visibility with xlc compiler.
 1432 
 1433  * Allow specifying EXTRA_CFLAGS during configure to override gcc specific
 1434    values for non-gcc compilers.
 1435 
 1436  * Populate GEO:COUNTRY_NAME and GEO:COUNTRY_CONTINENT as documented.
 1437 
 1438  * Handle a newer geo database more gracefully, avoiding a potential crash for
 1439    new countries that ModSecurity is not yet aware of.
 1440 
 1441  * Allow checking &GEO "@eq 0" for a failed @geoLookup.
 1442 
 1443  * Fixed mlogc global mutex locking issue and added more debugging output.
 1444 
 1445  * Cleaned up build dependencies and configure options.
 1446 
 1447 
 1448 05 Mar 2009 - 2.5.9
 1449 -------------------
 1450 
 1451  * Fixed parsing multipart content with a missing part header name which
 1452    would crash Apache.  Discovered by "Internet Security Auditors"
 1453    (isecauditors.com).
 1454 
 1455  * Added ability to specify the config script directly using --with-apr
 1456    and --with-apu.
 1457 
 1458  * Updated copyright year to 2009.
 1459 
 1460  * Added macro expansion for append/prepend action.
 1461 
 1462  * Fixed race condition in concurrent updates of persistent counters.  Updates
 1463    are now atomic.
 1464 
 1465  * Cleaned up build, adding an option for verbose configure output and making
 1466    the mlogc build more portable.
 1467 
 1468  
 1469 21 Nov 2008 - 2.5.8
 1470 -------------------
 1471 
 1472  * Fixed PDF XSS issue where a non-GET request for a PDF file would crash the
 1473    Apache httpd process.  Discovered by Steve Grubb at Red Hat.
 1474 
 1475  * Removed an invalid "Internal error: Issuing "%s" for unspecified error."
 1476    message that was logged when denying with nolog/noauditlog set and
 1477    causing the request to be audited.
 1478  
 1479   
 1480 24 Sep 2008 - 2.5.7
 1481 -------------------
 1482 
 1483  * Fixed XML DTD/Schema validation which will now fail after request body
 1484    processing errors, even if the XML parser returns a document tree.
 1485 
 1486  * Added ctl:forceRequestBodyVariable=on|off which, when enabled, will force
 1487    the REQUEST_BODY variable to be set when a request body processor is not set.
 1488    Previously the REQUEST_BODY target was only populated by the URLENCODED
 1489    request body processor.
 1490 
 1491  * Integrated mlogc source.
 1492 
 1493  * Fixed logging the hostname in the error_log which was logging the
 1494    request hostname instead of the Apache resolved hostname.
 1495 
 1496  * Allow for disabling request body limit checks in phase:1.
 1497 
 1498  * Added transformations for processing parity for legacy protocols ported
 1499    to HTTP(S): t:parityEven7bit, t:parityOdd7bit, t:parityZero7bit
 1500 
 1501  * Added t:cssDecode transformation to decode CSS escapes.
 1502 
 1503  * Now log XML parsing/validation warnings and errors to be in the debug log
 1504    at levels 3 and 4, respectively.
 1505 
 1506 
 1507 31 Jul 2008 - 2.5.6
 1508 -------------------
 1509   
 1510  * Transformation caching has been deprecated, and is now off by default. We
 1511    now advise against using transformation caching in production.
 1512    
 1513  * Fixed two separate transformation caching issues that could cause incorrect
 1514    content inspection in some circumstances.
 1515    
 1516  * Fixed an issue with the transformation cache using too much RAM, potentially
 1517    crashing Apache with a large number of cache entries. Two new configuration
 1518    options have been added to allow for a finer control of caching:
 1519    
 1520      maxitems: Max number of items to cache (default 1024)
 1521      incremental: Whether to cache incrementally (default off)
 1522 
 1523  * Added an experimental regression testing suite. The regression suite may
 1524    be executed via "make test-regression", however it is strongly advised 
 1525    to only be executed on a non-production machine as it will startup the
 1526    Apache web server that ModSecurity is compiled against with various
 1527    configurations in which it will run tests.
 1528 
 1529  * Added a licensing exception so that ModSecurity can be used in a derivative
 1530    work when that derivative is also under an approved open source license.
 1531 
 1532  * Updated mlogc to version 1.4.5 which adds a LockFile directive and fixes an
 1533    issue in which the configuration file may be deleted.
 1534 
 1535 
 1536 05 Jun 2008 - 2.5.5
 1537 -------------------
 1538 
 1539  * Fixed an issue where an alert was not logged in the error log
 1540    unless "auditlog" was used.
 1541 
 1542  * Enable the "auditlog" action by default to help prevent a misconfiguration.
 1543    The new default is now: "phase:2,log,auditlog,pass"
 1544 
 1545  * Improve request body processing error messages.
 1546 
 1547  * Handle lack of a new line after the final boundary in a multipart request.
 1548    This fixes the reported WordPress Flash file uploader problem.
 1549 
 1550  * Fixed issue with multithreaded servers where concurrent XML processing
 1551    could crash the web server (at least under Windows).
 1552 
 1553  * Fixed blocking in phase 3.
 1554 
 1555  * Force modules "mod_rpaf-2.0.c" and "mod_custom_header.c" to run before
 1556    ModSecurity so that the correct IP is used.
 1557 
 1558 
 1559 07 May 2008 - 2.5.4
 1560 -------------------
 1561 
 1562  * Fixed issue where transformation cache was using the SecDefaultAction
 1563    value even when t:none was used within a rule.
 1564 
 1565 
 1566 24 Apr 2008 - 2.5.3
 1567 -------------------
 1568 
 1569  * Fixed issue where the exec action may not be able to execute shell scripts.
 1570 
 1571  * Macros are now expanded in expirevar and deprecatevar.
 1572 
 1573  * Fixed crash if a persistent variable name was more than 126 characters.
 1574 
 1575  * Updated included Core Ruleset to version 1.6.1 which fixes some
 1576    false negative issues in the migration to using some 2.5 features.
 1577 
 1578 
 1579 02 Apr 2008 - 2.5.2
 1580 -------------------
 1581 
 1582  * Allow HTTP_* targets as an alias for REQUEST_HEADERS:*.
 1583 
 1584  * Make sure temporary filehandles are closed after a transaction.
 1585 
 1586  * Make sure the apache include directory is included during build.
 1587 
 1588 
 1589 02 Apr 2008 - 2.1.7
 1590 -------------------
 1591 
 1592  * Make sure temporary filehandles are closed after a transaction.
 1593 
 1594 
 1595 14 Mar 2008 - 2.5.1
 1596 -------------------
 1597 
 1598  * Fixed an issue where a match would not occur if transformation caching
 1599    was enabled.
 1600 
 1601  * Using "severity" in a default action is now just a warning.
 1602 
 1603  * Cleaned up the "make test" target to better locate headers/libraries.
 1604 
 1605  * Now search /usr/lib64 and /usr/lib32 for lua libs.
 1606 
 1607  * No longer treat warnings as errors by default (use --enable-strict-compile).
 1608 
 1609 
 1610 19 Feb 2008 - 2.5.0
 1611 -------------------
 1612 
 1613  * Updated included Core Ruleset to version 1.6.0 which uses 2.5 features.
 1614 
 1615  * Cleaned up and clarified some documentation.
 1616 
 1617  * Updated code to be more portable so it builds with MS VC++.
 1618 
 1619  * Added unit tests for most operators and transformations.
 1620 
 1621  * Fixed crash on startup when ENV is improperly used without a parameter.
 1622 
 1623  * Allow macro resolution in setenv action.
 1624 
 1625  * The default action is now a minimal "phase:2,log,pass" with no default
 1626    transformations performed.
 1627 
 1628  * Implemented SecUploadFileMode to allow setting the mode for uploaded files.
 1629 
 1630  * Implemented "block" action.
 1631 
 1632  * Implemented SecRuleUpdateActionById.
 1633 
 1634  * Fixed removal of phase 5 rules via SecRuleRemoveBy* directives.
 1635 
 1636  * No longer log the query portion of the URI in the error log as
 1637    it may contain sensitive data.
 1638 
 1639  * Build is now 'configure' based: ./configure && make && make install
 1640 
 1641  * Added support for Lua scripting in the following ways: SecRuleScript
 1642    can be used to specify a script to execute as a rule, the exec
 1643    action processes Lua scripts internally, as does the @inspectFile
 1644    operator. Refer to the documentation for more details.
 1645 
 1646  * Changed how allow works. Used on its own it now allows phases 1-4. Used
 1647    with parameter "phase" (e.g. SecAction allow:phase) it only affects
 1648    the current phase. Used with parameter "request" it allows phases
 1649    1-2.
 1650 
 1651  * Fixed issue where only the first phase 5 rule would run when the
 1652    request was intercepted in an earlier phase.
 1653 
 1654  * Stricter configuration parsing.  Disruptive actions, meta actions and
 1655    phases are no longer allowed in a chained rule.  Disruptive actions
 1656    are no longer allowed in a logging phase (phase 5) rule, including
 1657    inheriting from SecDefaultAction.
 1658 
 1659  * More efficient collection persistence.
 1660 
 1661  * Fixed t:escapeSeqDecode to better follow ANSI C escapes.
 1662 
 1663  * Added t:jsDecode to decode JavaScript escape sequences.
 1664 
 1665  * Added IS_NEW built-in collection variables.
 1666 
 1667  * New audit log part 'K' logs all matching rules.
 1668 
 1669  * Implemented SecRequestBodyNoFilesLimit.
 1670 
 1671  * Enhance handling of the case where we run out of disk space while
 1672    writing to audit log entry.
 1673 
 1674  * Added SecComponentSignature to allow other components the ability
 1675    to append to the logged signature.
 1676 
 1677  * Added skipAfter:<id> action to allow skipping all rules until a rule
 1678    with a specified ID is reached.  Rule execution then continues after
 1679    the specified rule.
 1680 
 1681  * Added SecMarker <id> directive to allow a fixed target for skipAfter.
 1682 
 1683  * Added ctl:ruleRemoveById action to allow rule removal on a match.
 1684 
 1685  * Added a @containsWord operator that will match a given string anywhere in
 1686    the target value, but only on word boundaries.
 1687 
 1688  * Added a MATCHED_VAR_NAME variable to store the last matched variable name
 1689    so that it can be more easily used by rules.
 1690 
 1691  * Added a MATCHED_VAR variable to store the last matched variable value
 1692    so that it can be more easily used by rules.
 1693 
 1694  * Fixed expansion of macros when using relative changes with setvar.  In
 1695    addition, added support for expanding macros in the variable name.
 1696 
 1697  * Situations where ModSecurity will intercept, generate an error or log
 1698    a level 1-3 message to the debug log are now marked as 'relevant' and may
 1699    generate an audit log entry.
 1700 
 1701  * Fixed deprecatevar:var=N/S action so that it decrements N every S seconds
 1702    as documented instead of decrementing by a rate.
 1703 
 1704  * Enable ModSecurity to look at partial response bodies. In previous
 1705    versions, ModSecurity would respond with status code 500 when the
 1706    response body was too long. Now, if SecResponseBodyLimitAction is
 1707    set to "ProcessPartial", it will process the part of the response
 1708    body received up until that point but send the rest without buffering.
 1709 
 1710  * ModSecurity will now process phases 3 and 4 even when request processing
 1711    is interrupted (either by Apache - e.g. by responding with 400, 401
 1712    or 403, or by ModSecurity itself).
 1713 
 1714  * Fixed the base64decode transformation function to not return extra
 1715    characters at the end.
 1716 
 1717  * Return from the output filter with an error in addition to setting
 1718    up the HTTP error status in the output data.
 1719 
 1720  * Used new Apache API calls to get the server version/banner when available.
 1721 
 1722  * Added "logdata" meta action to allow logging of raw transaction data.
 1723 
 1724  * Added TX_SEVERITY that keeps track of the highest severity
 1725    for any matched rules so far.
 1726 
 1727  * Added ARGS_GET, ARGS_POST, ARGS_GET_NAMES, ARGS_POST_NAMES variables to
 1728    allow separation of GET and POST arguments.
 1729 
 1730  * Added an Apache define (MODSEC_2.5) so that you can conditionally include
 1731    directives based on the ModSecurity major/minor versions with IfDefine.
 1732 
 1733  * Added MODSEC_BUILD variable that contains the numeric build value based
 1734    on the ModSecurity version.
 1735 
 1736  * Enhanced debug logging by displaying more data on rule execution.  All
 1737    invoked rules are now logged in the debug log at level 5.
 1738 
 1739  * Stricter validation for @validateUtf8Encoding.
 1740 
 1741  * No longer process Apache internal subrequests.
 1742 
 1743  * Fixed warnings on Solaris and/or 64bit builds.
 1744 
 1745  * Added @within string comparison operator with support for macro expansion.
 1746 
 1747  * Do not trigger "pause" action for internal requests.
 1748 
 1749  * Added matching rule filename and line number to audit log.
 1750 
 1751  * Added new phrase matching operators, @pm and @pmFromFile.  These use
 1752    an alternate set based matching engine (Aho-Corasick) to perform faster
 1753    phrase type matches such as black/white lists, spam keywords, etc.
 1754 
 1755  * Allow caching transformations per-request/phase so they are not repeated.
 1756 
 1757  * Added Solaris and Cygwin to the list of platforms not supporting the hidden
 1758    visibility attribute.
 1759 
 1760  * Fixed decoding full-width unicode in t:urlDecodeUni.
 1761 
 1762  * Add SecGeoLookupDB, @geoLookups and GEO collection to support
 1763    geographical lookups by IP/host.
 1764 
 1765  * Do not try to intercept a request after a failed rule.  This fixes the
 1766    issue associated with an "Internal Error: Asked to intercept request
 1767    but was_intercepted is zero" error message.
 1768 
 1769  * Removed extraneous exported symbols.
 1770 
 1771  * Merged the PDF XSS protection functionality into ModSecurity.
 1772 
 1773  * Exported API for registering custom variables.  Example in api directory.
 1774 
 1775  * Added experimental support for content injection. Directive
 1776    SecContentInjection (On|Off) controls whether injection is taking place.
 1777    Actions "prepend" and "append" inject content when executed. Do note that
 1778    it is your responsibility to make sure the response is of the appropriate
 1779    content type (e.g. HTML, plain text, etc).
 1780 
 1781  * Added string comparison operators with support for macro expansion:
 1782    @contains, @streq, @beginsWith and @endsWith.
 1783 
 1784  * Enhanced debug log output to log macro expansion, quote values and
 1785    correctly display values that contained NULs.
 1786 
 1787  * Removed support for %0 - %9 capture macros as they were incorrectly
 1788    expanding url encoded values.  Use %{TX.0} - %{TX.9} instead.
 1789 
 1790  * Added t:length to transform a value to its character length.
 1791 
 1792  * Added t:trimLeft, t:trimRight, t:trim to remove whitespace
 1793    from a value on the left, right or both.
 1794 
 1795  * Added SecAuditLog2 directive to allow redundant concurrent audit log
 1796    index files.  This will allow sending audit data to two consoles, etc.
 1797 
 1798  * Removed CGI style HTTP_* variables in favor of REQUEST_HEADERS:Header-Name.
 1799 
 1800  * Store filename/line for each rule and display it and the ID (if available)
 1801    in the debug log when invoking a rule.  Thanks to Christian Bockermann
 1802    for the idea.
 1803 
 1804  * Do not log 'allow' action as intercepted in the debug log.
 1805 
 1806  * Fixed some collection variable names not printing with the parameter
 1807    and/or counting operator in the debug log.
 1808 
 1809 
 1810 19 Feb 2008 - 2.1.6
 1811 -------------------
 1812 
 1813  * Fixed crash on startup when ENV is improperly used without a parameter.
 1814 
 1815  * Allow macro resolution in setenv action.
 1816 
 1817  * Implemented SecUploadFileMode to allow setting the mode for uploaded files.
 1818 
 1819  * No longer log the query portion of the URI in the error log as
 1820    it may contain sensitive data.
 1821 
 1822 
 1823 10 Jan 2008 - 2.1.5
 1824 -------------------
 1825 
 1826  * Updated included Core Ruleset to version 1.5.1.
 1827 
 1828  * Phase 5 rules can now be removed via SecRuleRemoveBy* directives.
 1829 
 1830  * Fixed issue where only the first phase 5 rule would run when the
 1831    request was intercepted in an earlier phase.
 1832 
 1833  * Fixed configuration parsing so that disruptive actions, meta actions
 1834    and phases are not allowed in a chained rule (as originally intended).
 1835 
 1836  * Fixed t:escapeSeqDecode to better follow ANSI C escapes.
 1837 
 1838 
 1839 27 Nov 2007 - 2.1.4
 1840 -------------------
 1841 
 1842  * Updated included Core Ruleset to version 1.5 and noted in the docs that
 1843    XML support is required to use the rules without modification.
 1844 
 1845  * Fixed an evasion FP, mistaking a multipart non-boundary for a boundary.
 1846 
 1847  * Fixed multiple warnings on Solaris and/or 64bit builds.
 1848 
 1849  * Do not process subrequests in phase 2-4, but do hand off the request data.
 1850 
 1851  * Fixed a blocking FP in the multipart parser, which affected Safari.
 1852 
 1853 
 1854 11 Sep 2007 - 2.1.3
 1855 -------------------
 1856 
 1857  * Updated multipart parsing code adding variables to allow checking
 1858    for various parsing issues (request body abnormalities).
 1859 
 1860  * Allow mod_rpaf and mod_extract_forwarded2 to work before ModSecurity.
 1861 
 1862  * Quiet some compiler warnings.
 1863 
 1864  * Do not block internal ErrorDocument requests after blocking request.
 1865 
 1866  * Added ability to compile without an external API (use -DNO_MODSEC_API).
 1867 
 1868 
 1869 27 Jul 2007 - 2.1.2
 1870 -------------------
 1871 
 1872  * Cleaned up and clarified some documentation.
 1873 
 1874  * Update included core rules to latest version (1.4.3).
 1875 
 1876  * Enhanced ability to alert/audit failed requests.
 1877 
 1878  * Do not trigger "pause" action for internal requests.
 1879 
 1880  * Fixed issue with requests that use internal requests.  These had the
 1881    potential to be intercepted incorrectly when other Apache httpd modules
 1882    that used internal requests were used with mod_security.
 1883 
 1884  * Added Solaris and Cygwin to the list of platforms not supporting the hidden
 1885    visibility attribute.
 1886 
 1887  * Fixed decoding full-width unicode in t:urlDecodeUni.
 1888 
 1889  * Lessen some overhead of debugging messages and calculations.
 1890 
 1891  * Do not try to intercept a request after a failed rule.  This fixes the
 1892    issue associated with an "Internal Error: Asked to intercept request
 1893    but was_intercepted is zero" error message.
 1894 
 1895  * Added SecAuditLog2 directive to allow redundant concurrent audit log
 1896    index files.  This will allow sending audit data to two consoles, etc.
 1897 
 1898  * Small performance improvement in memory management for rule execution.
 1899 
 1900 
 1901 11 Apr 2007 - 2.1.1
 1902 -------------------
 1903 
 1904  * Add the PCRE_DOLLAR_ENDONLY option when compiling regular expression
 1905    for the @rx operator and variables.
 1906  
 1907  * Really set PCRE_DOTALL option when compiling the regular expression
 1908    for the @rx operator as the docs state.
 1909  
 1910  * Fixed potential memory corruption when expanding macros.
 1911 
 1912  * Fixed error when a collection was retrieved from storage in the same second
 1913    as creation by setting the rate to zero.
 1914 
 1915  * Fixed ASCIIZ (NUL) parsing for application/x-www-form-urlencoded forms.
 1916 
 1917  * Fixed the faulty REQUEST_FILENAME variable, which used to change
 1918    the internal Apache structures by mistake.
 1919 
 1920  * Updates to quiet some compiler warnings.
 1921 
 1922  * Fixed some casting issues for compiling on NetWare (patch from Guenter Knauf).
 1923 
 1924 
 1925 23 Feb 2007 - 2.1.0
 1926 -------------------
 1927 
 1928  * Removed the "Connection reset by peer" message, which has nothing
 1929    to do with us. Actually the message was downgraded from ERROR to
 1930    NOTICE so it will still appear in the debug log.
 1931 
 1932  * Removed the (harmless) message mentioning LAST_UPDATE_TIME missing.
 1933 
 1934  * It was not possible to remove a rule placed in phase 4 using
 1935    SecRuleRemoveById or SecRuleRemoveByMsg. Fixed.
 1936 
 1937  * Fixed a problem with incorrectly setting requestBodyProcessor using
 1938    the ctl action.
 1939 
 1940  * Bundled Core Rules 2.1-1.3.2b4.
 1941 
 1942  * Updates to the reference manual.
 1943 
 1944  * Reversed the return values of @validateDTD and @validateSchema, to
 1945    make them consistent with other operators.
 1946 
 1947  * Added a few helpful debug messages in the XML validation area.
 1948 
 1949  * Updates to the reference manual.
 1950 
 1951  * Fixed the validateByteRange operator.
 1952 
 1953  * Default value for the status action is now 403 (as it was supposed to
 1954    be but it was effectively 500).
 1955 
 1956  * Rule exceptions (removing using an ID range or a regular expression)
 1957    are now applied to the current context too. (Previously it only worked
 1958    on rules that are inherited from the parent context.)
 1959 
 1960  * Fix of a bug with expired variables.
 1961 
 1962  * Fixed regular expression variable selectors for many collections.
 1963 
 1964  * Performance improvements - up to two times for real-life work loads!
 1965 
 1966  * Memory consumption improvements (not measured but significant).
 1967 
 1968  * The allow action did not work in phases 3 and 4. Fixed.
 1969 
 1970  * Unlocked collections GLOBAL and RESOURCE.
 1971 
 1972  * Added support for variable expansion in the msg action.
 1973 
 1974  * New feature: It is now possible to make relative changes to the
 1975    audit log parts with the ctl action. For example: "ctl:auditLogParts=+E".
 1976 
 1977  * New feature: "tag" action. To be used for event categorisation.
 1978 
 1979  * XML parser was not reporting errors that occurred at the end
 1980    of XML payload.
 1981 
 1982  * Files were not extracted from request if SecUploadKeepFiles was
 1983    Off. Fixed.
 1984 
 1985  * Regular expressions that are too long are truncated to 256
 1986    characters before used in error messages. (In order to keep
 1987    the error messages in the log at a reasonable size.)
 1988 
 1989  * Fixed the sha1 transformation function.
 1990 
 1991  * Fixed the skip action.
 1992 
 1993  * Fixed REQUEST_PROTOCOL, REMOTE_USER, and AUTH_TYPE.
 1994 
 1995  * SecRuleEngine did not work in child configuration contexts
 1996    (e.g. <Location>).
 1997 
 1998  * Fixed base64Decode and base64Encode.
 1999 
 2000 
 2001 15 Nov 2006 - 2.0.4
 2002 -------------------
 2003 
 2004  * Fixed the "deprecatevar" action.
 2005 
 2006  * Decreasing variable values did not work.
 2007 
 2008  * Made "nolog" do what it is supposed to do - cause a rule match to
 2009    not be logged. Also "nolog" now implies "noauditlog" but it's
 2010    possible to follow "nolog" with "auditlog" and have the match
 2011    not logged to the error log but logged to the auditlog. (Not
 2012    something that strikes me as useful but it's possible.)
 2013 
 2014  * Relative paths given to SecDataDir will now be treated as relative
 2015    to the Apache server root.
 2016 
 2017  * Added checks to make sure only correct actions are specified in
 2018    SecDefaultAction (some actions are required, some don't make any
 2019    sense) and in rules that are not chain starters (same). This should
 2020    make the unhelpful "Internal Error: Failed to add rule to the ruleset"
 2021    message go away.
 2022 
 2023  * Fixed the problem when "SecRuleInheritance Off" is used in a context
 2024    with no rules defined.
 2025 
 2026  * Fixed a problem of lost input (request body) data on some redirections,
 2027    for example when mod_rewrite is used.
 2028 
 2029 
 2030 26 Oct 2006 - 2.0.3
 2031 -------------------
 2032 
 2033  * Fixed a memory leak (all platforms) and a concurrency control
 2034    problem that could cause a crash (multithreaded platforms only).
 2035 
 2036  * Fixed a SecAuditLogRelevantStatus problem, which would not work
 2037    properly unless the regular expression contained a subexpression.
 2038 
 2039 
 2040 19 Oct 2006 - 2.0.2
 2041 -------------------
 2042 
 2043  * Fixed incorrect permissions on the global mutex, which prevented
 2044    the mutex from working properly.
 2045 
 2046  * Fixed incorrect actionset merging where the status was copied from
 2047    the child actionset even though it was not defined.
 2048 
 2049  * Fixed missing metadata information (in the logs) for warnings.
 2050 
 2051 
 2052 16 Oct 2006 - 2.0.1
 2053 -------------------
 2054 
 2055  * Rules that used operator negation did not work. Fixed.
 2056 
 2057  * Fixed bug that prevented invalid regular expressions from being reported.
 2058 
 2059 
 2060 16 Oct 2006 - 2.0.0
 2061 -------------------
 2062 
 2063  * First stable 2.x release.
 2064