blog: publish v4.28.0, v4.25.1 LTS, and v3.3.10 release post #523

Merged
fzipi merged 8 commits into main from blog/releases-2026-07-01
Jul 3, 2026

@fzipi fzipi commented Jul 2, 2026

Member

Publishes the coordinated release blog post for today's three releases.

Covers:

  • Two HIGH security fixes: GHSA-6jp8-c2w2-x7wr (XML attribute bypass) and GHSA-f5qm-3h4p-8qhg (Unix RCE ReDoS)
  • v4.28.0 new features and changes
  • v4.25.1 LTS backports
  • v3.3.10 security-only release notes
  • Engine version requirements and known limitations (ModSec v2 opt-out, libmodsecurity3 v3.0.16)

Summary by CodeRabbit

  • Security Fixes
    • Announced releases v4.28.0, v4.25.1 LTS, and v3.3.10 LTS with fixes for two high-severity issues, including an XML attribute value bypass (with an LTS runtime gate enabled by default) and a Unix RCE ReDoS that could impair detection and increase CPU usage.
  • Documentation
    • Added release notes with upgrade guidance, mitigation steps for delayed patching, and compatibility details for applying LTS security gate changes.

fzipi and others added 4 commits July 2, 2026 22:11
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

coderabbitai Bot commented Jul 2, 2026

Contributor

Walkthrough

Adds a new CRS release announcement covering v4.28.0, v4.25.1 LTS, and v3.3.10, with summaries of two shared security fixes, release-specific notes, and upgrade guidance.

Changes

Blog post content

| Layer | File(s) | Summary |
| --- | --- | --- |
| Front-matter and introduction | content/blog/2026-07-01-crs-versions-4-28-0-4-25-1-lts-3-3-10-released.md | Adds front-matter, the release announcement intro, and the shared security-fixes section. |
| Vulnerability documentation | content/blog/2026-07-01-crs-versions-4-28-0-4-25-1-lts-3-3-10-released.md | Documents the XML attribute bypass and Unix RCE ReDoS, including scope, affected rules, gates, engine behavior, and mitigations. |
| Per-version release notes | content/blog/2026-07-01-crs-versions-4-28-0-4-25-1-lts-3-3-10-released.md | Lists the v4.28.0 changes, v4.25.1 LTS backports, and v3.3.10 security-only notes. |
| Upgrading guidance | content/blog/2026-07-01-crs-versions-4-28-0-4-25-1-lts-3-3-10-released.md | Adds upgrade instructions, engine version requirements, and the closing contact section. |

Estimated code review effort: 1 (Trivial) | ~5 minutes

Suggested reviewers: theseion, franbuehler

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and concisely describes publishing the coordinated release blog post for v4.28.0, v4.25.1 LTS, and v3.3.10. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

cloudflare-workers-and-pages Bot commented Jul 2, 2026


Deploying website with Cloudflare Pages

Latest commit: 3c985da
Status: ✅  Deploy successful!
Preview URL: https://bcf8e63e.website-1u6.pages.dev
Branch Preview URL: https://blog-releases-2026-07-01.website-1u6.pages.dev

@coderabbitai coderabbitai Bot left a comment

Contributor

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@content/blog/2026-07-01-crs-versions-4-28-0-4-25-1-lts-3-3-10-released.md`:
- Around line 1-12: The blog post front matter date is out of sync with the
release announcement, so update the published date in the post metadata to the
actual coordinated release day. Adjust the `date` field in this markdown file so
the value matches the July 2 release referenced by the body text, ensuring the
`.Date`-based render and syndication use the correct day.

📥 Commits

Reviewing files that changed from the base of the PR and between 609d046 and 34ba0b1.

📒 Files selected for processing (1)
  • content/blog/2026-07-01-crs-versions-4-28-0-4-25-1-lts-3-3-10-released.md

Comment thread content/blog/2026-07-01-crs-versions-4-28-0-4-25-1-lts-3-3-10-released.md Outdated
fzipi and others added 3 commits July 2, 2026 22:20
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

@EsadCetiner EsadCetiner left a comment

Member

LGTM

Comment thread content/blog/2026-07-01-crs-versions-4-28-0-4-25-1-lts-3-3-10-released.md Outdated

@dune73 dune73 left a comment

Member

This looks good. Thanks.

Feel free to implement proposals - or leave it as is.

Comment thread content/blog/2026-07-01-crs-versions-4-28-0-4-25-1-lts-3-3-10-released.md Outdated
Co-authored-by: Felipe Zipitría <3012076+fzipi@users.noreply.github.com>

@coderabbitai coderabbitai Bot left a comment

Contributor

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@content/blog/2026-07-01-crs-versions-4-28-0-4-25-1-lts-3-3-10-released.md`:
- Around line 165-167: The release note text in this section uses inconsistent
gate terminology for the CRS XML inspection behavior. Update the wording in the
affected paragraph to match the surrounding release notes by referring to the
feature as an opt-out gate or runtime gate instead of an opt-in gate, keeping
the references to the v4.25.1 and v3.3.10 branches and the libmodsecurity3
requirement intact.

📥 Commits

Reviewing files that changed from the base of the PR and between 34ba0b1 and 3c985da.

📒 Files selected for processing (1)
  • content/blog/2026-07-01-crs-versions-4-28-0-4-25-1-lts-3-3-10-released.md

@fzipi fzipi merged commit 6577b67 into main Jul 3, 2026
3 checks passed
@fzipi fzipi deleted the blog/releases-2026-07-01 branch July 3, 2026 08:40