Pierre Chifflier [Sun, 30 Mar 2025 10:03:02 +0000 (12:03 +0200)]
CVE-2023-35852-1
commit
aee1523b4591430ebed1ded0bb95508e6717a335
Author: Jason Ish <jason.ish@oisf.net>
Date: Tue May 23 15:17:59 2023 -0600
datasets: don't allow absolute or paths with directory traversal
For dataset filenames coming from rules, do not allow filenames that
are absolute or contain a directory traversal with "..". This prevents
datasets from escaping the defined data-directory, which may allow a bad
rule to overwrite any file that Suricata has permission to write to.
Add a new configuration option,
"datasets.rules.allow-absolute-filenames", to allow absolute filenames
in dataset rules. This will be a way to revert to the pre-6.0.13
behavior where save/state rules could use any filename.
Ticket: #6118
Gbp-Pq: Name CVE-2023-35852-1.patch
Pierre Chifflier [Sun, 30 Mar 2025 10:03:02 +0000 (12:03 +0200)]
CVE-2021-45098
commit
50e2b973eeec7172991bf8f544ab06fb782b97df
Author: Victor Julien <victor@inliniac.net>
Date: Tue Oct 5 14:48:27 2021 +0200
stream/tcp: handle RST with MD5 or AO header
Special handling for RST packets if they have a TCP MD5 or AO header option.
The options hash can't be validated. The end host might be able to validate
it, as it can have a key/password that was communicated out of band.
The sender could use this to move the TCP state to 'CLOSED', leading to
a desync of the TCP session.
This patch builds on top of
843d0b7a10bb ("stream: support RST getting lost/ignored")
It flags the receiver as having received an RST and moves the TCP state
into the CLOSED state. It then reverts this if the sender continues to
send traffic. In this case it sets the following event:
stream-event:suspected_rst_inject;
Bug: #4710.
Gbp-Pq: Name CVE-2021-45098.patch
Eric Leblond [Fri, 28 May 2021 10:19:38 +0000 (12:19 +0200)]
[PATCH] stream/tcp: don't reject on bad ack
Not using a packet for the streaming analysis when it had a non-zero
ACK value and the ACK bit was unset was leading to evasion, as it was
possible to start a session with a SYN packet with a non-zero ACK
value to see the full TCP stream and escape all stream and application
layer detection.
This addresses CVE-2021-35063.
Fixes: fa692df37 ("stream: reject broken ACK packets")
Ticket: #4504.
Gbp-Pq: Name stream-no-reject-bad-ack.patch
Pierre Chifflier [Sun, 30 Mar 2025 10:03:02 +0000 (12:03 +0200)]
llc
Gbp-Pq: Name llc.patch
Eric Leblond [Thu, 31 Oct 2019 12:29:56 +0000 (13:29 +0100)]
[PATCH] ebpf: avoid including if_tunnel.h
This is causing a dependency issue as files from another architecture
have to be installed.
Gbp-Pq: Name avoid-to-include-if_tunnel-h.patch
Sascha Steinbiss [Sun, 30 Mar 2025 10:03:02 +0000 (12:03 +0200)]
do not install the suricata Python module
Bug: https://redmine.openinfosecfoundation.org/issues/3156
Last-Update: 2019-09-18
Suricata's Python tools only import submodules of 'suricata'. Not installing
this module ensures that there is no chance of having an __init__.py in the
root module directory that might clash with other packages, e.g. suricata-update.
Gbp-Pq: Name remove-conflicting-python-file.patch
Eric Leblond [Wed, 17 Jul 2019 10:35:12 +0000 (12:35 +0200)]
[PATCH] af-packet: fix build on recent Linux kernels
Gbp-Pq: Name import-sockio-h.patch
Hilko Bengen [Tue, 23 Jul 2019 12:43:21 +0000 (14:43 +0200)]
Add --with-ebpf-includes parameter
Gbp-Pq: Name with-ebpf-includes.patch
Hilko Bengen [Tue, 22 Jan 2019 17:10:47 +0000 (18:10 +0100)]
configure: Introduce CLANG variable
Gbp-Pq: Name configure-clang-variable.patch
Sascha Steinbiss [Sun, 30 Mar 2025 10:03:02 +0000 (12:03 +0200)]
do not clean vendor directory on distclean
Last-Update: 2018-12-26
dh_auto_clean calls make distclean, which in the case of Suricata also
removes the vendor directory. This breaks repeated builds.
Gbp-Pq: Name fix-repeated-builds.patch
Adrian Bunk [Sun, 30 Mar 2025 10:03:02 +0000 (12:03 +0200)]
Don't use __USE_GNU
__USE_GNU is a glibc-internal symbol.
AC_USE_SYSTEM_EXTENSIONS is the proper autoconf
way to enable extensions.
Gbp-Pq: Name no-use-gnu.patch
Pierre Chifflier [Sun, 30 Mar 2025 10:03:02 +0000 (12:03 +0200)]
cross
Gbp-Pq: Name cross.patch
Arturo Borrero Gonzalez [Sun, 30 Mar 2025 10:03:02 +0000 (12:03 +0200)]
Debian default configuration
This patch sets Debian defaults for suricata configuration.
Currently, it sets a proper path for the suricata unix socket.
Forwarded: not-needed
Last-Update: 2016-12-01
Gbp-Pq: Name debian-default-cfg.patch
Arturo Borrero Gonzalez [Sun, 30 Mar 2025 10:03:02 +0000 (12:03 +0200)]
Patch to make the suricata build reproducible
This patch makes some changes to the suricata build to make it reproducible.
Currently, it only filters out the -fdebug-prefix-map CFLAG, which embeds the build path.
Forwarded: not-needed
Last-Update: 2016-09-05
Gbp-Pq: Name reproducible.patch
Thorsten Alteholz [Sun, 30 Mar 2025 10:03:02 +0000 (12:03 +0200)]
suricata (1:6.0.1-3+deb11u1) bullseye-security; urgency=medium
* Non-maintainer upload by the LTS Team.
* CVE-2021-45098
Fix bypass of HTTP-based signature by faking an RST TCP packet.
* CVE-2023-35852
Fix unintended file access in local filesystem.
* CVE-2024-32663
Fix using large amount of memory.
* CVE-2024-37151
Fix mishandling of multiple fragmented packets, which might lead to
policy bypass.
* CVE-2024-45796
Fix logic error during fragment reassembly.
* CVE-2025-29918
Fix infinite loop.
* CVE-2024-55626
Fix buffer overflow due to large BPF filter file.
[dgit import unpatched suricata 1:6.0.1-3+deb11u1]
Thorsten Alteholz [Sun, 30 Mar 2025 10:03:02 +0000 (12:03 +0200)]
Import suricata_6.0.1-3+deb11u1.debian.tar.xz
[dgit import tarball suricata 1:6.0.1-3+deb11u1 suricata_6.0.1-3+deb11u1.debian.tar.xz]
Sascha Steinbiss [Thu, 8 Oct 2020 20:23:17 +0000 (22:23 +0200)]
Import suricata_6.0.1.orig.tar.xz
[dgit import orig suricata_6.0.1.orig.tar.xz]