This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via a702353e262542fd5becc930e42b2a47caca2a00 (commit)
via b7f887e3b112d5a871886d942645f11c59465753 (commit)
via e3d8db51fbf721698aa3cb767fbc134b12b0592d (commit)
via ce8610479e024c2c81a4b4893b7dbc792a32252c (commit)
from 979a8b3df745e74173a777ef361bf8f3abfcbad0 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit a702353e262542fd5becc930e42b2a47caca2a00
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Jul 14 09:44:42 2022 +0000
c170: Ship suricata
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit b7f887e3b112d5a871886d942645f11c59465753
Author: Matthias Fischer <matthias.fischer(a)ipfire.org>
Date: Wed Jul 13 23:03:50 2022 +0200
suricata: Update to 5.0.10
Changelog:
"5.0.10 -- 2022-07-12
Bug #5429: TCP flow that retransmits the SYN with a newer TSval not properly tracked (5.0.x backport)
[Note: Therefore 'suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch' could be removed]
Bug #5424: inspection of smb traffic without smb/dcerpc doesn't work correctly. (5.0.x backport)
Bug #5423: DCERPC protocol detection when nested in SMB (5.0.x backport)
Bug #5404: detect: will still inspect packets of a "dropped" flow for non-TCP (5.0.x backport)
Bug #5388: detect/threshold: offline time handling issue (5.0.x backports)
Bug #5358: test failure on Ubuntu 22.04 with GCC 12 (5.0.x backport)
Bug #5354: detect/alert: fix segfault when incrementing discarded alerts if alert-queue-expand fails (5.0.x backport)
Bug #5345: CIDR prefix calculation fails on big endian archs (5.0.x backport)
Bug #5343: ftp: quadratic complexity for tx iterator with linked list (5.0.x backport)
Bug #5341: decode/mime: base64 decoding for data with spaces is broken (5.0.x backport)
Bug #5339: PreProcessCommands does not handle all the edge cases (5.0.x backport)
Bug #5325: FTP: expectation created in wrong direction (5.0.x backport)
Bug #5305: cppcheck: various static analyzer "warning"s
Bug #5302: Failed assert DeStateSearchState
Bug #5301: eve: payload field randomly missing even if the packet field is present
Bug #5289: Remove unneeded stack-on-signal initialization.
Bug #5283: 5.0.x: ftp: don't let first incomplete segment be over maximum length
Bug #5124: alerts: 5.0.8/6.0.4 count noalert sigs towards built-in alert limit (5.0.x backport)
Bug #5113: Off-by-one in flow-manager flow_hash row allocation
Bug #5055: Documentation copyright years are invalid
Bug #5021: dataset: error with space in rule language
Bug #4926: Rule error in SMB dce_iface and dce_opnum keywords (5.0.x backport)
Bug #4646: TCP reassembly, failed assert app_progress > last_ack_abs, both sides need to be pruned
Optimization #5123: alerts: use alert queueing in DetectEngineThreadCtx (5.0.x backport)
Optimization #5121: Use configurable or more dynamic @ PACKET_ALERT_MAX@ (5.0.x backport)
Task #5322: stats/alert: log out to stats alerts that have been discarded from packet queue (5.0.x backport)"
Signed-off-by: Matthias Fischer <matthias.fischer(a)ipfire.org>
Reviewed-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
Reviewed-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit e3d8db51fbf721698aa3cb767fbc134b12b0592d
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Thu Jul 14 09:42:11 2022 +0000
c170: Update collectd.conf
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit ce8610479e024c2c81a4b4893b7dbc792a32252c
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Wed Jul 13 20:05:16 2022 +0000
collectd: Do not keep track of entropy any more
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/collectd/collectd.conf | 1 -
.../{oldcore/131 => core/170}/filelists/suricata | 0
config/rootfiles/core/170/update.sh | 6 +++
lfs/suricata | 5 +-
...m-tcp-Handle-retransmitted-SYN-with-TSval.patch | 55 ----------------------
5 files changed, 8 insertions(+), 59 deletions(-)
copy config/rootfiles/{oldcore/131 => core/170}/filelists/suricata (100%)
delete mode 100644 src/patches/suricata/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch
Difference in files:
diff --git a/config/collectd/collectd.conf b/config/collectd/collectd.conf
index e34a97da1..4ef34ea07 100644
--- a/config/collectd/collectd.conf
+++ b/config/collectd/collectd.conf
@@ -16,7 +16,6 @@ LoadPlugin conntrack
LoadPlugin cpu
#LoadPlugin cpufreq
LoadPlugin disk
-LoadPlugin entropy
LoadPlugin interface
LoadPlugin iptables
LoadPlugin load
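Review bot: The commit message ("collectd: Do not keep track of entropy any more") gives no reason for dropping `LoadPlugin entropy`; a sentence on why the metric is no longer wanted would help anyone later deciding whether to re-enable it. Editing the shipped template only affects fresh installs, so it is right that the core 170 update.sh in this push also removes the line from /etc/collectd.conf on existing systems.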
diff --git a/config/rootfiles/core/170/filelists/suricata b/config/rootfiles/core/170/filelists/suricata
new file mode 120000
index 000000000..f671f6993
--- /dev/null
+++ b/config/rootfiles/core/170/filelists/suricata
@@ -0,0 +1 @@
+../../../common/suricata
\ No newline at end of file
diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh
index 7dde03060..aaa42cbb4 100644
--- a/config/rootfiles/core/170/update.sh
+++ b/config/rootfiles/core/170/update.sh
@@ -107,8 +107,14 @@ chown nobody:nobody /var/lib/ipblocklist
# Rebuild fcrontab from scratch
/usr/bin/fcrontab -z
+# Update collectd.conf
+sed -i /etc/collectd.conf \
+ -e "/LoadPlugin entropy/d"
+/etc/init.d/collectd restart
+
# Start services
/etc/init.d/rc.d/unbound start
+/etc/init.d/rc.d/suricata restart
# This update needs a reboot...
touch /var/run/need_reboot
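Review bot: The `sed -i /etc/collectd.conf -e "/LoadPlugin entropy/d"` removes the plugin line but nothing in the hunk removes the RRD data collectd has already written for the entropy plugin, so those stale files remain in collectd's RRD data directory until cleaned by hand; if leaving them is intended, a comment saying so would save the next reader the question, otherwise delete the entropy data next to the sed. Two smaller points: `/etc/init.d/collectd restart` is issued even though the update ends with `touch /var/run/need_reboot`, so the restart is largely cosmetic, and `/etc/init.d/rc.d/suricata restart` runs regardless of whether the IDS is enabled on the box, which is only fine if the init script itself checks the enabled state.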
diff --git a/lfs/suricata b/lfs/suricata
index 1ebcb4ba4..1fbc2c185 100644
--- a/lfs/suricata
+++ b/lfs/suricata
@@ -24,7 +24,7 @@
include Config
-VER = 5.0.9
+VER = 5.0.10
THISAPP = suricata-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 02ab99585233a47b1577e55060ba1141c339718e5bd39b6f4d38bb9384fd459aae353f313083048128507f9023a8bcfea3e5a5bcc9ea0c75cfc9c288ca9db6b6
+$(DL_FILE)_BLAKE2 = b5c83b9882e89894c3dedb7f536d584a20bbeab24236752e528171db6589a6308422c8b0be4f433fc63b8cfc227aa0b67935a4aece943b10f4577398ea9ed467
install : $(TARGET)
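Review bot: The new `$(DL_FILE)_BLAKE2` digest is the only check between the build and a tampered tarball, and neither this hunk nor the commit message says how it was obtained; please state that the 5.0.10 tarball was verified against the upstream-published signature or checksum before the digest was computed, rather than hashing whatever the mirror served. Recording that in the commit message keeps the digest auditable later.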
@@ -70,7 +70,6 @@ $(subst %,%_BLAKE2,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE)
- cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata/suricata-disable-sid-2210059.patch
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata/suricata-5.0.8-fix-level1-cache-line-size-detection.patch
cd $(DIR_APP) && LDFLAGS="$(LDFLAGS)" ./configure \
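Review bot: Dropping `suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch` matches the changelog note for Bug #5429 in the commit message, but the message does not say whether the two remaining patches (`suricata-disable-sid-2210059.patch` and `suricata-5.0.8-fix-level1-cache-line-size-detection.patch`) were confirmed to still apply cleanly to 5.0.10; a line noting that the package was test-built with the new tarball would close that gap, since a patch that no longer applies only fails at `patch -Np1` time.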
diff --git a/src/patches/suricata/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch b/src/patches/suricata/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch
deleted file mode 100644
index 6bc745a0f..000000000
--- a/src/patches/suricata/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 511648b3d7a4b5a5b4d55b92dffd63fcb23903a0 Mon Sep 17 00:00:00 2001
-From: Michael Tremer <michael.tremer(a)ipfire.org>
-Date: Fri, 19 Nov 2021 17:17:47 +0000
-Subject: [PATCH] stream: tcp: Handle retransmitted SYN with TSval
-
-For connections that use TCP timestamps for which the first SYN packet
-does not reach the server, any replies to retransmitted SYNs will be
-tropped.
-
-This is happening in StateSynSentValidateTimestamp, where the timestamp
-value in a SYN-ACK packet must match the one from the SYN packet.
-However, since the server never received the first SYN packet, it will
-respond with an updated timestamp from any of the following SYN packets.
-
-The timestamp value inside suricata is not being updated at any time
-which should happen. This patch fixes that problem.
-
-This problem was introduced in 9f0294fadca3dcc18c919424242a41e01f3e8318.
-
-Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
----
- src/stream-tcp.c | 17 +++++++++++++++++
- 1 file changed, 17 insertions(+)
-
-diff --git a/src/stream-tcp.c b/src/stream-tcp.c
-index 1cff19fa5..af681760b 100644
---- a/src/stream-tcp.c
-+++ b/src/stream-tcp.c
-@@ -1641,6 +1641,23 @@ static int StreamTcpPacketStateSynSent(ThreadVars *tv, Packet *p,
- "ssn->client.last_ack %"PRIu32"", ssn,
- ssn->client.isn, ssn->client.next_seq,
- ssn->client.last_ack);
-+ } else if (PKT_IS_TOSERVER(p)) {
-+ /*
-+ * On retransmitted SYN packets, the timestamp value must be updated,
-+ * to avoid dropping any SYN+ACK packets that respond to a retransmitted SYN
-+ * with an updated timestamp in StateSynSentValidateTimestamp.
-+ */
-+ if ((ssn->client.flags & STREAMTCP_STREAM_FLAG_TIMESTAMP) && TCP_HAS_TS(p)) {
-+ uint32_t ts_val = TCP_GET_TSVAL(p);
-+
-+ // Check whether packets have been received in the correct order (only ever update)
-+ if (ssn->client.last_ts < ts_val) {
-+ ssn->client.last_ts = ts_val;
-+ ssn->client.last_pkt_ts = p->ts.tv_sec;
-+ }
-+
-+ SCLogDebug("ssn %p: Retransmitted SYN. Updated timestamp from packet %"PRIu64, ssn, p->pcap_cnt);
-+ }
- }
-
- /** \todo check if it's correct or set event */
---
-2.30.2
-
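Review bot: The deleted patch guarded its update with `ssn->client.last_ts < ts_val`, so only a newer TSval on a retransmitted SYN replaced the stored timestamp; since the upstream 5.0.10 fix for Bug #5429 now supersedes it, it is worth confirming that upstream's handling is at least as strict (a retransmitted SYN carrying an older TSval must not roll the stored value back) and citing the upstream commit in the message so the two fixes can be compared later.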
hooks/post-receive
--
IPFire 2.x development tree