Message ID | 20241002134150.3420653-2-matthias.fischer@ipfire.org |
---|---|
State | Staged |
Commit | 252a5d4d06c4eefd102502a175bbc5264553002f |
Headers |
Return-Path: <development-bounces@lists.ipfire.org> Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4XJbZk5f8Qz3wxp for <patchwork@web04.haj.ipfire.org>; Wed, 2 Oct 2024 13:42:06 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4XJbZf6Y5vz34q; Wed, 2 Oct 2024 13:42:02 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4XJbZf28zYz34Mh; Wed, 2 Oct 2024 13:42:02 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4XJbZb5Pkpz32sr for <development@lists.ipfire.org>; Wed, 2 Oct 2024 13:41:59 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4XJbZb3z7nz1FW for <development@lists.ipfire.org>; Wed, 2 Oct 2024 13:41:59 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1727876519; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=95Ogq15kEK08Mu7OmOrDtLpU/VA3td6MsL6JtYVvFOA=; b=80jZh0AYWDz+v23eMZ4Rr6sxf23R8wJAjc+7Onrn9oDHuIFGQYxN+pcsSkbi5mEc1+TucN lSbZUd+0tGtdSNCA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1727876519; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=95Ogq15kEK08Mu7OmOrDtLpU/VA3td6MsL6JtYVvFOA=; b=qeSv3HmWMu2wekf5EVy0KQNJHSSFGIZFXe3YPc1cwh+iAuVm50wiKcs9fY1aZNwIpb5ZJu ixXYodGcJRKkUVrhC6xe2HSwpNj9w77QwzLIsxVA3kF5CTg+1M/RFUCXn6Utfx6kPmLdkh 3qL4f/iuVPswSi4VeD6RP7ZhDTEg8nBSjkBu3cdjVkBeIMi/d8q+3f6Qfjb2Wr+7HD4bO1 JceQ3ucKDH2aOTWLlr4CHTx1LyxaSV5oLt1NtDTtGc+EnNKrZMO3X40XflO3198h/4HScG 2A57+iItbfkuAP6bu+mKpEdZqcMR4lxJOnaFXIeAJt+lFSssx2OQd3f8cuPTyQ== From: Matthias Fischer <matthias.fischer@ipfire.org> To: development@lists.ipfire.org Subject: [PATCH 2/2] suricata: Update to 7.0.7 Date: Wed, 2 Oct 2024 15:41:33 +0200 Message-ID: <20241002134150.3420653-2-matthias.fischer@ipfire.org> In-Reply-To: <20241002134150.3420653-1-matthias.fischer@ipfire.org> References: <20241002134150.3420653-1-matthias.fischer@ipfire.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Message-ID-Hash: 6ZYYHW7URQE4TLLMVQL2E73RRLAOJW2B X-Message-ID-Hash: 6ZYYHW7URQE4TLLMVQL2E73RRLAOJW2B X-MailFrom: matthias.fischer@ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk <development.lists.ipfire.org> Archived-At: <https://lists.ipfire.org/hyperkitty/list/development@lists.ipfire.org/message/6ZYYHW7URQE4TLLMVQL2E73RRLAOJW2B/> List-Archive: <https://lists.ipfire.org/hyperkitty/list/development@lists.ipfire.org/> List-Help: <mailto:development-request@lists.ipfire.org?subject=help> List-Owner: <mailto:development-owner@lists.ipfire.org> List-Post: <mailto:development@lists.ipfire.org> List-Subscribe: <mailto:development-join@lists.ipfire.org> List-Unsubscribe: <mailto:development-leave@lists.ipfire.org> |
Series |
[1/2] libhtp: Update to 0.5.49
|
|
Commit Message
Matthias Fischer
Oct. 2, 2024, 1:41 p.m. UTC
Exerpt from changelog:
"7.0.7 -- 2024-10-01
Security #7289: http: missing hashtable random seed leads to potential DoS(CRITICAL - CVE 2024-47188)
Security #7268: ja4: non alphanumeric characters in alpn lead to panic (7.0.x backport)(HIGH - CVE 2024-47522)
Security #7258: thash: random factor not used; possible abusive hash collisions (7.0.x backport)(CRITICAL - CVE 2024-47187)
Security #7215: defrag: off by one leads to possible evasion (7.0.x backport)(HIGH - CVE 2024-45796)
Security #7196: datasets: rule with unset makes suricata abort (7.0.x backport)(HIGH - CVE 2024-45795)
Security #7192: http: quadratic complexity in headers processing/finding (7.0.x backport)(CRITICAL - CVE 2024-45797)
Bug #7290: tls: a rule stops working since 7.0.5 (7.0.x backport)
Bug #7286: eve/tls: enabling JA4 breaks custom field selection
Bug #7276: ja3: Error: ja3: Buffer should not be NULL (7.0.x backport)
Bug #7271: pgsql: track 'progress' in tx per direction (7.0.x backport)
Bug #7265: detect/flow: ACK with data on 3whs fails to match 'flow:established' (7.0.x backport)
Bug #7257: fuzz: CIFuzz is not fuzzing PRs as it is supposed to (7.0.x backport)
Bug #7242: app-layer-protocol: negated matching false positive (7.0.x backport)
Bug #7239: tls: Invalid ja3 due to double client hello (7.0.x backport)
Bug #7225: dataset: lookup function is not working with ip type (7.0.x backport)
Bug #7214: frames: stream frame is not always the first one registered (7.0.x backport)
Bug #7207: cbindgen: comptability with newer version 0.27 (7.0.x backport)
Bug #7198: log/rfb: inconsistent key value security_result or security-result
Bug #7194: output: jb context not closed on error in EvePacket
Bug #7188: detect: dcerpc logging and matching issues (7.0.x backport)
Bug #7182: fuzz: File confyaml.c is missing (7.0.x backport)
Bug #7173: detect/integers: do not bother to free NULL pointer on setup/parse failure (7.0.x backport)
Bug #7166: profiling: rule profiling doesn't support absolute paths (7.0.x backport)
Bug #7159: tcp: 'broken ack' event set on flow timeout (7.0.x backport)
Bug #7136: util/thash: debug assertion for memuse (7.0.x backport)
Bug #7122: smb/ntlmssp: nonsense smb.ntlmssp.version values (7.0.x backport)
Bug #7116: dpdk: timestamping packets through TSC does not yield the same time as kernel time (7.0.x backport)
Bug #7066: alert/metadata: no pgsql object encapsulation (7.0.x backport)
Bug #7054: bypass: cannot bypass udp flow from first packet (7.0.x backport)
Bug #7001: pgsql: trigger raw stream reassembly (7.0.x backport)
Bug #6608: file: do not store if filestore:both,flow is triggered after the file was set to nostore (7.0.x backport)
Bug #6555: eve/alert: payload/payload_printable misrepresent data in case of overlaps (7.0.x backport)
Bug #6541: landlock: coverity warnings (7.0.x backport)
Optimization #7134: detect/snmp.version: do not free NULL pointer
Optimization #7075: dns/tcp: allow triggering raw stream reassembly (7.0.x backport)
Feature #7102: iprep: support seeing if rule is part of a rep list (7.0.x backport)
Feature #6674: detect: allow alert-then-pass logic (7.0.x backport)
Task #7249: libhtp 0.5.49 (7.0.x backport)
Task #7168: dns: make the version field in a dns object required (7.0.x backport)
Documentation #6641: doc: add tcp timeout fix to upgrade guide (7.0.x backport)"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
---
lfs/suricata | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Comments
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org> On 02/10/2024 15:41, Matthias Fischer wrote: > Exerpt from changelog: > "7.0.7 -- 2024-10-01 > > Security #7289: http: missing hashtable random seed leads to potential DoS(CRITICAL - CVE 2024-47188) > Security #7268: ja4: non alphanumeric characters in alpn lead to panic (7.0.x backport)(HIGH - CVE 2024-47522) > Security #7258: thash: random factor not used; possible abusive hash collisions (7.0.x backport)(CRITICAL - CVE 2024-47187) > Security #7215: defrag: off by one leads to possible evasion (7.0.x backport)(HIGH - CVE 2024-45796) > Security #7196: datasets: rule with unset makes suricata abort (7.0.x backport)(HIGH - CVE 2024-45795) > Security #7192: http: quadratic complexity in headers processing/finding (7.0.x backport)(CRITICAL - CVE 2024-45797) > Bug #7290: tls: a rule stops working since 7.0.5 (7.0.x backport) > Bug #7286: eve/tls: enabling JA4 breaks custom field selection > Bug #7276: ja3: Error: ja3: Buffer should not be NULL (7.0.x backport) > Bug #7271: pgsql: track 'progress' in tx per direction (7.0.x backport) > Bug #7265: detect/flow: ACK with data on 3whs fails to match 'flow:established' (7.0.x backport) > Bug #7257: fuzz: CIFuzz is not fuzzing PRs as it is supposed to (7.0.x backport) > Bug #7242: app-layer-protocol: negated matching false positive (7.0.x backport) > Bug #7239: tls: Invalid ja3 due to double client hello (7.0.x backport) > Bug #7225: dataset: lookup function is not working with ip type (7.0.x backport) > Bug #7214: frames: stream frame is not always the first one registered (7.0.x backport) > Bug #7207: cbindgen: comptability with newer version 0.27 (7.0.x backport) > Bug #7198: log/rfb: inconsistent key value security_result or security-result > Bug #7194: output: jb context not closed on error in EvePacket > Bug #7188: detect: dcerpc logging and matching issues (7.0.x backport) > Bug #7182: fuzz: File confyaml.c is missing (7.0.x backport) > Bug #7173: detect/integers: do not bother to free NULL pointer on setup/parse failure (7.0.x backport) > Bug #7166: profiling: rule profiling doesn't support absolute paths (7.0.x backport) > Bug #7159: tcp: 'broken ack' event set on flow timeout (7.0.x backport) > Bug #7136: util/thash: debug assertion for memuse (7.0.x backport) > Bug #7122: smb/ntlmssp: nonsense smb.ntlmssp.version values (7.0.x backport) > Bug #7116: dpdk: timestamping packets through TSC does not yield the same time as kernel time (7.0.x backport) > Bug #7066: alert/metadata: no pgsql object encapsulation (7.0.x backport) > Bug #7054: bypass: cannot bypass udp flow from first packet (7.0.x backport) > Bug #7001: pgsql: trigger raw stream reassembly (7.0.x backport) > Bug #6608: file: do not store if filestore:both,flow is triggered after the file was set to nostore (7.0.x backport) > Bug #6555: eve/alert: payload/payload_printable misrepresent data in case of overlaps (7.0.x backport) > Bug #6541: landlock: coverity warnings (7.0.x backport) > Optimization #7134: detect/snmp.version: do not free NULL pointer > Optimization #7075: dns/tcp: allow triggering raw stream reassembly (7.0.x backport) > Feature #7102: iprep: support seeing if rule is part of a rep list (7.0.x backport) > Feature #6674: detect: allow alert-then-pass logic (7.0.x backport) > Task #7249: libhtp 0.5.49 (7.0.x backport) > Task #7168: dns: make the version field in a dns object required (7.0.x backport) > Documentation #6641: doc: add tcp timeout fix to upgrade guide (7.0.x backport)" > > Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> > --- > lfs/suricata | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/lfs/suricata b/lfs/suricata > index dcee61ea1..b563ff9da 100644 > --- a/lfs/suricata > +++ b/lfs/suricata > @@ -24,7 +24,7 @@ > > include Config > > -VER = 7.0.6 > +VER = 7.0.7 > > THISAPP = suricata-$(VER) > DL_FILE = $(THISAPP).tar.gz > @@ -40,7 +40,7 @@ objects = $(DL_FILE) > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > -$(DL_FILE)_BLAKE2 = e031eda35913f0db553ae68e6fc4173db2f0a87b2f2c60141edf09abba3eef44cdba6cca1db039c8814525ff803dd60ea13cbba7b66e57fed3ae5297f90c7b18 > +$(DL_FILE)_BLAKE2 = dc39279b99880762bee2b1788fea9046dc63c01560332ffc167844673314165456dcbff3b0d05d32c931741b397fd68e9e294d2ee6c526a3d286445c2a83b789 > > install : $(TARGET) >
diff --git a/lfs/suricata b/lfs/suricata index dcee61ea1..b563ff9da 100644 --- a/lfs/suricata +++ b/lfs/suricata @@ -24,7 +24,7 @@ include Config -VER = 7.0.6 +VER = 7.0.7 THISAPP = suricata-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = e031eda35913f0db553ae68e6fc4173db2f0a87b2f2c60141edf09abba3eef44cdba6cca1db039c8814525ff803dd60ea13cbba7b66e57fed3ae5297f90c7b18 +$(DL_FILE)_BLAKE2 = dc39279b99880762bee2b1788fea9046dc63c01560332ffc167844673314165456dcbff3b0d05d32c931741b397fd68e9e294d2ee6c526a3d286445c2a83b789 install : $(TARGET)