This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
  via a702353e262542fd5becc930e42b2a47caca2a00 (commit)
  via b7f887e3b112d5a871886d942645f11c59465753 (commit)
  via e3d8db51fbf721698aa3cb767fbc134b12b0592d (commit)
  via ce8610479e024c2c81a4b4893b7dbc792a32252c (commit)
  from 979a8b3df745e74173a777ef361bf8f3abfcbad0 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit a702353e262542fd5becc930e42b2a47caca2a00
Author: Michael Tremer michael.tremer@ipfire.org
Date: Thu Jul 14 09:44:42 2022 +0000
c170: Ship suricata
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit b7f887e3b112d5a871886d942645f11c59465753
Author: Matthias Fischer matthias.fischer@ipfire.org
Date: Wed Jul 13 23:03:50 2022 +0200
suricata: Update to 5.0.10
Changelog:
"5.0.10 -- 2022-07-12
Bug #5429: TCP flow that retransmits the SYN with a newer TSval not properly tracked (5.0.x backport) [Note: Therefore 'suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch' could be removed]
Bug #5424: inspection of smb traffic without smb/dcerpc doesn't work correct. (5.0.x backport)
Bug #5423: DCERPC protocol detection when nested in SMB (5.0.x backport)
Bug #5404: detect: will still inspect packets of a "dropped" flow for non-TCP (5.0.x backport)
Bug #5388: detect/threshold: offline time handling issue (5.0.x backports)
Bug #5358: test failure on Ubuntu 22.04 with GCC 12 (5.0.x backport)
Bug #5354: detect/alert: fix segvfault when incrementing discarded alerts if alert-queue-expand fails (5.0.x backport)
Bug #5345: CIDR prefix calculation fails on big endian archs (5.0.x backport)
Bug #5343: ftp: quadratic complexity for tx iterator with linked list (5.0.x backport)
Bug #5341: decode/mime: base64 decoding for data with spaces is broken (5.0.x backport)
Bug #5339: PreProcessCommands does not handle all the edge cases (5.0.x backport)
Bug #5325: FTP: expectation created in wrong direction (5.0.x backport)
Bug #5305: cppcheck: various static analyzer "warning"s
Bug #5302: Failed assert DeStateSearchState
Bug #5301: eve: payload field randomly missing even if the packet field is present
Bug #5289: Remove unneeded stack-on-signal initialization.
Bug #5283: 5.0.x: ftp: don't let first incomplete segment be over maximum length
Bug #5124: alerts: 5.0.8/6.0.4 count noalert sigs towards built-in alert limit (5.0.x backport)
Bug #5113: Off-by-one in flow-manager flow_hash row allocation
Bug #5055: Documentation copyright years are invalid
Bug #5021: dataset: error with space in rule language
Bug #4926: Rule error in SMB dce_iface and dce_opnum keywords (5.0.x backport)
Bug #4646: TCP reassembly, failed assert app_progress > last_ack_abs, both sides need to be pruned
Optimization #5123: alerts: use alert queing in DetectEngineThreadCtx (5.0.x backport)
Optimization #5121: Use configurable or more dynamic @PACKET_ALERT_MAX@ (5.0.x backport)
Task #5322: stats/alert: log out to stats alerts that have been discarded from packet queue (5.0.x backport)"
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
Reviewed-by: Stefan Schantl stefan.schantl@ipfire.org
Reviewed-by: Stefan Schantl stefan.schantl@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit e3d8db51fbf721698aa3cb767fbc134b12b0592d
Author: Michael Tremer michael.tremer@ipfire.org
Date: Thu Jul 14 09:42:11 2022 +0000
c170: Update collectd.conf
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit ce8610479e024c2c81a4b4893b7dbc792a32252c
Author: Peter Müller peter.mueller@ipfire.org
Date: Wed Jul 13 20:05:16 2022 +0000
collectd: Do not keep track of entropy any more
Signed-off-by: Peter Müller peter.mueller@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 config/collectd/collectd.conf                      |  1 -
 .../{oldcore/131 => core/170}/filelists/suricata   |  0
 config/rootfiles/core/170/update.sh                |  6 +++
 lfs/suricata                                       |  5 +-
 ...m-tcp-Handle-retransmitted-SYN-with-TSval.patch | 55 ----------------------
 5 files changed, 8 insertions(+), 59 deletions(-)
 copy config/rootfiles/{oldcore/131 => core/170}/filelists/suricata (100%)
 delete mode 100644 src/patches/suricata/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch
Difference in files: diff --git a/config/collectd/collectd.conf b/config/collectd/collectd.conf index e34a97da1..4ef34ea07 100644 --- a/config/collectd/collectd.conf +++ b/config/collectd/collectd.conf @@ -16,7 +16,6 @@ LoadPlugin conntrack LoadPlugin cpu #LoadPlugin cpufreq LoadPlugin disk -LoadPlugin entropy LoadPlugin interface LoadPlugin iptables LoadPlugin load diff --git a/config/rootfiles/core/170/filelists/suricata b/config/rootfiles/core/170/filelists/suricata new file mode 120000 index 000000000..f671f6993 --- /dev/null +++ b/config/rootfiles/core/170/filelists/suricata @@ -0,0 +1 @@ +../../../common/suricata \ No newline at end of file diff --git a/config/rootfiles/core/170/update.sh b/config/rootfiles/core/170/update.sh index 7dde03060..aaa42cbb4 100644 --- a/config/rootfiles/core/170/update.sh +++ b/config/rootfiles/core/170/update.sh @@ -107,8 +107,14 @@ chown nobody:nobody /var/lib/ipblocklist # Rebuild fcrontab from scratch /usr/bin/fcrontab -z
+# Update collectd.conf +sed -i /etc/collectd.conf \ + -e "/LoadPlugin entropy/d" +/etc/init.d/collectd restart + # Start services /etc/init.d/rc.d/unbound start +/etc/init.d/rc.d/suricata restart
# This update needs a reboot... touch /var/run/need_reboot diff --git a/lfs/suricata b/lfs/suricata index 1ebcb4ba4..1fbc2c185 100644 --- a/lfs/suricata +++ b/lfs/suricata @@ -24,7 +24,7 @@
include Config
-VER = 5.0.9 +VER = 5.0.10
THISAPP = suricata-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 02ab99585233a47b1577e55060ba1141c339718e5bd39b6f4d38bb9384fd459aae353f313083048128507f9023a8bcfea3e5a5bcc9ea0c75cfc9c288ca9db6b6 +$(DL_FILE)_BLAKE2 = b5c83b9882e89894c3dedb7f536d584a20bbeab24236752e528171db6589a6308422c8b0be4f433fc63b8cfc227aa0b67935a4aece943b10f4577398ea9ed467
install : $(TARGET)
@@ -70,7 +70,6 @@ $(subst %,%_BLAKE2,$(objects)) : $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) @$(PREBUILD) @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata/suricata-disable-sid-2210059.patch cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/suricata/suricata-5.0.8-fix-level1-cache-line-size-detection.patch cd $(DIR_APP) && LDFLAGS="$(LDFLAGS)" ./configure \ diff --git a/src/patches/suricata/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch b/src/patches/suricata/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch deleted file mode 100644 index 6bc745a0f..000000000 --- a/src/patches/suricata/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch +++ /dev/null 
@@ -1,55 +0,0 @@ -From 511648b3d7a4b5a5b4d55b92dffd63fcb23903a0 Mon Sep 17 00:00:00 2001 -From: Michael Tremer michael.tremer@ipfire.org -Date: Fri, 19 Nov 2021 17:17:47 +0000 -Subject: [PATCH] stream: tcp: Handle retransmitted SYN with TSval - -For connections that use TCP timestamps for which the first SYN packet -does not reach the server, any replies to retransmitted SYNs will be -tropped. - -This is happening in StateSynSentValidateTimestamp, where the timestamp -value in a SYN-ACK packet must match the one from the SYN packet. -However, since the server never received the first SYN packet, it will -respond with an updated timestamp from any of the following SYN packets. - -The timestamp value inside suricata is not being updated at any time -which should happen. This patch fixes that problem. - -This problem was introduced in 9f0294fadca3dcc18c919424242a41e01f3e8318. - -Signed-off-by: Michael Tremer michael.tremer@ipfire.org ---- - src/stream-tcp.c | 17 +++++++++++++++++ - 1 file changed, 17 insertions(+) - -diff --git a/src/stream-tcp.c b/src/stream-tcp.c -index 1cff19fa5..af681760b 100644 ---- a/src/stream-tcp.c -+++ b/src/stream-tcp.c -@@ -1641,6 +1641,23 @@ static int StreamTcpPacketStateSynSent(ThreadVars *tv, Packet *p, - "ssn->client.last_ack %"PRIu32"", ssn, - ssn->client.isn, ssn->client.next_seq, - ssn->client.last_ack); -+ } else if (PKT_IS_TOSERVER(p)) { -+ /* -+ * On retransmitted SYN packets, the timestamp value must be updated, -+ * to avoid dropping any SYN+ACK packets that respond to a retransmitted SYN -+ * with an updated timestamp in StateSynSentValidateTimestamp. -+ */ -+ if ((ssn->client.flags & STREAMTCP_STREAM_FLAG_TIMESTAMP) && TCP_HAS_TS(p)) { -+ uint32_t ts_val = TCP_GET_TSVAL(p); -+ -+ // Check whether packets have been received in the correct order (only ever update) -+ if (ssn->client.last_ts < ts_val) { -+ ssn->client.last_ts = ts_val; -+ ssn->client.last_pkt_ts = p->ts.tv_sec; -+ } -+ -+ SCLogDebug("ssn %p: Retransmitted SYN. 
Updated timestamp from packet %"PRIu64, ssn, p->pcap_cnt); -+ } - } - - /** \todo check if it's correct or set event */ --- -2.30.2 -
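Review bot: in the config/rootfiles/core/170/update.sh hunk, the new `/etc/init.d/collectd restart` uses a different init path than the neighbouring `/etc/init.d/rc.d/unbound start` and `/etc/init.d/rc.d/suricata restart`; confirm both forms resolve on a core 170 system, or use the same form for all three so a missing path does not silently skip the restart. The sed expression `-e "/LoadPlugin entropy/d"` also deletes any line merely containing that string (a commented `#LoadPlugin entropy` included), which is harmless here but an anchored pattern such as `/^LoadPlugin entropy$/d` would match only the line the collectd.conf hunk removes.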
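Review bot: in the lfs/suricata hunks, the `VER = 5.0.10` bump and the new `$(DL_FILE)_BLAKE2` digest change together and the local SYN/TSval patch line is dropped, which matches the note in the commit message that upstream Bug #5429 now covers it; please confirm the new digest against the upstream 5.0.10 release signature rather than only the downloaded tarball, and check that the two remaining patch lines (`suricata-disable-sid-2210059.patch` and `suricata-5.0.8-fix-level1-cache-line-size-detection.patch`) still apply cleanly to 5.0.10, since the build aborts at the first failed `patch -Np1`.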
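Review bot: the deleted src/patches/suricata/suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch only ever moved `ssn->client.last_ts` forward for to-server SYN retransmissions in StreamTcpPacketStateSynSent, so that StateSynSentValidateTimestamp would accept the SYN-ACK answering a retransmitted SYN; before dropping it, confirm that the upstream fix for Bug #5429 in 5.0.10 updates the timestamp on the same path, otherwise SYN-ACK replies to retransmitted SYNs on timestamp-enabled connections would be dropped again and the affected flows would not be tracked.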
hooks/post-receive -- IPFire 2.x development tree