* tag '0.8.11':
DOC: finalise 0.8.11 release
BF/ENH: DoS resistant roundcube-auth with test cases and more variation in IMAP error given
BF: exim filter to be DoS resistant
ENH: DoS resistant dropbear filter
BF/ENH: asterisk connection ID is a hex not decimal number. Add "Rejecting unknown SIP connection from <HOST>" regex thanks to Jonathan Lanning
ENH: apache-2.4 message IDs for filter apache-noscript
TST: change source URL
ENH: apache-overflow filter to have HTTP-2.4 message IDs and test samples
ENH: apache-overflows - more detail on "request failed: URI too long (longer than %d)" with test case
TST: end of json in sshd sample log
TST: fix space in sshd sample log
TST: test case that shows injection
DOC: more on filter regexes - DEVELOP
DOC: filter regex debugging
BF: anchor introduced nginx-http-auth at the end
* commit '0.8.11.pre1-29-gccd2657': (363 commits)
DOC: minor typos in ChangeLog
DOC: adding DEV Notes for non-greedy matching within sshd.conf
BF: disallow exploiting of non-greedy .* in previous fix by providing too long rhost -- do not impose length limits for user-provided input
BF: fixing injection for OpenSSH 6.3 -- making .* before <HOST> non-greedy
Changelog for prior changes (gen_buildbots)
ENH: condense asterisk regexs for speed
BF: missed action in nginx-http-auth
ENH: add filter.d/nginx-http-auth. Partially fulfills #405
ENH: regenerated config/filter.d/apache-badbots.conf
NF: gen_badbots script to (re)generate/update config/filter.d/apache-badbots.conf
DOC: keeping Changelog release-phrases uniform, simplified intro, unified
DOC: Untabifying and reindenting a bit ChangeLog
DOC: few more links for DEVELOP
BF: fix dovecot filter for newer failure message. Closes Debian bug #709324
BF: fix to filter.d/wuftp to support pam authentication - Debian bug #665925
Add Fedora git repo of fail2ban package to DEVELOP
firewalld-0.3.8 release that supports --remove-rules is out, so documenting this.
BF: remove duplication definition section in webmin-auth
DOC: alter release notes a bit more and versions in README.md
BF/DOC: fix hopefully final MANIFEST and release instructions
...
needed since request probably could be not a correct HTTP statement but continue with
all those to match till the end and then injected ", client: VICTIM, server..." thus allowing
injection. We better anchor at the end then
since daemon might eventually change reported length and we would need to adjust anyways. So limiting
in length does not provide additional security but allows for a possible injection vector
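
The anchoring argument in the commit notes above, as an added example that is not fail2ban's own code: a filter with a greedy `.*` ahead of the host group and no end anchor takes its host from the last `client:` field on the line, which the request text can supply, while a pattern constrained field by field and anchored at the end does not. Both regexes and both log lines are constructed and simplified (assumptions, not the shipped failregex); the addresses are documentation ranges.

```python
import re

# Constructed, simplified patterns for illustration; NOT fail2ban's shipped failregex.
# WEAK: greedy ".*" before the host group and nothing pinning the end of the line.
WEAK = re.compile(
    r'user ".*" was not found in ".*", '
    r'client: (?P<host>\d+\.\d+\.\d+\.\d+), server: \S+, request: "'
)

# HARDENED: every field is constrained and the pattern is anchored at both ends,
# so the request must be a well-formed HTTP statement followed by the final host field.
HARDENED = re.compile(
    r'^\S+ \S+ \[error\] \d+#\d+: \*\d+ user "[^"]*" was not found in "[^"]*", '
    r'client: (?P<host>\d+\.\d+\.\d+\.\d+), server: \S+, '
    r'request: "\S+ \S+ HTTP/\d+\.\d+", host: "\S+"$'
)

# Constructed sample lines in the nginx error-log layout.
PREFIX = ('2013/11/01 12:00:00 [error] 2865#0: *66647 user "xyz" was not found in '
          '"/etc/nginx/htpasswd", client: 192.0.2.10, server: www.example.org, ')
SUFFIX = ', host: "www.example.org"'

# Ordinary failed login from 192.0.2.10.
NORMAL = PREFIX + 'request: "GET / HTTP/1.1"' + SUFFIX

# Same real client, but the request text carries a second client/server/request run.
CRAFTED = (PREFIX + 'request: "GET /", client: 198.51.100.7, server: x, '
           'request: "GET / HTTP/1.1"' + SUFFIX)


def reported_host(pattern, line):
    """Return the address the filter would act on, or None if the line is ignored."""
    m = pattern.search(line)
    return m.group("host") if m else None


if __name__ == "__main__":
    for name, line in (("normal", NORMAL), ("crafted", CRAFTED)):
        print(name, "weak:", reported_host(WEAK, line),
              "hardened:", reported_host(HARDENED, line))
```

On the crafted line the weak pattern reports the address embedded in the request rather than the connecting client, and the hardened pattern matches nothing, so no address is acted on.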