"6.0.12 -- 2023-05-08

Bug #6040: tcp: failed assertion ASSERT: !(ssn->state != TCP_SYN_SENT) (6.0.x backport) Bug #6039: TCP resets have incorrect len, nh in IPv6 (6.0.x backport) Bug #6034: time: integer comparison with different signs (6.0.x backport) Bug #6031: af-packet: reload not occurring until packets are seen (6.0.x backport) Bug #6020: smtp: fuzz debug assertion trigger (6.0.x backport) Bug #6018: scan-build warning for mime decoder (6.0.x backport) Bug #6017: scan-build warnings for ac implementations (6.0.x backport) Bug #6016: scan-build warnings in radix implementation (6.0.x backport) Bug #6015: scan-build warning for detect sigordering (6.0.x backport) Bug #6014: scan-build warnings for detect address handling (6.0.x backport) Bug #6013: scan-build warning for detect port handling (6.0.x backport) Bug #6007: Unexpected behavior of `endswith` in combination with negated content matches (6.0.x backport) Bug #5999: exception/policy: make work with simulated flow memcap (6.0.x backport) Bug #5997: perf shows excessive time in IPOnlyMatchPacket (6.0.x backport) Bug #5980: rust: warning for future compile errors Bug #5961: smb: wrong endian conversion when parse NTLM Negotiate Flags (6.0.x backport) Bug #5958: bpf: postpone IPS check after IPS runmode is determined from the configuration file (6.0.x backport) Bug #5934: app-layer-htp: Condition depending on enabled IPS mode never true (6.0.x backport) Optimization #6033: detect using uninitialized engine mode (6.0.x backport) Feature #5996: Add support for 'inner' PF_RING clustering modes (6.0.x backport) Task #6052: github-ci: add windows + windivert build (6.0.x backport)"

Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org --- lfs/suricata | 4 ++-- .../suricata-5.0.8-fix-level1-cache-line-size-detection.patch | 2 +- src/patches/suricata/suricata-disable-sid-2210059.patch | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/lfs/suricata b/lfs/suricata index 75698b0b1..b28d5e3e7 100644 --- a/lfs/suricata +++ b/lfs/suricata @@ -24,7 +24,7 @@

include Config

-VER = 6.0.11 +VER = 6.0.12

THISAPP = suricata-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)

$(DL_FILE) = $(DL_FROM)/$(DL_FILE)

-$(DL_FILE)_BLAKE2 = 41b37168e6c50b32971ad8c0541f3bc1981152c8360bbfc261a9abab5dc229425bef92fe19db5d0ec7cf32abff71acca62934c411aea79f5c8f9b38bd6422ee4 +$(DL_FILE)_BLAKE2 = 3cd16072014e814ec116bbde6649a0230200e447884028fef0440cbbc38a36b28c1edb39098e4089ee966890464bcd2573ea82d3e35e6d034ad465ac20c4c0b6

install : $(TARGET)

diff --git a/src/patches/suricata/suricata-5.0.8-fix-level1-cache-line-size-detection.patch b/src/patches/suricata/suricata-5.0.8-fix-level1-cache-line-size-detection.patch index 5aaabb167..f1529812d 100644 --- a/src/patches/suricata/suricata-5.0.8-fix-level1-cache-line-size-detection.patch +++ b/src/patches/suricata/suricata-5.0.8-fix-level1-cache-line-size-detection.patch @@ -2,7 +2,7 @@ diff --git a/configure.ac b/configure.ac index d56d3a550..81abf8f00 100644 --- a/configure.ac +++ b/configure.ac -@@ -2390,7 +2390,7 @@ fi +@@ -2424,7 +2424,7 @@ fi AC_PATH_PROG(HAVE_GETCONF_CMD, getconf, "no") if test "$HAVE_GETCONF_CMD" != "no"; then CLS=$(getconf LEVEL1_DCACHE_LINESIZE) diff --git a/src/patches/suricata/suricata-disable-sid-2210059.patch b/src/patches/suricata/suricata-disable-sid-2210059.patch index 54747dfd2..8955eec5e 100644 --- a/src/patches/suricata/suricata-disable-sid-2210059.patch +++ b/src/patches/suricata/suricata-disable-sid-2210059.patch @@ -1,7 +1,7 @@ diff -Nur a/rules/stream-events.rules b/rules/stream-events.rules --- a/rules/stream-events.rules 2021-11-17 16:55:12.000000000 +0100 +++ b/rules/stream-events.rules 2021-12-08 18:12:39.850189502 +0100 -@@ -89,7 +89,7 @@ +@@ -97,7 +97,7 @@ # rule to alert if a stream has excessive retransmissions alert tcp any any -> any any (msg:"SURICATA STREAM excessive retransmissions"; flowbits:isnotset,tcp.retransmission.alerted; flowint:tcp.retransmission.count,>=,10; flowbits:set,tcp.retransmission.alerted; classtype:protocol-command-decode; sid:2210054; rev:1;) # Packet on wrong thread. Fires at most once per flow.