Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This is the first release after Suricata joined the Oss-Fuzz program, leading to
discovery of a number of (potential) security issues. We expect that in the coming
months we’ll fix more such issues, as the fuzzers increase their coverage and we
continue to improve the seed corpus.
Feature #3481: GRE ERSPAN Type 1 Support
Feature #3613: Teredo port configuration
Feature #3673: datasets: add ‘dataset-remove’ unix command
Bug #3240: Dataset hash-size or prealloc invalid value logging
Bug #3241: Dataset reputation invalid value logging
Bug #3342: Suricata 5.0 crashes while parsing SMB data
Bug #3450: signature with sticky buffer with subsequent pcre check in a different buffer loads but will never match
Bug #3491: Backport 5 BUG_ON(strcasecmp(str, “any”) in DetectAddressParseString
Bug #3507: rule parsing: memory leaks
Bug #3526: 5.0.x Kerberos vulnerable to TCP splitting evasion
Bug #3534: Skip over ERF_TYPE_META records
Bug #3552: file logging: complete files sometimes marked ‘TRUNCATED’
Bug #3571: rust: smb compile warnings
Bug #3573: TCP Fast Open – Bypass of stateless alerts
Bug #3574: Behavior for tcp fastopen
Bug #3576: Segfault when facing malformed SNMP rules
Bug #3577: SIP: Input not parsed when header values contain trailing spaces
Bug #3580: Faulty signature with two threshold keywords does not generate an error and never match
Bug #3582: random failures on sip and http-evader suricata-verify tests
Bug #3585: htp: asan issue
Bug #3592: Segfault on SMTP TLS
Bug #3598: rules: memory leaks in pktvar keyword
Bug #3600: rules: bad address block leads to stack exhaustion
Bug #3602: rules: crash on ‘internal’-only keywords
Bug #3604: rules: missing ‘consumption’ of transforms before pkt_data would lead to crash
Bug #3606: rules: minor memory leak involving pcre_get_substring
Bug #3609: ssl/tls: ASAN issue in SSLv3ParseHandshakeType
Bug #3610: defrag: asan issue
Bug #3612: rules/bsize: memory issue during parsing
Bug #3614: build-info and configure wrongly display libnss status
Bug #3644: Invalid memory read on malformed rule with Lua script
Bug #3646: rules: memory leaks on failed rules
Bug #3649: CIDR Parsing Issue
Bug #3651: FTP response buffering against TCP stream
Bug #3653: Recursion stack-overflow in parsing YAML configuration
Bug #3660: Multiple DetectEngineReload and bad insertion into linked list lead to buffer overflow
Bug #3665: FTP: Incorrect ftp_memuse calculation.
Bug #3667: Signature with an IP range creates one IPOnlyCIDRItem by signe IP address
Bug #3669: Rules reload with Napatech can hang Suricata UNIX manager process
Bug #3672: coverity: data directory handling issues
Bug #3674: Protocol detection evasion by packet splitting
Optimization #3406: filestore rules are loaded without warning when filestore is not enabled
Task #3478: libhtp 0.5.33
Task #3514: SMTP should place restraints on variable length items (e.g., filenames)
Documentation #3543: doc: add ipv4.hdr and ipv6.hdr
Bundled libhtp 0.5.33
Bundled Suricata-Update 1.1.2
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Tue, 28 Apr 2020 16:35:56 +0000 (18:35 +0200)]
libhtp: update to 0.5.33
(Scanty) release notes:
0.5.33 (27 April 2020)
----------------------
- compression bomb protection
- memory handling issue found by Oss-Fuzz
- improve handling of anomalies in traffic
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Tue, 28 Apr 2020 14:47:01 +0000 (16:47 +0200)]
Postfix: update to 3.5.1
Please refer to http://www.postfix.org/announcements/postfix-3.5.1.html
for further information.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Mon, 27 Apr 2020 15:41:47 +0000 (17:41 +0200)]
graph.pl: fix intendation of user CPU load
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Mon, 27 Apr 2020 15:25:15 +0000 (17:25 +0200)]
graphs.pl: use brackets instead of hypens
This simply makes more sense in most languages, as INPUT, OUTPUT and
FORWARD are special cases of firewall hits in general.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Mon, 27 Apr 2020 15:24:52 +0000 (17:24 +0200)]
de.pl: mention technical detail regarding new not SYN packets
Since an appropriate translation of the firewall hits graph is not
possible due to limited space, mentioning "NewNotSYN" at least clarifies
the relationship between "Verworfene neue Pakete ohne SYN-Markierung
protokollieren" and "NewNotSYN".
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Mon, 27 Apr 2020 15:24:27 +0000 (17:24 +0200)]
en.pl: fix spelling of "SYN"
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Mon, 27 Apr 2020 15:24:06 +0000 (17:24 +0200)]
graphs.pl: fix spelling of "SYN"
This merely is a cosmetic change, but since we are dealing with network
packets here, the SYN flag must be capitalised.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Erik Kapfer [Wed, 22 Apr 2020 16:01:13 +0000 (16:01 +0000)]
hyperscan: Update to version 5.2.1
Several bugfixes, improvements and extra detection has been added.
For the full changelog, take a look into here -->
https://github.com/intel/hyperscan/blob/master/CHANGELOG.md .
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sat, 18 Apr 2020 10:06:02 +0000 (12:06 +0200)]
libusb: update to 1.0.23
Fixes: #11480 Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Mon, 4 May 2020 18:10:56 +0000 (20:10 +0200)]
70-log.menu: Fix ovpnclients section.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sat, 11 Apr 2020 17:22:58 +0000 (19:22 +0200)]
coreutils: update to 8.32
Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This reverts commit 3bcd393e18c76683f7649368bd30c5c57789f7e5.
this has a corrupt rootfile:
Error! '/x86_64' in rootfiles files found!
./config/rootfiles/common/libwww-perl:#usr/lib/perl5/site_perl/5.30.0/x86_64-linux-thread-multi/auto/libwww
./config/rootfiles/common/libwww-perl:#usr/lib/perl5/site_perl/5.30.0/x86_64-linux-thread-multi/auto/libwww/perl
./config/rootfiles/common/libwww-perl:usr/lib/perl5/site_perl/5.30.0/x86_64-linux-thread-multi/auto/libwww/perl/.packlist
Replace by MACHINE !
Peter Müller [Sat, 11 Apr 2020 10:20:01 +0000 (12:20 +0200)]
Pakfire: do not leak upstream proxy password in log messages
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sat, 11 Apr 2020 09:02:26 +0000 (11:02 +0200)]
system.cgi: correctly translate CPU frequency
The CPU frequency diagram used the same "translation" as the CPU load,
which was confusing. This patch introduces a dedicated translation for
"CPU frequency", which makes things a little bit better but still does
not solve a Deppenleerzeichen ("CPU-Frequenz Diagramm") in the German
translation.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sat, 11 Apr 2020 08:25:29 +0000 (10:25 +0200)]
lang: fix typo (MacVTtap != MacVTap)
Fixes: #12339 Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Erik Kapfer [Sat, 11 Apr 2020 05:26:58 +0000 (07:26 +0200)]
borgbackup: Fixes DEP error. Update to 1.1.11
Fixes #12356
Several fixes but also new features has been added with this version.
Full changelog can be found in here --> https://github.com/borgbackup/borg/blob/1.1.11/docs/changes.rst#version-1111-2020-03-08 .
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Reviewed-by: Jonatan Schlag <jonatan.schlag@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Fri, 10 Apr 2020 08:00:37 +0000 (10:00 +0200)]
gzip: ship zgrep, zless and zmore
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Erik Kapfer [Wed, 8 Apr 2020 09:12:18 +0000 (11:12 +0200)]
iproute2: Update to version 5.6.0
Several fixes and new enhancements, including new binaries (devlink, rdma, tipc) has been added.
For all commits, take a look in here --> https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/log/ .
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Erik Kapfer [Wed, 8 Apr 2020 08:56:17 +0000 (10:56 +0200)]
ipset: Update to version 7.6
Update includes several userspace and kernel part changes.
For an overview, take a look into the changelog http://ipset.netfilter.org/changelog.html
Signed-off-by: Erik Kapfer <ummeegge@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>