Why are we still using an old version of modsecurity for WAF?

It is almost the end of 2018 and we are still using an old version of mod security?

 

The version in 9.6 is

ModSecurity for Apache/2.9.1 

 

There is mod security version 2.9.2 and even 3.0 out now.

 

2.9.1 release date: 10/March/2016

2.9.2 release date: 19/July/2017

3.0.0 release date: 15/Dec/2017

3.0.1 release date: 2/April/2018

3.0.2 release date: 4/April/2018

 

At the very least why wouldn't we be using version 2.9.2?? One would hope we would be using version 3 as it contains newer rules and reduces a lot of false positives.

  • Hardening and integrating a newer version of any component isn't easy, so it's likely that the developers will continue to patch the version they know.  Have you suggested version 3 in Ideas or added a comment and a vote on a similar suggestion there?  Please come back here and link to that.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA