Monthly Chat Agenda April (2020-04-06)

[dune73]

This is the Agenda for the Monthly CRS Chat.

The chat is going to happen on https://owasp.slack.com in the channel #coreruleset on Monday, April 6, at 20:30 CET.

Items on the Agenda:

Previous Meetings decisions: here

PRs

• 1707 New ldap injection rule 921200 (fixes issue #276)

• 1708 Perf issue with regexes that start with repeating digits

• 1710 Add word boundaries around values in SQL tautologies (942130)

• 1717 Remove MIME Attribute from application/soap+xml Rule 900220

• 1721 Add Content-Type: multipart/related as allowed default

• 1732 Make severities and scores consistent

• 1734 Fix content type whitelist

PRs on hold

• 1602 932200: PL1 RCE bypass uninitialized variable (DRAFT) (Has been in need of action for a long time)

• 1616 Revert #578 (Needs action)

• 1663 RE2 compatibility for 920120 (no feedback from CDN unfortunately)

• 1667 Remove /util/docker folder from v3.3/dev branch (now in dedicated repo) (In progress)

• 1674 Extend sql having in rule 942230 (no feedback from CDN unfortunately)

• 1690 Update REQUEST-920-PROTOCOL-ENFORCEMENT.conf (Needs action)

Other items

• GitHub migration scheduled for March 18 had to be cancelled / postponed. TW and CRS do not agree on the procedure. Migration team: @dune73, @lifeforms and @fzipi.
• HAProxy Layered Security Guide recomments CRS: https://www.haproxy.com/content-library/the-haproxy-guide-to-multi-layer-security/
• Release schedule for 3.3

Feel free to add items as you see fit either above, or below as comments.

Open Issues

In January 2020, we decided to look into 10 issues at the chat every month. But only after the Other items. Pick the issues before the meeting and list them below.

Issue slot 1:
Issue slot 2:
Issue slot 3:
Issue slot 4:
Issue slot 5:
Issue slot 6:
Issue slot 7:
Issue slot 8:
Issue slot 9:
Issue slot 10:

If you are not yet on the OWASP Slack, here is your invite: https://join.slack.com/t/owasp/shared_invite/enQtNjExMTc3MTg0MzU4LWQ2Nzg3NGJiZGQ2MjRmNzkzN2Q4YzU1MWYyZTdjYjA2ZTA5M2RkNzE2ZjdkNzI5ZThhOWY5MjljYWZmYmY4ZjM . Everybody is welcome to join our community chat.

[franbuehler]

Decisions

PRs

• 1707 - @lifeforms did not have the time. This issue remains open.

• 1708 - no relevant progress here

• 1710 - @franbuehler will review this PR

• 1717 - @franbuehler did not have the time. This issue remains open.

• 1721 - merged

• 1732 - merged

• 1734 - @franbuehler and @lifeforms will test this rule in production.

PRs on hold

• 1602 - we will ask @theMiddleBlue what the matter with his PR is

• 1663 - on hold with @dune73

• 1674 - on hold with @dune73

• 1667 - on hold on request of @fzipi

Other Items

• Travis doesn't run on new PRs. @theMiddleBlue will troubleshoot this.
• GitHub migration scheduled for March 18 had to be cancelled / postponed. TW and CRS do not agree on the procedure. Migration team: @dune73, @lifeforms and @fzipi: "We think we are almost there with the migration script."
• HAProxy Layered Security Guide recommends CRS: https://www.haproxy.com/content-library/the-haproxy-guide-to-multi-layer-security/
• Release schedule for 3.3: @lifeforms was thinking of RCs around 23 May, 6 June, then release 16 June for instance. @dune73: "So let's see one month from now, confirm your schedule or we re-schedule. I think June makes a lot of sense in the long run. Close to a 9 month schedule, also if we do 3.4 for Dublin next winter." So we will see.

Issues

It was already late. We did not talk about new issues.