Apache ModSecurity firewall can be disabled
The ModSecurity web application firewall for the Apache web server can be disabled by doctored HTTP queries. The new version (2.5.9), which is now available to download, has eliminated a problem that can crash the firewall while it's processing multi-part HTTP packets. If ModSecurity crashes, the Apache server process will also crash and may cease to respond to HTTP queries for some time.
ModSecurity version 2.5.8 had been issued just a few hours previously in order to fix a potential DoS vulnerability when PDF documents were requested. However, the problem only occurs if the PDF XSS module is enabled (by default it's disabled). Apache administrators who use ModSecurity are advised to update to version 2.5.9 as soon as possible.
- File release notes and changelog for 2.5.9, details from ModSecurity.
- File release notes and changelog for 2.5.8, details from ModSecurity.