Modsecurity has a vulnerability in the rule engine that could allow certain attacks to bypass some rules. This is not a rule flaw, its a flaw in the engine itself.

We've put out an update to the rules to catch and stop these evasion attempts so even if you are running a vulnerable version of the engine you are still safe. Yes, a virtual patch for the engine itself without patching the engine.

We'll also put out an update for modsecurity (defense in depth), but these rules stop the evasions cold.

You can force an update right now by running this command as root:

asl -u

Or, if your system is configured to update automatically then you can wait for your next update.