From patchwork Wed Oct 2 13:41:33 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthias Fischer X-Patchwork-Id: 8160 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4XJbZk5f8Qz3wxp for ; Wed, 2 Oct 2024 13:42:06 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "E6" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4XJbZf6Y5vz34q; Wed, 2 Oct 2024 13:42:02 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4XJbZf28zYz34Mh; Wed, 2 Oct 2024 13:42:02 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature RSA-PSS (4096 bits)) (Client CN "mail01.haj.ipfire.org", Issuer "R10" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4XJbZb5Pkpz32sr for ; Wed, 2 Oct 2024 13:41:59 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4XJbZb3z7nz1FW for ; Wed, 2 Oct 2024 13:41:59 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1727876519; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=95Ogq15kEK08Mu7OmOrDtLpU/VA3td6MsL6JtYVvFOA=; b=80jZh0AYWDz+v23eMZ4Rr6sxf23R8wJAjc+7Onrn9oDHuIFGQYxN+pcsSkbi5mEc1+TucN lSbZUd+0tGtdSNCA== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1727876519; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=95Ogq15kEK08Mu7OmOrDtLpU/VA3td6MsL6JtYVvFOA=; b=qeSv3HmWMu2wekf5EVy0KQNJHSSFGIZFXe3YPc1cwh+iAuVm50wiKcs9fY1aZNwIpb5ZJu ixXYodGcJRKkUVrhC6xe2HSwpNj9w77QwzLIsxVA3kF5CTg+1M/RFUCXn6Utfx6kPmLdkh 3qL4f/iuVPswSi4VeD6RP7ZhDTEg8nBSjkBu3cdjVkBeIMi/d8q+3f6Qfjb2Wr+7HD4bO1 JceQ3ucKDH2aOTWLlr4CHTx1LyxaSV5oLt1NtDTtGc+EnNKrZMO3X40XflO3198h/4HScG 2A57+iItbfkuAP6bu+mKpEdZqcMR4lxJOnaFXIeAJt+lFSssx2OQd3f8cuPTyQ== From: Matthias Fischer To: development@lists.ipfire.org Subject: [PATCH 2/2] suricata: Update to 7.0.7 Date: Wed, 2 Oct 2024 15:41:33 +0200 Message-ID: <20241002134150.3420653-2-matthias.fischer@ipfire.org> In-Reply-To: <20241002134150.3420653-1-matthias.fischer@ipfire.org> References: <20241002134150.3420653-1-matthias.fischer@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: 6ZYYHW7URQE4TLLMVQL2E73RRLAOJW2B X-Message-ID-Hash: 6ZYYHW7URQE4TLLMVQL2E73RRLAOJW2B X-MailFrom: matthias.fischer@ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Exerpt from changelog: "7.0.7 -- 2024-10-01 Security #7289: http: missing hashtable random seed leads to potential DoS(CRITICAL - CVE 2024-47188) Security #7268: ja4: non alphanumeric characters in alpn lead to panic (7.0.x backport)(HIGH - CVE 2024-47522) Security #7258: thash: random factor not used; possible abusive hash collisions (7.0.x backport)(CRITICAL - CVE 2024-47187) Security #7215: defrag: off by one leads to possible evasion (7.0.x backport)(HIGH - CVE 2024-45796) Security #7196: datasets: rule with unset makes suricata abort (7.0.x backport)(HIGH - CVE 2024-45795) Security #7192: http: quadratic complexity in headers processing/finding (7.0.x backport)(CRITICAL - CVE 2024-45797) Bug #7290: tls: a rule stops working since 7.0.5 (7.0.x backport) Bug #7286: eve/tls: enabling JA4 breaks custom field selection Bug #7276: ja3: Error: ja3: Buffer should not be NULL (7.0.x backport) Bug #7271: pgsql: track 'progress' in tx per direction (7.0.x backport) Bug #7265: detect/flow: ACK with data on 3whs fails to match 'flow:established' (7.0.x backport) Bug #7257: fuzz: CIFuzz is not fuzzing PRs as it is supposed to (7.0.x backport) Bug #7242: app-layer-protocol: negated matching false positive (7.0.x backport) Bug #7239: tls: Invalid ja3 due to double client hello (7.0.x backport) Bug #7225: dataset: lookup function is not working with ip type (7.0.x backport) Bug #7214: frames: stream frame is not always the first one registered (7.0.x backport) Bug #7207: cbindgen: comptability with newer version 0.27 (7.0.x backport) Bug #7198: log/rfb: inconsistent key value security_result or security-result Bug #7194: output: jb context not closed on error in EvePacket Bug #7188: detect: dcerpc logging and matching issues (7.0.x backport) Bug #7182: fuzz: File confyaml.c is missing (7.0.x backport) Bug #7173: detect/integers: do not bother to free NULL pointer on setup/parse failure (7.0.x backport) Bug #7166: profiling: rule profiling doesn't support absolute paths (7.0.x backport) Bug #7159: tcp: 'broken ack' event set on flow timeout (7.0.x backport) Bug #7136: util/thash: debug assertion for memuse (7.0.x backport) Bug #7122: smb/ntlmssp: nonsense smb.ntlmssp.version values (7.0.x backport) Bug #7116: dpdk: timestamping packets through TSC does not yield the same time as kernel time (7.0.x backport) Bug #7066: alert/metadata: no pgsql object encapsulation (7.0.x backport) Bug #7054: bypass: cannot bypass udp flow from first packet (7.0.x backport) Bug #7001: pgsql: trigger raw stream reassembly (7.0.x backport) Bug #6608: file: do not store if filestore:both,flow is triggered after the file was set to nostore (7.0.x backport) Bug #6555: eve/alert: payload/payload_printable misrepresent data in case of overlaps (7.0.x backport) Bug #6541: landlock: coverity warnings (7.0.x backport) Optimization #7134: detect/snmp.version: do not free NULL pointer Optimization #7075: dns/tcp: allow triggering raw stream reassembly (7.0.x backport) Feature #7102: iprep: support seeing if rule is part of a rep list (7.0.x backport) Feature #6674: detect: allow alert-then-pass logic (7.0.x backport) Task #7249: libhtp 0.5.49 (7.0.x backport) Task #7168: dns: make the version field in a dns object required (7.0.x backport) Documentation #6641: doc: add tcp timeout fix to upgrade guide (7.0.x backport)" Signed-off-by: Matthias Fischer Reviewed-by: Adolf Belka --- lfs/suricata | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lfs/suricata b/lfs/suricata index dcee61ea1..b563ff9da 100644 --- a/lfs/suricata +++ b/lfs/suricata @@ -24,7 +24,7 @@ include Config -VER = 7.0.6 +VER = 7.0.7 THISAPP = suricata-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = e031eda35913f0db553ae68e6fc4173db2f0a87b2f2c60141edf09abba3eef44cdba6cca1db039c8814525ff803dd60ea13cbba7b66e57fed3ae5297f90c7b18 +$(DL_FILE)_BLAKE2 = dc39279b99880762bee2b1788fea9046dc63c01560332ffc167844673314165456dcbff3b0d05d32c931741b397fd68e9e294d2ee6c526a3d286445c2a83b789 install : $(TARGET)