Varnish WAF

ChangeLog

Version 1.2.2 (2026-05-13)

  • Update the vendored ModSecurity library to 3.0.15. This addresses CVE-2026-42268 (integer underflow in the verify* operators), along with a number of other upstream stability fixes.
  • Drop the local HexDecode patch shipped in 1.2.1 in favor of the equivalent upstream fix for CVE-2026-30923 in ModSecurity 3.0.15.
  • Add packaging for Ubuntu 26.04 (Resolute Raccoon).

Version 1.2.1 (2026-03-23)

  • Fix a buffer overflow in the HexDecode transformation, discovered independently and later assigned CVE-2026-30923 upstream.
  • Add packaging for Debian 13 (Trixie).

Version 1.2.0 (2026-03-19)

  • Allow the init object to be NULL: methods now fail gracefully with VRT_fail instead of asserting when called on a NULL object.

Version 6.0.12r6 (2024-01-31)

  • Update the vendored ModSecurity library to address vulnerability CVE-2024-1019.

Version 6.0.9r7 (2022-05-20)

  • Add a function to skip rules by ID or tag.

Version 6.0.8r4 (2021-08-26)

  • Update the OWASP CRS install helper script to install a newer version of OWASP CRS by default (CVE-2021-35368). This script is for convenience. The user is responsible for managing the rule set.

Version 6.0.8r2 (2021-06-02)

  • Fix a crash caused by calling .check_req() with a NULL string.

Version 6.0.6r1 (2019-02-19)

Version 6.0.5r1 (2019-10-21)

  • Initial Release.

®Varnish Software, Wallingatan 12, 111 60 Stockholm, Organization nr. 556805-6203