From patchwork Thu Sep 29 20:21:56 2022
X-Patchwork-Submitter: Matthias Fischer
X-Patchwork-Id: 6025
From: Matthias Fischer
To: development@lists.ipfire.org
Subject: [PATCH 1/2] suricata: Update to 6.0.8
Date: Thu, 29 Sep 2022 22:21:56 +0200
Message-Id: <20220929202157.3683814-1-matthias.fischer@ipfire.org>

Changelog:

"6.0.8 -- 2022-09-27

Task #5552: libhtp 0.5.41

6.0.7 -- 2022-09-27

Security #5430: mqtt: DOS by quadratic with too many transactions in one parse (6.0.x backport)
Bug #5559: BUG_ON triggered from TmThreadsInjectFlowById (6.0.x backport)
Bug #5549: Failed assert DeStateSearchState (6.0.x)
Bug #5548: tcp: assertion failed in DoInsertSegment (BUG_ON) (6.0.x)
Bug #5547: rules: less strict parsing of unexpected flowbit options
Bug #5546: rules: don't error on bad hex in content
Bug #5540: detect: transform strip whitespace creates a 0-sized variable-length array: backport6
Bug #5505: http2: slow http2_frames_get_header_value_vec because of allocation [backport6]
Bug #5471: Reject action is no longer working (6.0.x backport)
Bug #5467: rules: more graceful handling of anomalies for stable versions
Bug #5459: Counters are not initialized in all places. (6.0.x backport)
Bug #5448: nfs: add maximum number of operations per compound (6.0.x backport)
Bug #5436: Infinite loop if the sniffing interface temporarily goes down (6.0.x backports)
Bug #5335: flow: vlan.use-for-tracking is not used for ICMPv4 (6.0.x backport)
Bug #4421: flow manager: using too much CPU during idle (6.0.x backport)
Feature #5535: ips: add "reject" action to exception policies (6.0.x backport)
Feature #5500: ips: midstream: add "exception policy" for midstream (6.0.x backport)
Task #5551: doc: add exception policy documentation (6.0.x)
Task #5533: detect/parse: add tests for parsing signatures with reject and drop action (6.0.x backport)
Task #5525: exceptions: error out when invalid configuration value is passed (6.0.x backport)
Task #5381: add `alert-queue-expand-fails` command-line option (6.0.x backport)
Task #5328: python: distutils deprecation warning (6.0.x backport)"

Signed-off-by: Matthias Fischer
Reviewed-by: Peter Müller
---
 config/rootfiles/common/suricata | 4 ++++
 lfs/suricata | 4 ++--
 .../suricata-5.0.8-fix-level1-cache-line-size-detection.patch | 2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/suricata index 043aba072..df297ebd6 100644 --- a/config/rootfiles/common/suricata +++ b/config/rootfiles/common/suricata @@ -1,6 +1,7 @@ etc/suricata etc/suricata/suricata.yaml usr/bin/suricata +#usr/include/suricata-plugin.h usr/sbin/convert-ids-backend-files #usr/share/doc/suricata #usr/share/doc/suricata/AUTHORS 
@@ -29,13 +30,16 @@ usr/share/suricata #usr/share/suricata/rules/dns-events.rules #usr/share/suricata/rules/files.rules #usr/share/suricata/rules/http-events.rules +#usr/share/suricata/rules/http2-events.rules #usr/share/suricata/rules/ipsec-events.rules #usr/share/suricata/rules/kerberos-events.rules #usr/share/suricata/rules/modbus-events.rules +#usr/share/suricata/rules/mqtt-events.rules #usr/share/suricata/rules/nfs-events.rules #usr/share/suricata/rules/ntp-events.rules #usr/share/suricata/rules/smb-events.rules #usr/share/suricata/rules/smtp-events.rules +#usr/share/suricata/rules/ssh-events.rules #usr/share/suricata/rules/stream-events.rules #usr/share/suricata/rules/tls-events.rules #usr/share/suricata/threshold.config diff --git a/lfs/suricata b/lfs/suricata index 1fbc2c185..857fb4e7b 100644 --- a/lfs/suricata +++ b/lfs/suricata @@ -24,7 +24,7 @@ include Config -VER = 5.0.10 +VER = 6.0.8 THISAPP = suricata-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = b5c83b9882e89894c3dedb7f536d584a20bbeab24236752e528171db6589a6308422c8b0be4f433fc63b8cfc227aa0b67935a4aece943b10f4577398ea9ed467 +$(DL_FILE)_BLAKE2 = 1e445885f3a672081cbb8f17de9fb0fa21a2c618b80ea8d3d9362c0475149d833986cac047ad90b1c1a5b5b19025ff501a695e0f197c00457859b3858f51ecba install : $(TARGET) diff --git a/src/patches/suricata/suricata-5.0.8-fix-level1-cache-line-size-detection.patch b/src/patches/suricata/suricata-5.0.8-fix-level1-cache-line-size-detection.patch index 68a21f1e9..5aaabb167 100644 --- a/src/patches/suricata/suricata-5.0.8-fix-level1-cache-line-size-detection.patch +++ b/src/patches/suricata/suricata-5.0.8-fix-level1-cache-line-size-detection.patch @@ -2,7 +2,7 @@ diff --git a/configure.ac b/configure.ac index d56d3a550..81abf8f00 100644 --- a/configure.ac 
+++ b/configure.ac -@@ -2318,7 +2318,7 @@ fi +@@ -2390,7 +2390,7 @@ fi AC_PATH_PROG(HAVE_GETCONF_CMD, getconf, "no") if test "$HAVE_GETCONF_CMD" != "no"; then CLS=$(getconf LEVEL1_DCACHE_LINESIZE)

From patchwork Thu Sep 29 20:21:57 2022
X-Patchwork-Submitter: Matthias Fischer
X-Patchwork-Id: 6026
From: Matthias Fischer
To: development@lists.ipfire.org
Subject: [PATCH 2/2] libhtp: Update to 0.5.41
Date: Thu, 29 Sep 2022 22:21:57 +0200
Message-Id: <20220929202157.3683814-2-matthias.fischer@ipfire.org>
In-Reply-To: <20220929202157.3683814-1-matthias.fischer@ipfire.org>

Needed for 'suricata 6.0.8'

For details see:
https://github.com/OISF/libhtp/releases/tag/0.5.41

"trim white space of invalid folding for first header
clear buffered data for body data
minor optimization for decompression code"

Signed-off-by: Matthias Fischer
Reviewed-by: Peter Müller
---
 lfs/libhtp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lfs/libhtp b/lfs/libhtp index ffc82f8cd..e3be4a73a 100644 --- a/lfs/libhtp +++ b/lfs/libhtp @@ -24,7 +24,7 @@ include Config -VER = 0.5.40 +VER = 0.5.41 THISAPP = libhtp-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 37239d8d0afb6841c54bab1669a17ec7336b10998f8835ef91cf9556dd7449991ce6fb04a408d16b431ba6327b32f6f509a79a4c79ffc6e88e555fcf2e9f2cce +$(DL_FILE)_BLAKE2 = e6e790f76b8d08b89ffc483a218dd1b3a6f910ff1fe8e44d48bfaae2189d9df567c0199e9f20fde05dc4059f75a1e3c34f4f76f2c8818dc7ca4111538095e16d install : $(TARGET)
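
Review bot: in patch 1/2, the first lfs/suricata hunk moves `VER` from 5.0.10 to 6.0.8, which is a change of release branch, yet the commit message quotes only the 6.0.7 and 6.0.8 changelog entries and the diffstat lists no configuration file. Please say in the commit message that this is the step from 5.0.x to 6.0.x and whether the shipped etc/suricata/suricata.yaml was checked against it. The quoted changelog adds exception policy settings (Feature #5535, Feature #5500) and now errors out on invalid configuration values (Task #5525), so a stale option would stop the IPS from starting rather than being ignored.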
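
Review bot: in patch 1/2, src/patches/suricata/suricata-5.0.8-fix-level1-cache-line-size-detection.patch keeps 5.0.8 in its file name while its only change is the refreshed configure.ac offset (`@@ -2318,7 +2318,7 @@` to `@@ -2390,7 +2390,7 @@`) for the 6.0.8 sources. Consider renaming the file in this patch, for example by dropping the version from the name, so the patch directory does not suggest it applies to a release the tree no longer builds.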
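
Review bot: in patch 1/2, the second lfs/suricata hunk replaces `$(DL_FILE)_BLAKE2` with a value that cannot be checked from the mail itself. Please note in the commit message how the new digest was obtained, that is, that it was computed over the tarball only after that tarball had been compared with the upstream release, so the pinned hash records a verified download rather than whatever was fetched.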
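
Review bot: in patch 2/2, the lfs/libhtp `VER` bump to 0.5.41 is described as "Needed for 'suricata 6.0.8'" but is sent as the second patch, after the one that sets suricata to 6.0.8. Please swap the order of the series so libhtp 0.5.41 lands first and the tree builds at every commit, which also keeps a bisect from stopping on a suricata 6.0.8 built against libhtp 0.5.40.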