[1/2] suricata: Update to 5.0.8

Message ID 20211120124732.30431-1-matthias.fischer@ipfire.org
State Accepted
Commit 58d399710b5cf73f15e5ea6b7cd34717cc5f0a45
Headers show
Series [1/2] suricata: Update to 5.0.8 | expand

Commit Message

Matthias Fischer Nov. 20, 2021, 12:47 p.m. UTC
For details see:
https://forum.suricata.io/t/suricata-6-0-4-and-5-0-8-released/1942

"Various security, performance, accuracy and stability issues have been fixed,
including two TCP evasion issues. CVE 2021-37592 was assigned."

Changelog:

"5.0.8 -- 2021-11-16

Security #4635: tcp: crafted injected packets cause desync after 3whs
Security #4727: Bypass of Payload Detection on TCP RST with options of MD5header
Bug #4345: Failed assert in TCPProtoDetectCheckBailConditions size_ts > 1000000UL
Bug #4382: fileinfo "stored: false" even if the file is kept on disk
Bug #4626: DNP3: intra structure overflow in DNP3DecodeObjectG70V6
Bug #4628: alert count shows up as 0 when stats are disabled
Bug #4631: Protocol detection : confusion with SMB in midstream
Bug #4639: Failed assertion in SMTP SMTPTransactionComplete
Bug #4646: TCP reassembly, failed assert app_progress > last_ack_abs, both sides need to be pruned
Bug #4647: rules: Unable to find the sm in any of the sm lists
Bug #4674: rules: mix of drop and pass rules issues
Bug #4676: rules: drop rules with noalert not fully dropping
Bug #4688: detect: too many prefilter engines lead to FNs
Bug #4690: nfs: failed assert self.tx_data.files_logged > 1
Bug #4691: IPv6 : decoder event on invalid fragment length
Bug #4696: lua: file info callback returns wrong value
Bug #4718: protodetect: SEGV due to NULL ptr deref
Bug #4729: ipv6 evasions : fragmentation
Bug #4788: Memory leak in SNMP with DetectEngineState
Bug #4790: af-packet: threads sometimes get stuck in capture
Bug #4794: loopback: different AF_INET6 values per OS
Bug #4816: flow-manager: cond_t handling in emergency mode is broken
Bug #4831: SWF decompression overread
Bug #4833: Wrong list_id with transforms for http_client_body and http file_data
Optimization #3429: improve err msg for dataset rules parsing
Task #4835: libhtp 0.5.39"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
---
 lfs/suricata | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Michael Tremer Nov. 20, 2021, 12:53 p.m. UTC | #1
Hello Matthias,

This perfectly compliments my suricata patchset from yesterday :)

Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>

-Michael

> On 20 Nov 2021, at 12:47, Matthias Fischer <matthias.fischer@ipfire.org> wrote:
> 
> For details see:
> https://forum.suricata.io/t/suricata-6-0-4-and-5-0-8-released/1942
> 
> "Various security, performance, accuracy and stability issues have been fixed,
> including two TCP evasion issues. CVE 2021-37592 was assigned."
> 
> Changelog:
> 
> "5.0.8 -- 2021-11-16
> 
> Security #4635: tcp: crafted injected packets cause desync after 3whs
> Security #4727: Bypass of Payload Detection on TCP RST with options of MD5header
> Bug #4345: Failed assert in TCPProtoDetectCheckBailConditions size_ts > 1000000UL
> Bug #4382: fileinfo "stored: false" even if the file is kept on disk
> Bug #4626: DNP3: intra structure overflow in DNP3DecodeObjectG70V6
> Bug #4628: alert count shows up as 0 when stats are disabled
> Bug #4631: Protocol detection : confusion with SMB in midstream
> Bug #4639: Failed assertion in SMTP SMTPTransactionComplete
> Bug #4646: TCP reassembly, failed assert app_progress > last_ack_abs, both sides need to be pruned
> Bug #4647: rules: Unable to find the sm in any of the sm lists
> Bug #4674: rules: mix of drop and pass rules issues
> Bug #4676: rules: drop rules with noalert not fully dropping
> Bug #4688: detect: too many prefilter engines lead to FNs
> Bug #4690: nfs: failed assert self.tx_data.files_logged > 1
> Bug #4691: IPv6 : decoder event on invalid fragment length
> Bug #4696: lua: file info callback returns wrong value
> Bug #4718: protodetect: SEGV due to NULL ptr deref
> Bug #4729: ipv6 evasions : fragmentation
> Bug #4788: Memory leak in SNMP with DetectEngineState
> Bug #4790: af-packet: threads sometimes get stuck in capture
> Bug #4794: loopback: different AF_INET6 values per OS
> Bug #4816: flow-manager: cond_t handling in emergency mode is broken
> Bug #4831: SWF decompression overread
> Bug #4833: Wrong list_id with transforms for http_client_body and http file_data
> Optimization #3429: improve err msg for dataset rules parsing
> Task #4835: libhtp 0.5.39"
> 
> Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
> ---
> lfs/suricata | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/lfs/suricata b/lfs/suricata
> index c7f189bf4..700556dd2 100644
> --- a/lfs/suricata
> +++ b/lfs/suricata
> @@ -24,7 +24,7 @@
> 
> include Config
> 
> -VER        = 5.0.7
> +VER        = 5.0.8
> 
> THISAPP    = suricata-$(VER)
> DL_FILE    = $(THISAPP).tar.gz
> @@ -41,7 +41,7 @@ objects = $(DL_FILE)
> 
> $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
> 
> -$(DL_FILE)_MD5 = f6ff77e4dcf8035853209ceeba9b530c
> +$(DL_FILE)_MD5 = d48387c2e0b5e502852b077369d947c5
> 
> install : $(TARGET)
> 
> -- 
> 2.18.0
>
Matthias Fischer Nov. 20, 2021, 1:16 p.m. UTC | #2
On 20.11.2021 13:53, Michael Tremer wrote:
> Hello Matthias,
> 
> This perfectly compliments my suricata patchset from yesterday :)
> 
> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
> ...

I hoped it would. ;-)

BTW:
I also tested 6.0.4, but this version still has problems with cpu load,
so I sticked with 5.0.8.

Best,
Matthias

Patch

diff --git a/lfs/suricata b/lfs/suricata
index c7f189bf4..700556dd2 100644
--- a/lfs/suricata
+++ b/lfs/suricata
@@ -24,7 +24,7 @@ 
 
 include Config
 
-VER        = 5.0.7
+VER        = 5.0.8
 
 THISAPP    = suricata-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -41,7 +41,7 @@  objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = f6ff77e4dcf8035853209ceeba9b530c
+$(DL_FILE)_MD5 = d48387c2e0b5e502852b077369d947c5
 
 install : $(TARGET)