8000 Monthly Chat Agenda January 2024 (2024-01-08 and 2024-01-22) · Issue #3466 · coreruleset/coreruleset · GitHub
Monthly Chat Agenda January 2024 (2024-01-08 and 2024-01-22) #3466

Closed
dune73 opened this issue Jan 8, 2024 · 2 comments
Comments

@dune73
Member
dune73 commented Jan 8, 2024

This is the Agenda for the two Monthly CRS Chats.

The general chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, 2024-02-05, at 20:30 CET. That's the 1st Monday of the month. A separate issue chat is happening at the same location, same time on Monday, 2023-02-19. That's the 3rd Monday of the month. Please note that we have a CRS calendar (maintained by @fzipi).

Archived previous meetings and their decisions are here.

What happened in the meantime since the chat last month

Outside development

  • Trustwave is now actively seeking to hand over ModSecurity to an open source community. Trustwave is handing over ModSecurity to OWASP. See announcement.

Inside development

Rules

  • Slowly working towards CRS v4.

CRS Sandbox

  • No news here.

Security

  • There is an upcoming ModSecurity release announced later this month.

Plugins

  • Development continues

Documentation and Public Relations

  • no news

Project Administration and Sponsor relationships

  • CRS has closed the financial accounts for 2023 with a small plus.
  • CRS GOLD sponsor F5 / NGINX stops its commitment and will not sponsor CRS in 2024.

Tools

  • Changelog automation is in effect

Testing incl. Seaweed and many future plans

  • No news here.

Containers

  • New version will be out today, notable changes:
    • Lua support
    • Nginx version updated to 1.25
  • There is a proposal to merge a new version with OpenResty support

CRS Status Page

  • No further development since the last meeting.

Project discussions and decisions

Rules development, key project numbers

PRs that have been merged since the last meeting

We merged 30 PRs since the last monthly project chat.

Open PRs

Open PRs marked DRAFT or work in progress or needs action

Separate 2nd Meeting (Monday, 2024-01-22)

How to get to our slack and join the meeting?

If you are not yet on the OWASP Slack, here is your invite: https://owasp.org/slack/invite .

Everybody is welcome to join our community chat.

@dune73 dune73 changed the title Monthly Chat Agenda December 2024 (2024-01-08 and 2024-01-22) Monthly Chat Agenda January 2024 (2024-01-08 and 2024-01-22) Jan 8, 2024
@franbuehler
Contributor
franbuehler commented Jan 8, 2024

Decisions January 8

multi-byte character handling:

🔵 Decisions:

  • Options:
    • use t:utf8toUnicode -> no! It doesn't scale (e.g., more than 3 bytes). It would be supported by all engines that support the transformation
    • use PCRE specific escapes -> no! PCRE specific, not Hyperscan and RE2 compatible
    • use PCRE Unicode support -> no! PCRE specific, not Hyperscan and RE2 compatible
  • For option 1:
    • theseion will add some numbers on required changes and performance in the issue
    • We'll maintain excellent documentation of what is happening in these regexes
    • Solution can be implemented after v4

v4 and 15 open issues (plus 2-3 bypasses in the private security tracker)

🔵 Decisions:

  • We don't assign the issues, but we want to have a commitment from the whole team
  • We won't release a RC3

@franbuehler
Contributor
franbuehler commented Jan 22, 2024

Decisions January 22

Status of ModSec3 release

🔵 no answer from TW yet

920220 PL1 - encoding

🔵 Decision: @theseion opened a PR to move the rule to PL2 (#3506) and we'll revisit dropping the rule after v4

Only 5 v4 rule issues

🔵 Decisions:

Security tracker issues:

🔵 Decisions:

  • JX9 -> @theseion will test Jit's 6 payloads again vs v4 and the individual status
  • KK4 -> @theMiddleBlue's proposal is great. But we don't think we need this in v4.
  • 9KH -> ?
  • R4A -> ?
  • -> we need to get an overview of the remaining bypasses in the security tracker

Preparing a release plan

🔵 Decision: Feb 14th
