Hello Steve, vendors, as brought to me by Athmane, ModSecurity upstream has release v2.7.4 version: [1] http://sourceforge.net/mailarchive/message.php?msg_id=30900019 correcting one security NULL pointer dereference flaw (CVE-2013-2765) - from [2]: * Fixed Remote Null Pointer DeReference (CVE-2013-2765). When forceRequestBodyVariable action is triggered and a unknown Content-Type is used, mod_security will crash trying to manipulate msr->msc_reqbody_chunks->elts however msr->msc_reqbody_chunks is NULL. (Thanks Younes JAAIDI). References: [2] https://raw.github.com/SpiderLabs/ModSecurity/master/CHANGES [3] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2765 Relevant upstream patch (seems to be the following): [4] https://github.com/SpiderLabs/ModSecurity/commit/0840b13612a0b7ef1ce7441cf811dcfc6b463fba apache2/msc_reqbody.c @@ -170,6 +170,7 @@ static apr_status_t modsecurity_request_body_store_memory(modsec_rec *msr, /* Would storing this chunk mean going over the limit? */ if ((msr->msc_reqbody_spilltodisk) + && (msr->txcfg->reqbody_buffering != REQUEST_BODY_FORCEBUF_ON) && (msr->msc_reqbody_length + length > (apr_size_t)msr->txcfg->reqbody_inmemory_limit)) { msc_data_chunk **chunks; Thank you && Regards, Jan.