For details see: https://github.com/OISF/libhtp/releases/tag/0.5.40
"uri: optionally allows spaces in uri ints: integer handling improvements headers: continue on nul byte headers: consistent trailing space handling list: fix integer overflow util: remove unused htp_utf8_decode fix 100-continue with CL 0 lzma: don't do unnecessary realloc"
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org --- lfs/libhtp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lfs/libhtp b/lfs/libhtp index 3dad9955b..ffc82f8cd 100644 --- a/lfs/libhtp +++ b/lfs/libhtp @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2021 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2022 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 0.5.39 +VER = 0.5.40
THISAPP = libhtp-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = fec9e2b0dd867becde972e9e2bf572a21d90acc747a8ee8338e2fe68240d690706db01b12c3cf8c6bf1b5d4415da4e4a5bf92a056e1dff96f54a9ac569906712 +$(DL_FILE)_BLAKE2 = 37239d8d0afb6841c54bab1669a17ec7336b10998f8835ef91cf9556dd7449991ce6fb04a408d16b431ba6327b32f6f509a79a4c79ffc6e88e555fcf2e9f2cce
install : $(TARGET)
Changelog:
"5.0.9 -- 2022-04-21
Security #4889: ftp: SEGV at flow cleanup due to protocol confusion Security #5025: ftp: GetLine function buffers data indefinitely if 0x0a was not found int the frag'd input Security #5028: smtp: GetLine function buffers data indefinitely if 0x0a was not found in the frag'd input Security #5253: Infinite loop in JsonFTPLogger Feature #4644: pthreads: set minimum stack size Bug #4466: dataset file not written when run as user Bug #4678: Configuration test mode succeeds when reference.config file contains invalid content Bug #4745: Absent app-layer protocol is always enabled by default Bug #4819: tcp: insert_data_normal_fail can hit without triggering memcap Bug #4823: conf: quadratic complexity Bug #4825: pppoe decoder fails when protocol identity field is only 1 byte Bug #4827: packetpool: packets in pool may have capture method ReleasePacket callbacks set Bug #4838: af-packet: cluster_id is not used when trying to set fanout support Bug #4878: datasets: memory leak in 5.0.x Bug #4887: dnp3: buffer over read in logging base64 empty objects Bug #4891: protodetect: SMB vs TLS protocol detection in midstream Bug #4893: TFTP: memory leak due to missing detect state Bug #4895: Memory leak with signature using file_data and NFS Bug #4897: profiling: Invalid performance counter when using sampling Bug #4901: eve: memory leak related to dns Bug #4932: smtp: smtp transaction not logged if no email is present Bug #4955: stream: too aggressive pruning in lossy streams Bug #4957: SMTP assertion triggered Bug #4959: suricatasc loop if recv returns no data Bug #4961: dns: transaction not created when z-bit set Bug #4963: Run stream reassembly on both directions upon receiving a FIN packet Bug #5058: dns: probing/parser can return error when it should return incomplete Bug #5063: Not keyword matches in Kerberos requests Bug #5096: output: timestamp missing usecs on Arm 32bit + Musl Bug #5099: htp: server personality radix handling issue Bug #5101: defrag: policy config can setup radix incorrectly Bug #5103: Application log cannot to be re-opened when running as non-root user Bug #5105: iprep: cidr support can set up radix incorrectly Bug #5107: detect/iponly: rule parsing does not always apply netmask correctly Bug #5109: swf: coverity warning Bug #5115: detect/ip_proto: inconsistent behavior when specifying protocol by string Bug #5117: detect/iponly: mixing netblocks can lead to FN/FP Bug #5119: smb: excessive CPU utilization and higher packet processing latency due to excessive calls to Vec::extend_from_slice() Bug #5137: smb: excessive memory use during file transfer Bug #5150: nfs: Integer underflow in NFS Bug #5157: xbits: noalert is allowed in rule language with other commands Bug #5164: iprep: use_cnt can get desynchronized (SIGABRT) Bug #5171: detect/iponly: non-cidr netmask settings can lead incorrect radix tree Bug #5193: SSL : over allocation for certificates Bug #5213: content:"22 2 22"; is parsed without error Bug #5227: 5.0.x: SMB: Wrong buffer being checked for possible overflow. Bug #5251: smb: integer underflows and overflows Task #5006: libhtp 0.5.40"
Additionally, I moved the 'suricata' patch files into a separate directory. Apart from some line numbers, nothing else was changed.
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org --- lfs/suricata | 12 ++++++------ ...eam-tcp-Handle-retransmitted-SYN-with-TSval.patch | 2 +- ...-5.0.8-fix-level1-cache-line-size-detection.patch | 2 +- .../suricata-disable-sid-2210059.patch | 0 4 files changed, 8 insertions(+), 8 deletions(-) rename src/patches/{ => suricata}/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch (97%) rename src/patches/{ => suricata}/suricata-5.0.8-fix-level1-cache-line-size-detection.patch (95%) rename src/patches/{ => suricata}/suricata-disable-sid-2210059.patch (100%)
diff --git a/lfs/suricata b/lfs/suricata index 80e0923d3..4a9dcdb1d 100644 --- a/lfs/suricata +++ b/lfs/suricata @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2021 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2022 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 5.0.8 +VER = 5.0.9
THISAPP = suricata-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 5c13aea176b6666477c620d1ed294310ee84ec706abbc740a23d66722297c09b61f253bbe17700cd58f8ce439987c9b13f312aba37d911b6522e4848e7c1b0cd +$(DL_FILE)_BLAKE2 = 02ab99585233a47b1577e55060ba1141c339718e5bd39b6f4d38bb9384fd459aae353f313083048128507f9023a8bcfea3e5a5bcc9ea0c75cfc9c288ca9db6b6
install : $(TARGET)
@@ -70,9 +70,9 @@ $(subst %,%_BLAKE2,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata-disable-sid-2210059.patch - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata-5.0.8-fix-level1-cache-line-size-detection.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata/suricata-disable-sid-2210059.patch + cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata/suricata-5.0.8-fix-level1-cache-line-size-detection.patch cd $(DIR_APP) && LDFLAGS="$(LDFLAGS)" ./configure \ --prefix=/usr \ --sysconfdir=/etc \ diff --git a/src/patches/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch b/src/patches/suricata/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch similarity index 97% rename from src/patches/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch rename to src/patches/suricata/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch index fcea77cfa..6bc745a0f 100644 --- a/src/patches/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch +++ b/src/patches/suricata/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch @@ -26,7 +26,7 @@ diff --git a/src/stream-tcp.c b/src/stream-tcp.c index 1cff19fa5..af681760b 100644 --- a/src/stream-tcp.c +++ b/src/stream-tcp.c -@@ -1643,6 +1643,23 @@ static int StreamTcpPacketStateSynSent(ThreadVars *tv, Packet *p, +@@ -1641,6 +1641,23 @@ static int StreamTcpPacketStateSynSent(ThreadVars *tv, Packet *p, "ssn->client.last_ack %"PRIu32"", ssn, ssn->client.isn, ssn->client.next_seq, ssn->client.last_ack); diff --git a/src/patches/suricata-5.0.8-fix-level1-cache-line-size-detection.patch b/src/patches/suricata/suricata-5.0.8-fix-level1-cache-line-size-detection.patch similarity index 95% rename from src/patches/suricata-5.0.8-fix-level1-cache-line-size-detection.patch rename to src/patches/suricata/suricata-5.0.8-fix-level1-cache-line-size-detection.patch index a6747a2a7..68a21f1e9 100644 --- a/src/patches/suricata-5.0.8-fix-level1-cache-line-size-detection.patch +++ b/src/patches/suricata/suricata-5.0.8-fix-level1-cache-line-size-detection.patch @@ -2,7 +2,7 @@ diff --git a/configure.ac b/configure.ac index d56d3a550..81abf8f00 100644 --- a/configure.ac +++ b/configure.ac -@@ -2313,7 +2313,7 @@ fi +@@ -2318,7 +2318,7 @@ fi AC_PATH_PROG(HAVE_GETCONF_CMD, getconf, "no") if test "$HAVE_GETCONF_CMD" != "no"; then CLS=$(getconf LEVEL1_DCACHE_LINESIZE) diff --git a/src/patches/suricata-disable-sid-2210059.patch b/src/patches/suricata/suricata-disable-sid-2210059.patch similarity index 100% rename from src/patches/suricata-disable-sid-2210059.patch rename to src/patches/suricata/suricata-disable-sid-2210059.patch
Reviewed-by: Adolf Belka adolf.belka@ipfire.org
On 22/04/2022 10:21, Matthias Fischer wrote:
Changelog:
"5.0.9 -- 2022-04-21
Security #4889: ftp: SEGV at flow cleanup due to protocol confusion Security #5025: ftp: GetLine function buffers data indefinitely if 0x0a was not found int the frag'd input Security #5028: smtp: GetLine function buffers data indefinitely if 0x0a was not found in the frag'd input Security #5253: Infinite loop in JsonFTPLogger Feature #4644: pthreads: set minimum stack size Bug #4466: dataset file not written when run as user Bug #4678: Configuration test mode succeeds when reference.config file contains invalid content Bug #4745: Absent app-layer protocol is always enabled by default Bug #4819: tcp: insert_data_normal_fail can hit without triggering memcap Bug #4823: conf: quadratic complexity Bug #4825: pppoe decoder fails when protocol identity field is only 1 byte Bug #4827: packetpool: packets in pool may have capture method ReleasePacket callbacks set Bug #4838: af-packet: cluster_id is not used when trying to set fanout support Bug #4878: datasets: memory leak in 5.0.x Bug #4887: dnp3: buffer over read in logging base64 empty objects Bug #4891: protodetect: SMB vs TLS protocol detection in midstream Bug #4893: TFTP: memory leak due to missing detect state Bug #4895: Memory leak with signature using file_data and NFS Bug #4897: profiling: Invalid performance counter when using sampling Bug #4901: eve: memory leak related to dns Bug #4932: smtp: smtp transaction not logged if no email is present Bug #4955: stream: too aggressive pruning in lossy streams Bug #4957: SMTP assertion triggered Bug #4959: suricatasc loop if recv returns no data Bug #4961: dns: transaction not created when z-bit set Bug #4963: Run stream reassembly on both directions upon receiving a FIN packet Bug #5058: dns: probing/parser can return error when it should return incomplete Bug #5063: Not keyword matches in Kerberos requests Bug #5096: output: timestamp missing usecs on Arm 32bit + Musl Bug #5099: htp: server personality radix handling issue Bug #5101: defrag: policy config can setup radix incorrectly Bug #5103: Application log cannot to be re-opened when running as non-root user Bug #5105: iprep: cidr support can set up radix incorrectly Bug #5107: detect/iponly: rule parsing does not always apply netmask correctly Bug #5109: swf: coverity warning Bug #5115: detect/ip_proto: inconsistent behavior when specifying protocol by string Bug #5117: detect/iponly: mixing netblocks can lead to FN/FP Bug #5119: smb: excessive CPU utilization and higher packet processing latency due to excessive calls to Vec::extend_from_slice() Bug #5137: smb: excessive memory use during file transfer Bug #5150: nfs: Integer underflow in NFS Bug #5157: xbits: noalert is allowed in rule language with other commands Bug #5164: iprep: use_cnt can get desynchronized (SIGABRT) Bug #5171: detect/iponly: non-cidr netmask settings can lead incorrect radix tree Bug #5193: SSL : over allocation for certificates Bug #5213: content:"22 2 22"; is parsed without error Bug #5227: 5.0.x: SMB: Wrong buffer being checked for possible overflow. Bug #5251: smb: integer underflows and overflows Task #5006: libhtp 0.5.40"
Additionally, I moved the 'suricata' patch files into a separate directory. Apart from some line numbers, nothing else was changed.
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
lfs/suricata | 12 ++++++------ ...eam-tcp-Handle-retransmitted-SYN-with-TSval.patch | 2 +- ...-5.0.8-fix-level1-cache-line-size-detection.patch | 2 +- .../suricata-disable-sid-2210059.patch | 0 4 files changed, 8 insertions(+), 8 deletions(-) rename src/patches/{ => suricata}/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch (97%) rename src/patches/{ => suricata}/suricata-5.0.8-fix-level1-cache-line-size-detection.patch (95%) rename src/patches/{ => suricata}/suricata-disable-sid-2210059.patch (100%)
diff --git a/lfs/suricata b/lfs/suricata index 80e0923d3..4a9dcdb1d 100644 --- a/lfs/suricata +++ b/lfs/suricata @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2021 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2022 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 5.0.8 +VER = 5.0.9
THISAPP = suricata-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 5c13aea176b6666477c620d1ed294310ee84ec706abbc740a23d66722297c09b61f253bbe17700cd58f8ce439987c9b13f312aba37d911b6522e4848e7c1b0cd +$(DL_FILE)_BLAKE2 = 02ab99585233a47b1577e55060ba1141c339718e5bd39b6f4d38bb9384fd459aae353f313083048128507f9023a8bcfea3e5a5bcc9ea0c75cfc9c288ca9db6b6
install : $(TARGET)
@@ -70,9 +70,9 @@ $(subst %,%_BLAKE2,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata-disable-sid-2210059.patch
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata-5.0.8-fix-level1-cache-line-size-detection.patch
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata/suricata-disable-sid-2210059.patch
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata/suricata-5.0.8-fix-level1-cache-line-size-detection.patch cd $(DIR_APP) && LDFLAGS="$(LDFLAGS)" ./configure \ --prefix=/usr \ --sysconfdir=/etc \
diff --git a/src/patches/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch b/src/patches/suricata/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch similarity index 97% rename from src/patches/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch rename to src/patches/suricata/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch index fcea77cfa..6bc745a0f 100644 --- a/src/patches/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch +++ b/src/patches/suricata/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch @@ -26,7 +26,7 @@ diff --git a/src/stream-tcp.c b/src/stream-tcp.c index 1cff19fa5..af681760b 100644 --- a/src/stream-tcp.c +++ b/src/stream-tcp.c -@@ -1643,6 +1643,23 @@ static int StreamTcpPacketStateSynSent(ThreadVars *tv, Packet *p, +@@ -1641,6 +1641,23 @@ static int StreamTcpPacketStateSynSent(ThreadVars *tv, Packet *p, "ssn->client.last_ack %"PRIu32"", ssn, ssn->client.isn, ssn->client.next_seq, ssn->client.last_ack); diff --git a/src/patches/suricata-5.0.8-fix-level1-cache-line-size-detection.patch b/src/patches/suricata/suricata-5.0.8-fix-level1-cache-line-size-detection.patch similarity index 95% rename from src/patches/suricata-5.0.8-fix-level1-cache-line-size-detection.patch rename to src/patches/suricata/suricata-5.0.8-fix-level1-cache-line-size-detection.patch index a6747a2a7..68a21f1e9 100644 --- a/src/patches/suricata-5.0.8-fix-level1-cache-line-size-detection.patch +++ b/src/patches/suricata/suricata-5.0.8-fix-level1-cache-line-size-detection.patch @@ -2,7 +2,7 @@ diff --git a/configure.ac b/configure.ac index d56d3a550..81abf8f00 100644 --- a/configure.ac +++ b/configure.ac -@@ -2313,7 +2313,7 @@ fi +@@ -2318,7 +2318,7 @@ fi AC_PATH_PROG(HAVE_GETCONF_CMD, getconf, "no") if test "$HAVE_GETCONF_CMD" != "no"; then CLS=$(getconf LEVEL1_DCACHE_LINESIZE) diff --git a/src/patches/suricata-disable-sid-2210059.patch b/src/patches/suricata/suricata-disable-sid-2210059.patch similarity index 100% rename from src/patches/suricata-disable-sid-2210059.patch rename to src/patches/suricata/suricata-disable-sid-2210059.patch
Reviewed-by: Adolf Belka adolf.belka@ipfire.org
On 22/04/2022 10:21, Matthias Fischer wrote:
For details see: https://github.com/OISF/libhtp/releases/tag/0.5.40
"uri: optionally allows spaces in uri ints: integer handling improvements headers: continue on nul byte headers: consistent trailing space handling list: fix integer overflow util: remove unused htp_utf8_decode fix 100-continue with CL 0 lzma: don't do unnecessary realloc"Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
lfs/libhtp | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lfs/libhtp b/lfs/libhtp index 3dad9955b..ffc82f8cd 100644 --- a/lfs/libhtp +++ b/lfs/libhtp @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2021 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2022 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 0.5.39 +VER = 0.5.40
THISAPP = libhtp-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = fec9e2b0dd867becde972e9e2bf572a21d90acc747a8ee8338e2fe68240d690706db01b12c3cf8c6bf1b5d4415da4e4a5bf92a056e1dff96f54a9ac569906712 +$(DL_FILE)_BLAKE2 = 37239d8d0afb6841c54bab1669a17ec7336b10998f8835ef91cf9556dd7449991ce6fb04a408d16b431ba6327b32f6f509a79a4c79ffc6e88e555fcf2e9f2cce
install : $(TARGET)
-
Adolf Belka -
Matthias Fischer