CVE-2025-59147
From e91b03c90385db15e21cf1a0e85b921bf92b039e Mon Sep 17 00:00:00 2001
# Subject: [PATCH] stream: improve SYN and SYN/ACK retransmission handling
Take SEQ and ACK into account for more scenarios.
SYN on SYN_SENT
In this case the SYN packets with different SEQ and other properties are
queued up. Each packet updates the ssn to reflect the last packet to
come in. The old ssn data is added to a TcpStateQueue entry in
TcpSession::queue. If the max queue length is exceeded, the oldest entry
is evicted. The queue is actually a singly linked list, where the list
head reflects the oldest entry.
SYN/ACK on SYN_SENT
In this case the first check is if the SYN/ACK matches the session. If
it doesn't, the queue is checked to see if there are SYNs stored. If one is
found that matches, it is used and the session is updated to reflect
that.
SYN/ACK on SYN_RECV
SYN/ACK resent on the SYN_RECV state. In this case the ssn is updated
from the current packet. The old settings are stored in a TcpStateQueue
entry in the TcpSession::queue.
ACK on SYN_RECV
Checks any stored SYN/ACKs before checking the session. If a queued
SYN/ACK was found, the session is updated to match it.
Ticket: #3844.
Ticket: #7657.
(cherry picked from commit be6315dba0d9101b11d16e9dacfe2822b3792f1b)
Patch adjusted for Debian to fit for Suricata 7.0.10.
Origin: upstream, https://github.com/OISF/suricata/commit/e91b03c90385db15e21cf1a0e85b921bf92b039e.patch
Bug: https://redmine.openinfosecfoundation.org/issues/7852
Subject: Upstream fix for CVE-2025-59147
Gbp-Pq: Name CVE-2025-59147.patch
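The four cases in the commit message above, modelled as an added example. This is not Suricata's code: the names TcpSession, TcpStateQueue and queue are taken from the commit message, while the field names, the verdict strings, the matching rules (a SYN/ACK answers a SYN when its ACK equals that SYN's ISN + 1, an ACK answers a SYN/ACK the same way), the window-scale stand-in for "other properties" and the MAX_QUEUE value of 4 are all assumptions made for the illustration. The point to take away is the ordering: a SYN/ACK that does not fit the most recent SYN is checked against the queued older SYNs instead of being dropped, and a final ACK is checked against queued SYN/ACKs before the live session settings.

```python
from dataclasses import dataclass
from typing import Optional

MAX_QUEUE = 4   # assumed cap; the commit message only says the oldest entry goes past the max

SYN_SENT, SYN_RECV, ESTABLISHED = "SYN_SENT", "SYN_RECV", "ESTABLISHED"


@dataclass
class Packet:
    flags: str           # "SYN", "SYN/ACK" or "ACK"
    seq: int
    ack: int = 0
    wscale: int = 0      # stands in for the "other properties" the commit message mentions


@dataclass
class TcpStateQueue:
    """Snapshot of the session as it was before a later SYN or SYN/ACK overwrote it."""
    kind: str            # "SYN" or "SYN/ACK": which packet's settings the snapshot holds
    client_isn: int
    server_isn: int
    client_wscale: int
    server_wscale: int
    next: Optional["TcpStateQueue"] = None   # singly linked list; the head is the oldest entry


@dataclass
class TcpSession:
    client_isn: int
    client_wscale: int = 0
    server_isn: int = 0
    server_wscale: int = 0
    state: str = SYN_SENT
    queue: Optional[TcpStateQueue] = None
    queue_len: int = 0


def queue_push(ssn: TcpSession, kind: str) -> None:
    """Append the current settings as the newest entry; evict the head once MAX_QUEUE is exceeded."""
    entry = TcpStateQueue(kind, ssn.client_isn, ssn.server_isn, ssn.client_wscale, ssn.server_wscale)
    if ssn.queue is None:
        ssn.queue = entry
    else:
        tail = ssn.queue
        while tail.next is not None:
            tail = tail.next
        tail.next = entry
    ssn.queue_len += 1
    if ssn.queue_len > MAX_QUEUE:
        ssn.queue = ssn.queue.next          # drop the oldest snapshot
        ssn.queue_len -= 1


def queue_find(ssn: TcpSession, kind: str, **wanted: int) -> Optional[TcpStateQueue]:
    """Oldest-first search for a snapshot of `kind` whose named fields equal `wanted`."""
    e = ssn.queue
    while e is not None:
        if e.kind == kind and all(getattr(e, f) == v for f, v in wanted.items()):
            return e
        e = e.next
    return None


def handle(ssn: TcpSession, p: Packet) -> str:
    """Apply one handshake packet to the session and return a verdict string."""
    if ssn.state == SYN_SENT and p.flags == "SYN":
        if p.seq == ssn.client_isn and p.wscale == ssn.client_wscale:
            return "syn-retransmit"                 # identical resend: nothing new to track
        queue_push(ssn, "SYN")                      # keep the older SYN's settings around
        ssn.client_isn, ssn.client_wscale = p.seq, p.wscale
        return "syn-updated"

    if ssn.state == SYN_SENT and p.flags == "SYN/ACK":
        if p.ack != ssn.client_isn + 1:             # not a reply to the most recent SYN...
            q = queue_find(ssn, "SYN", client_isn=p.ack - 1)
            if q is None:
                return "synack-unmatched"           # ...nor to any queued one
            ssn.client_isn, ssn.client_wscale = q.client_isn, q.client_wscale
        ssn.server_isn, ssn.server_wscale = p.seq, p.wscale
        ssn.state = SYN_RECV
        return "synack-accepted"

    if ssn.state == SYN_RECV and p.flags == "SYN/ACK":
        if p.seq == ssn.server_isn and p.wscale == ssn.server_wscale:
            return "synack-retransmit"
        queue_push(ssn, "SYN/ACK")                  # old server settings go to the queue
        ssn.server_isn, ssn.server_wscale = p.seq, p.wscale
        return "synack-updated"

    if ssn.state == SYN_RECV and p.flags == "ACK":
        q = queue_find(ssn, "SYN/ACK", server_isn=p.ack - 1)   # queued SYN/ACKs are checked first
        if q is not None:
            ssn.server_isn, ssn.server_wscale = q.server_isn, q.server_wscale
        elif p.ack != ssn.server_isn + 1:
            return "ack-unmatched"
        ssn.state = ESTABLISHED
        return "established"

    return "ignored"


def run(first_syn: Packet, rest: list) -> tuple:
    """Create the session from the first SYN and feed the remaining packets through handle()."""
    ssn = TcpSession(client_isn=first_syn.seq, client_wscale=first_syn.wscale)
    return ssn, [handle(ssn, p) for p in rest]
```

Feeding `run(Packet("SYN", 1000, wscale=7), [Packet("SYN", 2000, wscale=7), Packet("SYN/ACK", 5000, ack=1001), Packet("ACK", 1001, ack=5001)])` through the model ends in ESTABLISHED with the client ISN restored to 1000, because the SYN/ACK answered the queued first SYN rather than the later one; without the queue the same SYN/ACK would have been rejected and the session never tracked, which is the gap the patch closes.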
CVE-2025-53538
From 97eee2cadacf3423a1ebcdd1943a7a7917f5cc56 Mon Sep 17 00:00:00 2001
# Subject: [PATCH] http2: forbid data on stream 0
Ticket: 7658
Suricata will not handle well if we open a file for this tx,
do not close it, but set the transaction state to completed.
RFC 9113 section 6.1 states:
If a DATA frame is received whose Stream Identifier field is 0x00,
the recipient MUST respond with a connection error (Section 5.4.1)
of type PROTOCOL_ERROR.
(cherry picked from commit 1d6d331752e933c46aca0ae7a9679b27462246e3)
Origin: upstream, https://github.com/OISF/suricata/commit/97eee2cadacf3423a1ebcdd1943a7a7917f5cc56.patch
Bug: https://redmine.openinfosecfoundation.org/issues/7659
Bug-Debian: https://bugs.debian.org/1109806
Subject: Upstream fix for CVE-2025-53538
Gbp-Pq: Name CVE-2025-53538.patch
Debian default configuration
This patch sets Debian defaults for suricata configuration.

Currently, it sets a proper path for the suricata unix socket.
Forwarded: not-needed
Last-Update: 2016-12-01
Gbp-Pq: Name debian-default-cfg.patch
Patch to make the suricata build reproducible
This patch makes some changes to the suricata build to make it reproducible.

Currently, it only filters out the -fdebug-prefix-map CFLAG, which embeds the build path.
Forwarded: not-needed
Last-Update: 2016-09-05
Gbp-Pq: Name reproducible.patch
suricata (1:7.0.10-1+deb13u1) trixie; urgency=medium
* Fix CVE-2025-53538 in 7.0.10.
Cherry-Picked from upstream
97eee2cadacf3423a1ebcdd1943a7a7917f5cc56.
Closes: #1109806
Reference: #1116945
* Fix CVE-2025-59147 in 7.0.10.
Cherry-Picked from upstream
e91b03c90385db15e21cf1a0e85b921bf92b039e
and slightly modified to fit for Suricata 7.0.10.
Reference: #1119940
[dgit import unpatched suricata 1:7.0.10-1+deb13u1]