Excerpt from changelog:
"7.0.7 -- 2024-10-01
Security #7289: http: missing hashtable random seed leads to potential DoS (CRITICAL - CVE 2024-47188)
Security #7268: ja4: non alphanumeric characters in alpn lead to panic (7.0.x backport) (HIGH - CVE 2024-47522)
Security #7258: thash: random factor not used; possible abusive hash collisions (7.0.x backport) (CRITICAL - CVE 2024-47187)
Security #7215: defrag: off by one leads to possible evasion (7.0.x backport) (HIGH - CVE 2024-45796)
Security #7196: datasets: rule with unset makes suricata abort (7.0.x backport) (HIGH - CVE 2024-45795)
Security #7192: http: quadratic complexity in headers processing/finding (7.0.x backport) (CRITICAL - CVE 2024-45797)
Bug #7290: tls: a rule stops working since 7.0.5 (7.0.x backport)
Bug #7286: eve/tls: enabling JA4 breaks custom field selection
Bug #7276: ja3: Error: ja3: Buffer should not be NULL (7.0.x backport)
Bug #7271: pgsql: track 'progress' in tx per direction (7.0.x backport)
Bug #7265: detect/flow: ACK with data on 3whs fails to match 'flow:established' (7.0.x backport)
Bug #7257: fuzz: CIFuzz is not fuzzing PRs as it is supposed to (7.0.x backport)
Bug #7242: app-layer-protocol: negated matching false positive (7.0.x backport)
Bug #7239: tls: Invalid ja3 due to double client hello (7.0.x backport)
Bug #7225: dataset: lookup function is not working with ip type (7.0.x backport)
Bug #7214: frames: stream frame is not always the first one registered (7.0.x backport)
Bug #7207: cbindgen: compatibility with newer version 0.27 (7.0.x backport)
Bug #7198: log/rfb: inconsistent key value security_result or security-result
Bug #7194: output: jb context not closed on error in EvePacket
Bug #7188: detect: dcerpc logging and matching issues (7.0.x backport)
Bug #7182: fuzz: File confyaml.c is missing (7.0.x backport)
Bug #7173: detect/integers: do not bother to free NULL pointer on setup/parse failure (7.0.x backport)
Bug #7166: profiling: rule profiling doesn't support absolute paths (7.0.x backport)
Bug #7159: tcp: 'broken ack' event set on flow timeout (7.0.x backport)
Bug #7136: util/thash: debug assertion for memuse (7.0.x backport)
Bug #7122: smb/ntlmssp: nonsense smb.ntlmssp.version values (7.0.x backport)
Bug #7116: dpdk: timestamping packets through TSC does not yield the same time as kernel time (7.0.x backport)
Bug #7066: alert/metadata: no pgsql object encapsulation (7.0.x backport)
Bug #7054: bypass: cannot bypass udp flow from first packet (7.0.x backport)
Bug #7001: pgsql: trigger raw stream reassembly (7.0.x backport)
Bug #6608: file: do not store if filestore:both,flow is triggered after the file was set to nostore (7.0.x backport)
Bug #6555: eve/alert: payload/payload_printable misrepresent data in case of overlaps (7.0.x backport)
Bug #6541: landlock: coverity warnings (7.0.x backport)
Optimization #7134: detect/snmp.version: do not free NULL pointer
Optimization #7075: dns/tcp: allow triggering raw stream reassembly (7.0.x backport)
Feature #7102: iprep: support seeing if rule is part of a rep list (7.0.x backport)
Feature #6674: detect: allow alert-then-pass logic (7.0.x backport)
Task #7249: libhtp 0.5.49 (7.0.x backport)
Task #7168: dns: make the version field in a dns object required (7.0.x backport)
Documentation #6641: doc: add tcp timeout fix to upgrade guide (7.0.x backport)"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This removes a warning at boot that user and group should be
separated by ":" and not by ".".
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 1.9.4 to 1.9.6
- Tested building on riscv64 and it built without issues and the rootfile is the same as for
x86_64 & aarch64. So supported architectures have been removed and dnsdist is available
on all three architectures.
- Update of rootfile not required
- Changelog
1.9.6
New Features
Add support for a callback when a new tickets key is added
References: pull request 14449
Improvements
Make the logging functions available to all Lua environments
References: pull request 14438
Handle Quiche >= 0.22.0
References: pull request 14450
Don’t include openssl/engine.h if it’s not going to be used (Sander Hoentjen)
References: pull request 14452
Bug Fixes
Dedup Prometheus help and type lines for custom metrics with labels
References: #14395, pull request 14439
Fix a race in the XSK/AF_XDP backend handling code
References: pull request 14436
dns.cc: use pdns::views::UnsignedCharView
References: pull request 14437
1.9.5
New Features
Add a Lua FFI function to set proxy protocol values
References: pull request 14338
Add Lua FFI bindings to generate SVC responses
References: pull request 14339
Bug Fixes
Use the correct source IP for outgoing QUIC datagrams
References: pull request 14166
Reply to HTTP/2 PING frames immediately
References: pull request 14163
Log the correct amount of bytes sent for DoH w/ nghttp2
References: pull request 14332
Prevent a race when calling registerWebHandler at runtime
References: pull request 14170
Enforce a maximum number of HTTP request fields and a maximum HTTP request line size
References: pull request 14333
Fix a race condition with custom Lua web handlers
References: pull request 14342
Syslog should be enabled by default
References: pull request 14331
Fix a warning when compiling the unit tests without XSK
References: pull request 14334
autoconf: allow prerelease systemd versions (Chris Hofstaedtler)
References: pull request 14335
Edit the systemd unit file, CAP_BPF is no longer enough
References: #14279, pull request 14336
Fix ‘Error creating TCP worker’ error message
References: pull request 14337
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- miniupnpc is required for the build of transmission, but the bundled version was not
working properly with version 4.0.6 and we prefer not to use bundled versions.
- Only used for the build so rootfile is 100% commented out. No miniupnpc installed
on IPFire.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 4.0.5 to 4.0.6
- Update of rootfile not required
- Bundled miniupnpc is not working with the build of 4.0.6. As we prefer not to use bundled
packages where possible, this patch set builds miniupnpc prior to transmission. As
miniupnpc is only required for the build of transmission, nothing is installed from
miniupnpc.
- miniupnpc-2.2.8 has a problem with transmission and needs a patch to fix it. Added
into the transmission lfs file.
- Changelog
4.0.6
All Platforms
Improved parsing HTTP tracker announce response. (#6223)
Fixed 4.0.0 bug that caused some user scripts to have an invalid TR_TORRENT_TRACKERS environment variable. (#6434)
Fixed 4.0.0 bug where alt-speed-enabled had no effect in settings.json. (#6483)
Fixed 4.0.0 bug where the GTK client's "Use authentication" option was not saved between sessions. (#6514)
Fixed 4.0.0 bug where the filename for single-file torrents isn't sanitized. (#6846)
macOS Client
Fix: Sparkle support for handling beta version updates. (#5263)
Fixed app unable to start when having many torrents and TimeMachine enabled. (#6523)
Fix: Sparkle Version Comparator. (#6623)
Qt Client
Fixed 4.0.0 bug where piece size description text and slider state in torrent creation dialog are not always up-to-date. (#6516)
GTK Client
Fixed build when compiling with GTKMM 4. (#6393)
Added developer name to metainfo files. (#6598)
Added the launchable desktop-id to metainfo files. (#6779)
Fixed build when compiling on BSD. (#6812)
Web Client
Fixed a 4.0.0 bug where the infinite ratio symbol was displayed incorrectly in the WebUI. (#6491, #6500)
Fixed layout issue in speed display. (#6570)
General UI improvement related to filterbar and fixes download/upload speed info wrap. (#6761)
Daemon
Fixed a couple of logging issues. (#6463)
Everything Else
Updated flatpak release metainfo. (#6357)
Fixed libtransmission build on very old cmake versions. (#6418)
UTP peer connections follow user-defined speed limits better now. (#6551)
Only use a single concurrent queue for timeMachineExclude instead of one queue per torrent (#6523). (#6558)
Fixed 4.0.5 bug where svg and png icons in the WebUI might not be displayed. (#6563)
Fixed 4.0.0 bug where alt-speed-enabled had no effect in settings.json. (#6564)
Fixed 4.0.0 bugs where some RPC methods don't put torrents in recently-active anymore. (#6565)
Improved parsing HTTP tracker announce response. (#6567)
Fixed compatibility with clang-format 18. (#6690)
Fixed build when compiling with mbedtls 3.x. (#6823)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Even if there are no rules, if this does not exist, collectd will be
unhappy and we cannot generate the graph.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
We cannot use the PREROUTING/POSTROUTING chains here because Suricata
will fail to track NAT-ed connections.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This graph is split into three parts. One shows bypassed packets, the
next one shows the actually scanned packets and lastly we show the total
throughput.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The PID file does not get written when Suricata is not being started in
daemon mode and therefore we need to pass it as a command line
parameter.
The initscript should not deal with the PID file when starting but needs
it to terminate the process and to check the process status.
The web UI can use the PID file again.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This is because we might still land in the scenario where Suricata
crashes and NFQUEUE will simply ACCEPT all packets which will terminate
the processing of the mangle table.
Therefore the NFQUEUE rule should be the last one so that we never skip
any of the other processing.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This patch adds a watcher process that will restart suricata when it is
being killed by SIGKILL (e.g. by the OOM killer) or after a SEGV.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This patch changes that by introducing a new mark which allows us to
identify any newly bypassed connections and permanently store the bypass
flag.
We also only restore marks from the connection tracking when a packet
has no marks, yet.
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This allows us to work around any problems in Suricata better,
because we never send any whitelisted packets to the IPS in the first
place.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>