Changelog:
"6.0.8 -- 2022-09-27
Task #5552: libhtp 0.5.41
6.0.7 -- 2022-09-27
Security #5430: mqtt: DOS by quadratic with too many transactions in one parse (6.0.x backport)
Bug #5559: BUG_ON triggered from TmThreadsInjectFlowById (6.0.x backport)
Bug #5549: Failed assert DeStateSearchState (6.0.x)
Bug #5548: tcp: assertion failed in DoInsertSegment (BUG_ON) (6.0.x)
Bug #5547: rules: less strict parsing of unexpected flowbit options
Bug #5546: rules: don't error on bad hex in content
Bug #5540: detect: transform strip whitespace creates a 0-sized variable-length array: backport6
Bug #5505: http2: slow http2_frames_get_header_value_vec because of allocation [backport6]
Bug #5471: Reject action is no longer working (6.0.x backport)
Bug #5467: rules: more graceful handling of anomalies for stable versions
Bug #5459: Counters are not initialized in all places. (6.0.x backport)
Bug #5448: nfs: add maximum number of operations per compound (6.0.x backport)
Bug #5436: Infinite loop if the sniffing interface temporarily goes down (6.0.x backports)
Bug #5335: flow: vlan.use-for-tracking is not used for ICMPv4 (6.0.x backport)
Bug #4421: flow manager: using too much CPU during idle (6.0.x backport)
Feature #5535: ips: add "reject" action to exception policies (6.0.x backport)
Feature #5500: ips: midstream: add "exception policy" for midstream (6.0.x backport)
Task #5551: doc: add exception policy documentation (6.0.x)
Task #5533: detect/parse: add tests for parsing signatures with reject and drop action (6.0.x backport)
Task #5525: exceptions: error out when invalid configuration value is passed (6.0.x backport)
Task #5381: add `alert-queue-expand-fails` command-line option (6.0.x backport)
Task #5328: python: distutils deprecation warning (6.0.x backport)"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Changelog:
"5.0.10 -- 2022-07-12
Bug #5429: TCP flow that retransmits the SYN with a newer TSval not properly tracked (5.0.x backport)
[Note: Therefore 'suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch' could be removed]
Bug #5424: inspection of smb traffic without smb/dcerpc doesn't work correct. (5.0.x backport)
Bug #5423: DCERPC protocol detection when nested in SMB (5.0.x backport)
Bug #5404: detect: will still inspect packets of a "dropped" flow for non-TCP (5.0.x backport)
Bug #5388: detect/threshold: offline time handling issue (5.0.x backports)
Bug #5358: test failure on Ubuntu 22.04 with GCC 12 (5.0.x backport)
Bug #5354: detect/alert: fix segvfault when incrementing discarded alerts if alert-queue-expand fails (5.0.x backport)
Bug #5345: CIDR prefix calculation fails on big endian archs (5.0.x backport)
Bug #5343: ftp: quadratic complexity for tx iterator with linked list (5.0.x backport)
Bug #5341: decode/mime: base64 decoding for data with spaces is broken (5.0.x backport)
Bug #5339: PreProcessCommands does not handle all the edge cases (5.0.x backport)
Bug #5325: FTP: expectation created in wrong direction (5.0.x backport)
Bug #5305: cppcheck: various static analyzer "warning"s
Bug #5302: Failed assert DeStateSearchState
Bug #5301: eve: payload field randomly missing even if the packet field is present
Bug #5289: Remove unneeded stack-on-signal initialization.
Bug #5283: 5.0.x: ftp: don't let first incomplete segment be over maximum length
Bug #5124: alerts: 5.0.8/6.0.4 count noalert sigs towards built-in alert limit (5.0.x backport)
Bug #5113: Off-by-one in flow-manager flow_hash row allocation
Bug #5055: Documentation copyright years are invalid
Bug #5021: dataset: error with space in rule language
Bug #4926: Rule error in SMB dce_iface and dce_opnum keywords (5.0.x backport)
Bug #4646: TCP reassembly, failed assert app_progress > last_ack_abs, both sides need to be pruned
Optimization #5123: alerts: use alert queing in DetectEngineThreadCtx (5.0.x backport)
Optimization #5121: Use configurable or more dynamic @ PACKET_ALERT_MAX@ (5.0.x backport)
Task #5322: stats/alert: log out to stats alerts that have been discarded from packet queue (5.0.x backport)"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Changelog:
"5.0.9 -- 2022-04-21
Security #4889: ftp: SEGV at flow cleanup due to protocol confusion
Security #5025: ftp: GetLine function buffers data indefinitely if 0x0a was not found int the frag'd input
Security #5028: smtp: GetLine function buffers data indefinitely if 0x0a was not found in the frag'd input
Security #5253: Infinite loop in JsonFTPLogger
Feature #4644: pthreads: set minimum stack size
Bug #4466: dataset file not written when run as user
Bug #4678: Configuration test mode succeeds when reference.config file contains invalid content
Bug #4745: Absent app-layer protocol is always enabled by default
Bug #4819: tcp: insert_data_normal_fail can hit without triggering memcap
Bug #4823: conf: quadratic complexity
Bug #4825: pppoe decoder fails when protocol identity field is only 1 byte
Bug #4827: packetpool: packets in pool may have capture method ReleasePacket callbacks set
Bug #4838: af-packet: cluster_id is not used when trying to set fanout support
Bug #4878: datasets: memory leak in 5.0.x
Bug #4887: dnp3: buffer over read in logging base64 empty objects
Bug #4891: protodetect: SMB vs TLS protocol detection in midstream
Bug #4893: TFTP: memory leak due to missing detect state
Bug #4895: Memory leak with signature using file_data and NFS
Bug #4897: profiling: Invalid performance counter when using sampling
Bug #4901: eve: memory leak related to dns
Bug #4932: smtp: smtp transaction not logged if no email is present
Bug #4955: stream: too aggressive pruning in lossy streams
Bug #4957: SMTP assertion triggered
Bug #4959: suricatasc loop if recv returns no data
Bug #4961: dns: transaction not created when z-bit set
Bug #4963: Run stream reassembly on both directions upon receiving a FIN packet
Bug #5058: dns: probing/parser can return error when it should return incomplete
Bug #5063: Not keyword matches in Kerberos requests
Bug #5096: output: timestamp missing usecs on Arm 32bit + Musl
Bug #5099: htp: server personality radix handling issue
Bug #5101: defrag: policy config can setup radix incorrectly
Bug #5103: Application log cannot to be re-opened when running as non-root user
Bug #5105: iprep: cidr support can set up radix incorrectly
Bug #5107: detect/iponly: rule parsing does not always apply netmask correctly
Bug #5109: swf: coverity warning
Bug #5115: detect/ip_proto: inconsistent behavior when specifying protocol by string
Bug #5117: detect/iponly: mixing netblocks can lead to FN/FP
Bug #5119: smb: excessive CPU utilization and higher packet processing latency due to excessive calls to Vec::extend_from_slice()
Bug #5137: smb: excessive memory use during file transfer
Bug #5150: nfs: Integer underflow in NFS
Bug #5157: xbits: noalert is allowed in rule language with other commands
Bug #5164: iprep: use_cnt can get desynchronized (SIGABRT)
Bug #5171: detect/iponly: non-cidr netmask settings can lead incorrect radix tree
Bug #5193: SSL : over allocation for certificates
Bug #5213: content:"22 2 22"; is parsed without error
Bug #5227: 5.0.x: SMB: Wrong buffer being checked for possible overflow.
Bug #5251: smb: integer underflows and overflows
Task #5006: libhtp 0.5.40"
Additionally, I moved the 'suricata' patch files into a separate directory.
Apart from some line numbers, nothing else was changed.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
