From patchwork Tue May 23 11:50:07 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Matthias Fischer X-Patchwork-Id: 6899 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4QQXgZ1rWzz3wlf for ; Tue, 23 May 2023 11:50:18 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4QQXgW6jvMzyH; Tue, 23 May 2023 11:50:15 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4QQXgW4Y82z2ydF; Tue, 23 May 2023 11:50:15 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4QQXgV23RTz2xdh for ; Tue, 23 May 2023 11:50:14 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4QQXgT011wzfB for ; Tue, 23 May 2023 11:50:12 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1684842613; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=fI2W+76l7N/7IzXukvJAAttyWHlD5uXxZjMBhJtnztQ=; b=DAGOudcvJn04Z0W0/mWg4shhnDT3G1E2XV/BIyxrwnIssLDFn1mVwNNIxuNqITDOp0RZak 5SJE9jX6MJxVKQDw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1684842613; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=fI2W+76l7N/7IzXukvJAAttyWHlD5uXxZjMBhJtnztQ=; b=OsOGEZY4ZzqawDhFbHEV+tf0d4c7/DAcMwmQohkOi5ciLY16rTgtz5/5Ai3YRWUBo234T3 pGW1NAWoTdXfMhy4nYEdHoQ8ZRoI5jTcnNvVol4J+myXdH4huTryln6QnuyUUsBmYKG0VP HYES6d4xFFDz0yxboniAmbcy9dHw02oaAIrlY3VCSxnj9ylg3PVwLtrHw/7wNWjZmJXbtF YlMrZPkzkXrBkdBCSKGQEFpV5bJlXh+hzZj+xvi9mVhj5IEUWzQUMl+AYDno8pnAkBetYc IBNd7LyyCngI05pgPg/aSTucbFEpcuIVf71U2RT2kgC+GW2YA4NwNvysx6h7ZQ== From: Matthias Fischer To: development@lists.ipfire.org Subject: [PATCH] suricata: Update to 6.0.12 Date: Tue, 23 May 2023 13:50:07 +0200 Message-Id: <20230523115007.3452154-1-matthias.fischer@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" "6.0.12 -- 2023-05-08 Bug #6040: tcp: failed assertion ASSERT: !(ssn->state != TCP_SYN_SENT) (6.0.x backport) Bug #6039: TCP resets have incorrect len, nh in IPv6 (6.0.x backport) Bug #6034: time: integer comparison with different signs (6.0.x backport) Bug #6031: af-packet: reload not occurring until packets are seen (6.0.x backport) Bug #6020: smtp: fuzz debug assertion trigger (6.0.x backport) Bug #6018: scan-build warning for mime decoder (6.0.x backport) Bug #6017: scan-build warnings for ac implementations (6.0.x backport) Bug #6016: scan-build warnings in radix implementation (6.0.x backport) Bug #6015: scan-build warning for detect sigordering (6.0.x backport) Bug #6014: scan-build warnings for detect address handling (6.0.x backport) Bug #6013: scan-build warning for detect port handling (6.0.x backport) Bug #6007: Unexpected behavior of `endswith` in combination with negated content matches (6.0.x backport) Bug #5999: exception/policy: make work with simulated flow memcap (6.0.x backport) Bug #5997: perf shows excessive time in IPOnlyMatchPacket (6.0.x backport) Bug #5980: rust: warning for future compile errors Bug #5961: smb: wrong endian conversion when parse NTLM Negotiate Flags (6.0.x backport) Bug #5958: bpf: postpone IPS check after IPS runmode is determined from the configuration file (6.0.x backport) Bug #5934: app-layer-htp: Condition depending on enabled IPS mode never true (6.0.x backport) Optimization #6033: detect using uninitialized engine mode (6.0.x backport) Feature #5996: Add support for 'inner' PF_RING clustering modes (6.0.x backport) Task #6052: github-ci: add windows + windivert build (6.0.x backport)" Signed-off-by: Matthias Fischer --- lfs/suricata | 4 ++-- .../suricata-5.0.8-fix-level1-cache-line-size-detection.patch | 2 +- src/patches/suricata/suricata-disable-sid-2210059.patch | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/lfs/suricata b/lfs/suricata index 75698b0b1..b28d5e3e7 100644 --- a/lfs/suricata +++ b/lfs/suricata @@ -24,7 +24,7 @@ include Config -VER = 6.0.11 +VER = 6.0.12 THISAPP = suricata-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 41b37168e6c50b32971ad8c0541f3bc1981152c8360bbfc261a9abab5dc229425bef92fe19db5d0ec7cf32abff71acca62934c411aea79f5c8f9b38bd6422ee4 +$(DL_FILE)_BLAKE2 = 3cd16072014e814ec116bbde6649a0230200e447884028fef0440cbbc38a36b28c1edb39098e4089ee966890464bcd2573ea82d3e35e6d034ad465ac20c4c0b6 install : $(TARGET) diff --git a/src/patches/suricata/suricata-5.0.8-fix-level1-cache-line-size-detection.patch b/src/patches/suricata/suricata-5.0.8-fix-level1-cache-line-size-detection.patch index 5aaabb167..f1529812d 100644 --- a/src/patches/suricata/suricata-5.0.8-fix-level1-cache-line-size-detection.patch +++ b/src/patches/suricata/suricata-5.0.8-fix-level1-cache-line-size-detection.patch @@ -2,7 +2,7 @@ diff --git a/configure.ac b/configure.ac index d56d3a550..81abf8f00 100644 --- a/configure.ac +++ b/configure.ac -@@ -2390,7 +2390,7 @@ fi +@@ -2424,7 +2424,7 @@ fi AC_PATH_PROG(HAVE_GETCONF_CMD, getconf, "no") if test "$HAVE_GETCONF_CMD" != "no"; then CLS=$(getconf LEVEL1_DCACHE_LINESIZE) diff --git a/src/patches/suricata/suricata-disable-sid-2210059.patch b/src/patches/suricata/suricata-disable-sid-2210059.patch index 54747dfd2..8955eec5e 100644 --- a/src/patches/suricata/suricata-disable-sid-2210059.patch +++ b/src/patches/suricata/suricata-disable-sid-2210059.patch @@ -1,7 +1,7 @@ diff -Nur a/rules/stream-events.rules b/rules/stream-events.rules --- a/rules/stream-events.rules 2021-11-17 16:55:12.000000000 +0100 +++ b/rules/stream-events.rules 2021-12-08 18:12:39.850189502 +0100 -@@ -89,7 +89,7 @@ +@@ -97,7 +97,7 @@ # rule to alert if a stream has excessive retransmissions alert tcp any any -> any any (msg:"SURICATA STREAM excessive retransmissions"; flowbits:isnotset,tcp.retransmission.alerted; flowint:tcp.retransmission.count,>=,10; flowbits:set,tcp.retransmission.alerted; classtype:protocol-command-decode; sid:2210054; rev:1;) # Packet on wrong thread. Fires at most once per flow.