
21/10/2003 1.7.1
----------------

  * Fixed a mutex leak in Apache 2.x version of the module

  * Fixed a bug in the output scanning code of the Apache 2.x
    version of the module

  * Fixed a bug where SecAuditLog wouldn't work when set
    to "On"

18/10/2003 1.7
--------------

  * Fixed mod_security not to attempt to do any work if
    the context is not initialised properly.


24/9/2003 1.7RC1
----------------

  * Added output filtering to Apache 2.x

  * Removed the two-stage filtering process that used to take
    place in Apache 2.x (if you know what I'm talking about fine,
    if not ignore this)

  * Added the ability to filter cookies (names, values, etc.) directly

  * Added SecServerSignature to mask the web server

  * Added new action, allow, to finish filter processing and let the
    request through

  * Added new action, chain, to chain several filters together (logical
    AND)

  * Added new action, skipnext, to skip over filters

  * New anti-evasion technique to fight null-byte attacks

  * Netware support (with help from Guenter Knauf)


17/8/2003 1.6
-------------

 * Windows compatibility. As this is the first Windows
   release the code should be considered of beta quality.

 * Unicode encoding validation

 * New action, pause, enables you to slow down, or completely
   confuse web vulnerability scanners

 * Switch that optimises request filtering, allowing you
   to only implement scanning on relevant resources

 * Internal chroot feature added to Apache 2

 * Fixed a POST variables parsing bug


10/7/2003 1.5.1
---------------

 * POST payload processing code for Apache 2 version
   completely rewritten.

 * Changed the SecAuditEngine parameter to take the
   following options: On, Off, DynamicOrRelevant,
   RelevantOnly. This new feature allows you to log only
   what you really need.

 * New internal chroot option available in the Apache 1
   version.

 * Fixed a problem where "+" was not decoded properly.

 * Fixed a problem where you could not use PHP CLI
   scripts in combination with the "exec" action.

 * Fixed a problem where zombie processes would remain
   after external binaries were executed using the
   "exec" action.

 * Fixed other bugs, two of which are security issues.


26/5/2003 1.5
-------------

 * Apache 2.x compatibility

 * Added SecFilterInheritance

 * Added SecFilterByteRange

 * Added SecFilterCheckURLEncoding 

 * A few bug fixes

 * New web site @ www.modsecurity.org

 * Comprehensive manual


08/2/2003 1.4.2
---------------

 * Got rid of the Apache patch, the module now works
   without it!


30/1/2003 1.4.1
---------------

 * The default method of locking is now FCNTL. It
   appears that FLOCK does not work well on Solaris.
   FCNTL seems to work fine on both platforms.

 * Fixed the bug with improper calling of the
   ap_pstrcat function, which could result in
   segfaults on some platforms (Solaris)


24/1/2003 1.4
-------------

 * Several bug fixes

 * Execute an external script on pattern match

 * Perform custom redirect on pattern match

 * Added a separate debug file with configurable
   log levels

 * Cleaned up the source code, added comments and
   removed TAB characters

 * Fixed the audit logger to log complete requests

 * mod_security now creates custom headers when
   a pattern match occurs, access is denied or
   an action is taken (external script execution)

 * Introduced the ability to test for a match against
   variable names only

 * Introduced the ability to test for a match against
   variable values only

 * Added the test script in Perl for automated testing,
   plus tests for most (all) features

 * Enhanced event logging, messages are now much
   more descriptive and helpful

 * mod_security can now appear as a token in the
   server signature ("Off" by default)


09/12/2002 1.3b
---------------

Introduced selective filtering (SecFilterSelective) where you
can choose which part of the request to observe. Fixed a couple
of bugs. Added inverted filters (when the regular expression
begins with an exclamation mark) where the regular expression
must be satisfied to proceed.


22/11/2002 1.2b
---------------

Changed the approach from using mod_proxy to patching the
core server. The software is usable now. Performed some tests
and it all looks fine.


21/11/2002 1.1b
---------------

Fixed the audit part of the module to log relevant request
information, and to ignore requests to which responses are
not dynamic.
