For details see:
https://downloads.isc.org/isc/bind9/9.16.49/doc/arm/html/notes.html#notes-for-bind-9-16-49
"Bug Fixes
A regression in cache-cleaning code enabled memory use to grow
significantly more quickly than before, until the configured
max-cache-size limit was reached. This has been fixed. [GL #4596]
Using rndc flush inadvertently caused cache cleaning to become
less effective. This could ultimately lead to the configured
max-cache-size limit being exceeded and has now been fixed. [GL #4621]
The logic for cleaning up expired cached DNS records was tweaked to be
more aggressive. This change helps with enforcing max-cache-ttl and
max-ncache-ttl in a timely manner. [GL #4591]
It was possible to trigger a use-after-free assertion when the overmem
cache cleaning was initiated. This has been fixed. [GL #4595]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This feature should not be used by IPFire and there
is a possible unfixed race condition that can be
used for a privilege elevation attack.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- I checked out doing a fresh install of CU184 and found that although the
LOGDROPHOSTILEIN and LOGDROPHOSTILEOUT entries were selected as "on" the values were not
in the /var/ipfire/optionsfw/settings file.
- After some investigation I realised that when I created the LOGDROPHOSTILE split into
incoming and outgoing I had not added them into the configroot lfs file.
- This patch adds the two entries and this was tested out with a fresh install and
confirmed to update the settings file.
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
We require this because Suricata might be restarted due to development
or rule refreshment purposes. We should then try to resume any
decoders/app-layers wherever possible.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Set this value to the same as the exception-policy to keep them in sync and
hopefully have the same behaviour. In case this option is not set, an
ugly message about an incorrectly set value will be logged to syslog
during startup.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This will limit the suricata process to only read and write to certain
files/directories.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This will simply skip processing a packet that caused an exception and will
allow Suricata to process all following packets of a flow.
Reference: #13638
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Update the configuration file for suricata 7.
This includes:
* Default values for newly introduced features and parsers
* Enable recently added protocol parsers for HTTP2, QUIC, Telnet and Torrent
* Update of URL for documentation
* Fixes of various typos and other clarifications
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This change means that if suricata crashes, the NFQUEUE will no longer
fall into a mode where ALL packets are being accepted. This used to be
the case before, which opened the entire firewall.
If suricata randomly crashes, we will fall back to the "bypass" mode
where packets will bypass suricata, but nothing else.
Fixes: #13642
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The kernel doesn't allow reading the frequency of an offline virtual core
if SMT is disabled, so now no error is reported in this case and NaN is submitted to the
database.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
grub-btrfs tries to reconfigure grub in the build system and always prints the bugtracker URL on every error, even when it's not a bug.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Because if this file exists, the cleanup script will remove the older version after a downgrade
and the system will still use the malwared version.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This gives us a lot of benefits:
* Speed up the extraction process
* More supported archive types due to the power of libarchive
* Support of passphrase protected archives
It also fixes a problem with non-extracted files next to a zero-sized
file inside an archive.
Fixes: #13632.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
A very simple XS-based Perl binding for libarchive
to get header data and extract files.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This is only a build dependency for perl-Archive-Peek-Libarchive and
will not be installed on a system.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This is only a build dependency for perl-Config-AutoConf and
will not be installed on a system.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>