This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
  via 0e49a87ff0218385d2998664367c861dbc52638b (commit)
  via 252a5d4d06c4eefd102502a175bbc5264553002f (commit)
  via 7386cc1f6072864479022d12a8f1fc8ddf676805 (commit)
  from 202d48c3408c2a3a7ec3b2a25d7b2c3a429f0719 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 0e49a87ff0218385d2998664367c861dbc52638b
Author: Michael Tremer michael.tremer@ipfire.org
Date: Wed Oct 2 16:02:32 2024 +0000
core190: Ship Suricata & libhtp
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 252a5d4d06c4eefd102502a175bbc5264553002f
Author: Matthias Fischer matthias.fischer@ipfire.org
Date: Wed Oct 2 15:41:33 2024 +0200
suricata: Update to 7.0.7
Excerpt from changelog: "7.0.7 -- 2024-10-01
Security #7289: http: missing hashtable random seed leads to potential DoS(CRITICAL - CVE 2024-47188)
Security #7268: ja4: non alphanumeric characters in alpn lead to panic (7.0.x backport)(HIGH - CVE 2024-47522)
Security #7258: thash: random factor not used; possible abusive hash collisions (7.0.x backport)(CRITICAL - CVE 2024-47187)
Security #7215: defrag: off by one leads to possible evasion (7.0.x backport)(HIGH - CVE 2024-45796)
Security #7196: datasets: rule with unset makes suricata abort (7.0.x backport)(HIGH - CVE 2024-45795)
Security #7192: http: quadratic complexity in headers processing/finding (7.0.x backport)(CRITICAL - CVE 2024-45797)
Bug #7290: tls: a rule stops working since 7.0.5 (7.0.x backport)
Bug #7286: eve/tls: enabling JA4 breaks custom field selection
Bug #7276: ja3: Error: ja3: Buffer should not be NULL (7.0.x backport)
Bug #7271: pgsql: track 'progress' in tx per direction (7.0.x backport)
Bug #7265: detect/flow: ACK with data on 3whs fails to match 'flow:established' (7.0.x backport)
Bug #7257: fuzz: CIFuzz is not fuzzing PRs as it is supposed to (7.0.x backport)
Bug #7242: app-layer-protocol: negated matching false positive (7.0.x backport)
Bug #7239: tls: Invalid ja3 due to double client hello (7.0.x backport)
Bug #7225: dataset: lookup function is not working with ip type (7.0.x backport)
Bug #7214: frames: stream frame is not always the first one registered (7.0.x backport)
Bug #7207: cbindgen: compatibility with newer version 0.27 (7.0.x backport)
Bug #7198: log/rfb: inconsistent key value security_result or security-result
Bug #7194: output: jb context not closed on error in EvePacket
Bug #7188: detect: dcerpc logging and matching issues (7.0.x backport)
Bug #7182: fuzz: File confyaml.c is missing (7.0.x backport)
Bug #7173: detect/integers: do not bother to free NULL pointer on setup/parse failure (7.0.x backport)
Bug #7166: profiling: rule profiling doesn't support absolute paths (7.0.x backport)
Bug #7159: tcp: 'broken ack' event set on flow timeout (7.0.x backport)
Bug #7136: util/thash: debug assertion for memuse (7.0.x backport)
Bug #7122: smb/ntlmssp: nonsense smb.ntlmssp.version values (7.0.x backport)
Bug #7116: dpdk: timestamping packets through TSC does not yield the same time as kernel time (7.0.x backport)
Bug #7066: alert/metadata: no pgsql object encapsulation (7.0.x backport)
Bug #7054: bypass: cannot bypass udp flow from first packet (7.0.x backport)
Bug #7001: pgsql: trigger raw stream reassembly (7.0.x backport)
Bug #6608: file: do not store if filestore:both,flow is triggered after the file was set to nostore (7.0.x backport)
Bug #6555: eve/alert: payload/payload_printable misrepresent data in case of overlaps (7.0.x backport)
Bug #6541: landlock: coverity warnings (7.0.x backport)
Optimization #7134: detect/snmp.version: do not free NULL pointer
Optimization #7075: dns/tcp: allow triggering raw stream reassembly (7.0.x backport)
Feature #7102: iprep: support seeing if rule is part of a rep list (7.0.x backport)
Feature #6674: detect: allow alert-then-pass logic (7.0.x backport)
Task #7249: libhtp 0.5.49 (7.0.x backport)
Task #7168: dns: make the version field in a dns object required (7.0.x backport)
Documentation #6641: doc: add tcp timeout fix to upgrade guide (7.0.x backport)"
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 7386cc1f6072864479022d12a8f1fc8ddf676805
Author: Matthias Fischer matthias.fischer@ipfire.org
Date: Wed Oct 2 15:41:32 2024 +0200
libhtp: Update to 0.5.49
For details see: https://github.com/OISF/libhtp/releases/tag/0.5.49
Signed-off-by: Matthias Fischer matthias.fischer@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 config/rootfiles/{oldcore/131 => core/190}/filelists/libhtp | 0
 config/rootfiles/{oldcore/131 => core/190}/filelists/suricata | 0
 config/rootfiles/core/190/update.sh | 2 ++
 lfs/libhtp | 6 +++---
 lfs/suricata | 4 ++--
 5 files changed, 7 insertions(+), 5 deletions(-)
 copy config/rootfiles/{oldcore/131 => core/190}/filelists/libhtp (100%)
 copy config/rootfiles/{oldcore/131 => core/190}/filelists/suricata (100%)
Difference in files: diff --git a/config/rootfiles/core/190/filelists/libhtp b/config/rootfiles/core/190/filelists/libhtp new file mode 120000 index 000000000..676e2c5e8 --- /dev/null +++ b/config/rootfiles/core/190/filelists/libhtp @@ -0,0 +1 @@ +../../../common/libhtp \ No newline at end of file diff --git a/config/rootfiles/core/190/filelists/suricata b/config/rootfiles/core/190/filelists/suricata new file mode 120000 index 000000000..f671f6993 --- /dev/null +++ b/config/rootfiles/core/190/filelists/suricata @@ -0,0 +1 @@ +../../../common/suricata \ No newline at end of file diff --git a/config/rootfiles/core/190/update.sh b/config/rootfiles/core/190/update.sh index 38f3126ec..ba7816216 100644 --- a/config/rootfiles/core/190/update.sh +++ b/config/rootfiles/core/190/update.sh @@ -32,6 +32,7 @@ for (( i=1; i<=$core; i++ )); do done
# Stop services +/etc/init.d/suricata stop
# Extract files extract_files @@ -60,6 +61,7 @@ fi /etc/init.d/collectd restart /etc/init.d/sshd restart /etc/init.d/squid restart +/etc/init.d/suricata start
# This update needs a reboot... touch /var/run/need_reboot diff --git a/lfs/libhtp b/lfs/libhtp index d3b56dcb2..205ae3ed1 100644 --- a/lfs/libhtp +++ b/lfs/libhtp @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2023 IPFire Team info@ipfire.org # +# Copyright (C) 2007-2024 IPFire Team info@ipfire.org # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -24,7 +24,7 @@
include Config
-VER = 0.5.48 +VER = 0.5.49
THISAPP = libhtp-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 56eeef3524ffeac593c251846196d09e0ccfacd9aadd03b35061fd1fe6a245d1374c338581b4f7bee67255797740f4e282344fc10bf3d0c0fdf824f159380053 +$(DL_FILE)_BLAKE2 = 84473148547fd68a75a1ef458980b648f7ee28c1f1ca81f1a9a8320efda5cd8df83df4be6135c67b45be2997ec59e1f84dae0634b925425eea93852ea8dc26c8
install : $(TARGET)
diff --git a/lfs/suricata b/lfs/suricata index dcee61ea1..b563ff9da 100644 --- a/lfs/suricata +++ b/lfs/suricata @@ -24,7 +24,7 @@
include Config
-VER = 7.0.6 +VER = 7.0.7
THISAPP = suricata-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = e031eda35913f0db553ae68e6fc4173db2f0a87b2f2c60141edf09abba3eef44cdba6cca1db039c8814525ff803dd60ea13cbba7b66e57fed3ae5297f90c7b18 +$(DL_FILE)_BLAKE2 = dc39279b99880762bee2b1788fea9046dc63c01560332ffc167844673314165456dcbff3b0d05d32c931741b397fd68e9e294d2ee6c526a3d286445c2a83b789
install : $(TARGET)
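Review bot: In config/rootfiles/core/190/update.sh the added "/etc/init.d/suricata start" (second hunk, after the squid restart) runs unconditionally, and nothing in the visible lines shows whether the service was running before the matching "/etc/init.d/suricata stop" in the first hunk. If the init script does not itself check that the IPS is enabled, this starts Suricata on systems where it was switched off. Consider recording the running state before the stop and starting only when it was running, or state in the commit message that the init script does nothing when the IPS is disabled. Note also that traffic inspection is down from the stop until the start, across extract_files; the commit message should say whether that gap is acceptable, given that the script sets /var/run/need_reboot a few lines later anyway.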
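Review bot: The replaced $(DL_FILE)_BLAKE2 values in lfs/suricata and lfs/libhtp (the hunks at line 40 of each file) are the only integrity pins for the 7.0.7 and 0.5.49 tarballs, and neither commit message says how they were derived. Since this update is being shipped for its security fixes, please note in the message that each hash was computed over a tarball checked against whatever signature or checksum upstream publishes for the release, so a reviewer can reproduce the value instead of trusting the download that happened to be on the build host.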
hooks/post-receive -- IPFire 2.x development tree