Import suricata_7.0.10-1+deb13u3.debian.tar.xz
authorAndreas Dolp <dev@andreas-dolp.de>
Sun, 22 Feb 2026 12:28:52 +0000 (13:28 +0100)
committerAndreas Dolp <dev@andreas-dolp.de>
Sun, 22 Feb 2026 12:28:52 +0000 (13:28 +0100)
[dgit import tarball suricata 1:7.0.10-1+deb13u3 suricata_7.0.10-1+deb13u3.debian.tar.xz]

55 files changed:
building-in-ci.sh [new file with mode: 0755]
changelog [new file with mode: 0644]
control [new file with mode: 0644]
copyright [new file with mode: 0644]
libhtp-0.5.24-1.install [new file with mode: 0644]
libhtp-0.5.24-1.lintian-overrides [new file with mode: 0644]
libhtp-0.5.24-1.symbols [new file with mode: 0644]
patches/CVE-2025-53538.patch [new file with mode: 0644]
patches/CVE-2025-59147.patch [new file with mode: 0644]
patches/CVE-2025-64330.patch [new file with mode: 0644]
patches/CVE-2025-64331.patch [new file with mode: 0644]
patches/CVE-2025-64332.patch [new file with mode: 0644]
patches/CVE-2025-64333.patch [new file with mode: 0644]
patches/CVE-2025-64344.patch [new file with mode: 0644]
patches/CVE-2026-22258_1.patch [new file with mode: 0644]
patches/CVE-2026-22258_2.patch [new file with mode: 0644]
patches/CVE-2026-22258_3.patch [new file with mode: 0644]
patches/CVE-2026-22259_1.patch [new file with mode: 0644]
patches/CVE-2026-22259_2.patch [new file with mode: 0644]
patches/CVE-2026-22259_3.patch [new file with mode: 0644]
patches/CVE-2026-22259_4.patch [new file with mode: 0644]
patches/CVE-2026-22261_1.patch [new file with mode: 0644]
patches/CVE-2026-22261_2.patch [new file with mode: 0644]
patches/CVE-2026-22262_1.patch [new file with mode: 0644]
patches/CVE-2026-22262_2.patch [new file with mode: 0644]
patches/CVE-2026-22264.patch [new file with mode: 0644]
patches/avoid-to-include-if_tunnel-h.patch [new file with mode: 0644]
patches/configure-clang-variable.patch [new file with mode: 0644]
patches/cross.patch [new file with mode: 0644]
patches/debian-default-cfg.patch [new file with mode: 0644]
patches/fix-repeated-builds.patch [new file with mode: 0644]
patches/import-sockio-h.patch [new file with mode: 0644]
patches/llc.patch [new file with mode: 0644]
patches/no-use-gnu.patch [new file with mode: 0644]
patches/reproducible.patch [new file with mode: 0644]
patches/series [new file with mode: 0644]
patches/with-ebpf-includes.patch [new file with mode: 0644]
rules [new file with mode: 0755]
source/format [new file with mode: 0644]
suricata.README.Debian [new file with mode: 0644]
suricata.default [new file with mode: 0644]
suricata.dirs [new file with mode: 0644]
suricata.init [new file with mode: 0644]
suricata.install [new file with mode: 0644]
suricata.lintian-overrides [new file with mode: 0644]
suricata.logrotate [new file with mode: 0644]
suricata.maintscript [new file with mode: 0644]
suricata.manpages [new file with mode: 0644]
suricata.preinst [new file with mode: 0644]
suricata.service [new file with mode: 0644]
tests/control [new file with mode: 0644]
tests/systemd-service-test.sh [new file with mode: 0644]
upstream/metadata [new file with mode: 0644]
upstream/signing-key.asc [new file with mode: 0644]
watch [new file with mode: 0644]

diff --git a/building-in-ci.sh b/building-in-ci.sh
new file mode 100755 (executable)
index 0000000..ccf552d
--- /dev/null
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# this script prints 'true' if any ancestor process name is any of $REGEXPS
+
+REGEXPS="debci autopkgtest adt"
+
+set -e
+
+walk()
+{
+       pid=$1
+
+       [ ! -r /proc/$pid/cmdline ] && exit 1
+
+       name=$(ps -p $pid -o cmd | tail -1)
+       for exp in $REGEXPS
+       do
+               if grep -e $exp <<< $name >/dev/null ; then
+                       echo true
+                       exit
+               fi
+       done
+
+       ppid=$(ps -o ppid= $pid | tr -d ' ')
+       walk $ppid
+}
+
+walk $$
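Review bot: The test `grep -e $exp <<< $name` in `walk` is an unanchored substring match against the full command line printed by `ps -o cmd`, not the process name the header comment describes, so the three-letter pattern `adt` reports `true` for any ancestor whose path or arguments merely contain those letters. If the result is used to relax or skip build-time checks (not visible in this hunk), a false positive would weaken them silently. Matching whole words and quoting the expansions narrows this: `if grep -qw -e "$exp" <<< "$name"; then`, with `"$pid"` quoted in the `ps` and `/proc` lines as well. The header comment should also state that a non-match prints nothing and ends with exit status 1, which appears to happen through the `/proc/$pid/cmdline` check once the walk goes past PID 1.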
diff --git a/changelog b/changelog
new file mode 100644 (file)
index 0000000..3dabe9c
--- /dev/null
+++ b/changelog
@@ -0,0 +1,1206 @@
+suricata (1:7.0.10-1+deb13u3) trixie; urgency=medium
+
+  * Fix CVE-2026-22258 in 7.0.10.
+    Cherry-Picked from:
+    * f82a388d0283725cb76782cf64e8341cab370830
+    * df389f8a43a06c718bb336ea082d6c80d6fefda0
+    * c9b80e5affe073ce9d95d0c935a8d67647c83bf7
+  * Fix CVE-2026-22262 in 7.0.10.
+    Cherry-Picked from:
+    * 32609e6896f9079c175665a94005417cec7637eb
+    * 27a2180bceaa3477419c78c54fce364398d011f1
+  * Fix CVE-2026-22264 in 7.0.10.
+    Cherry-Picked from 5789a3d3760dbf33d93fc56c27bd9529e5bdc8f2.
+  * Fix CVE-2026-22259 in 7.0.10.
+    Cherry-Picked from:
+    * 63225d5f8ef64cc65164c0bb1800730842d54942
+    * 635af8dc8be09667689be71d781912718ca1aa49
+    * fdd79bdb14488244604729f1d68ca4bc60000dbd
+    * a6d950315d9b6c1e35c10c24d9bb7128d422c21f
+    With this fix, DNP3 has reduced the default maximum number of
+    outstanding transactions from 500 down to 32.
+    Read the update instructions for Suricata 7.0.14 for more details.
+  * Fix CVE-2026-22261 in 7.0.10.
+    Cherry-Picked from:
+    * 44d0c81f537f230e9215c769453fb4d7214217a1
+    * 7e704a3f50690b5f5d5cc573147ef41449fe37ac
+
+ -- Andreas Dolp <dev@andreas-dolp.de>  Sun, 22 Feb 2026 13:28:52 +0100
+
+suricata (1:7.0.10-1+deb13u2) trixie; urgency=medium
+
+  * Fix CVE-2025-64344 in 7.0.10.
+    Cherry-Picked from upstream a7ff4c9ba53009680c7cd128b16c28d0aeda9886.
+  * Fix CVE-2025-64333 in 7.0.10.
+    Cherry-Picked from upstream 4b1d284bb57219b6677a8bda5cdc14a24a6aa22d.
+  * Fix CVE-2025-64332 in 7.0.10.
+    Cherry-Picked from upstream f67d72702a2601d0a86ac1450686e70d7176f629.
+  * Fix CVE-2025-64331 in 7.0.10.
+    Cherry-Picked from upstream 5abf9b81e78476f49ab074f3a74b5840747cd069.
+    Added missing function declaration and refreshed patch by quilt.
+  * Fix CVE-2025-64330 in 7.0.10.
+    Cherry-Picked from upstream 5d6c24cc2ce6a390c0956b7ecb2c5efc47e72abc.
+
+ -- Andreas Dolp <dev@andreas-dolp.de>  Wed, 10 Dec 2025 20:12:20 +0100
+
+suricata (1:7.0.10-1+deb13u1) trixie; urgency=medium
+
+  * Fix CVE-2025-53538 in 7.0.10.
+    Cherry-Picked from upstream 97eee2cadacf3423a1ebcdd1943a7a7917f5cc56.
+    Closes: #1109806
+    Reference: #1116945
+  * Fix CVE-2025-59147 in 7.0.10.
+    Cherry-Picked from upstream e91b03c90385db15e21cf1a0e85b921bf92b039e
+    and slightly modified to fit for Suricata 7.0.10.
+    Reference: #1119940
+
+ -- Andreas Dolp <dev@andreas-dolp.de>  Sat, 27 Sep 2025 21:43:45 +0200
+
+suricata (1:7.0.10-1) unstable; urgency=medium
+
+  * New upstream release.
+
+ -- Sascha Steinbiss <satta@debian.org>  Wed, 26 Mar 2025 09:28:20 +0100
+
+suricata (1:7.0.9-1) unstable; urgency=medium
+
+  * New upstream release.
+  * Bump versioned libhtp dependency to 0.5.50 or later.
+
+ -- Sascha Steinbiss <satta@debian.org>  Tue, 18 Mar 2025 18:15:01 +0100
+
+suricata (1:7.0.8-2) unstable; urgency=medium
+
+  * Drop dpkg depencency from Pre-Depends.
+    Thanks to Guillem Jover for noticing this.
+    Closes: #1100109
+  * Use dpkg-query instead of apt-cache in debian/rules.
+    Thanks to Jochen Sprickerhof for pointing this out.
+    Closes: #1100051
+
+ -- Sascha Steinbiss <satta@debian.org>  Sat, 15 Mar 2025 14:37:24 +0100
+
+suricata (1:7.0.8-1) unstable; urgency=medium
+
+  * New upstream release.
+
+ -- Sascha Steinbiss <satta@debian.org>  Fri, 13 Dec 2024 09:29:46 +0100
+
+suricata (1:7.0.7-1) unstable; urgency=medium
+
+  * New upstream release.
+  * Bump versioned libhtp dependency to 0.5.49 or later.
+
+ -- Sascha Steinbiss <satta@debian.org>  Mon, 14 Oct 2024 10:48:09 +0200
+
+suricata (1:7.0.6-1) unstable; urgency=medium
+
+  * New upstream release.
+  * Re-enable tests.
+  * Bump copyright date for debian/ directory.
+
+ -- Sascha Steinbiss <satta@debian.org>  Thu, 27 Jun 2024 14:29:40 +0200
+
+suricata (1:7.0.5-2) unstable; urgency=medium
+
+  * Disable tests that need builds for now.
+    Meant to remove one of the roadblocks towards testing migration.
+
+ -- Sascha Steinbiss <satta@debian.org>  Wed, 24 Apr 2024 23:01:32 +0200
+
+suricata (1:7.0.5-1) unstable; urgency=medium
+
+  * New upstream release.
+  * Bump versioned libhtp dependency to 0.5.48 or later.
+  * Remove (probably buggy) Rust constraint from d/rules.
+
+ -- Sascha Steinbiss <satta@debian.org>  Tue, 23 Apr 2024 15:12:33 +0200
+
+suricata (1:7.0.4-1) unstable; urgency=medium
+
+  * New upstream release.
+  * Bump versioned libhtp dependency to 0.5.47 or later.
+
+ -- Sascha Steinbiss <satta@debian.org>  Wed, 20 Mar 2024 13:41:22 +0100
+
+suricata (1:7.0.3-1) unstable; urgency=medium
+
+  * New upstream release.
+
+ -- Sascha Steinbiss <satta@debian.org>  Thu, 08 Feb 2024 23:22:40 +0100
+
+suricata (1:7.0.2-2) unstable; urgency=medium
+
+  * Enable DPDK feature and add dependencies on archs that support it.
+    Closes: #1061762
+
+ -- Sascha Steinbiss <satta@debian.org>  Fri, 02 Feb 2024 20:35:20 +0100
+
+suricata (1:7.0.2-1) unstable; urgency=medium
+
+  * New upstream release.
+
+ -- Sascha Steinbiss <satta@debian.org>  Thu, 19 Oct 2023 19:30:48 +0200
+
+suricata (1:7.0.1-1) unstable; urgency=medium
+
+  * New upstream release.
+
+ -- Sascha Steinbiss <satta@debian.org>  Fri, 15 Sep 2023 21:18:47 +0200
+
+suricata (1:7.0.0-2) unstable; urgency=medium
+
+  * Fix FTBFS on armel and mipsel by fixing -latomic addition in LDFLAGS.
+
+ -- Sascha Steinbiss <satta@debian.org>  Thu, 20 Jul 2023 11:03:07 +0200
+
+suricata (1:7.0.0-1) unstable; urgency=medium
+
+  * New upstream release.
+  * Drop Arturo Borrero Gonzalez from Uploaders at his request.
+  * Use new project website at suricata.io.
+  * Remove patches applied upstream.
+  * Change PCRE lib dependency to libpcre2.
+  * Bump versioned libhtp dependency to 0.5.45 or later.
+  * Bump versioned Rust dependency to 1.61 or later.
+  * Bump watchfile to version 4.
+  * Remove obsolete dependency on lsb-base.
+  * Remove obsolete entries in d/copyright.
+  * Remove versions in Conflicts/Replaces.
+  * Remove obsolete dh_strip override.
+  * Bump d/copyright dates.
+  * Update/fix Lintian overrides regarding eBPF file distribution.
+
+ -- Sascha Steinbiss <satta@debian.org>  Wed, 19 Jul 2023 10:14:37 +0200
+
+suricata (1:6.0.13-1) unstable; urgency=medium
+
+  * New upstream release.
+  * Raise libhtp minimum dependency version to 0.5.44.
+  * Bump Standards-Version.
+
+ -- Sascha Steinbiss <satta@debian.org>  Thu, 15 Jun 2023 23:45:03 +0200
+
+suricata (1:6.0.12-1) unstable; urgency=medium
+
+  * New upstream release.
+
+ -- Sascha Steinbiss <satta@debian.org>  Tue, 09 May 2023 15:58:02 +0200
+
+suricata (1:6.0.11-1) unstable; urgency=medium
+
+  * New upstream release.
+  * Raise libhtp minimum dependency version to 0.5.43.
+
+ -- Sascha Steinbiss <satta@debian.org>  Thu, 13 Apr 2023 23:53:02 +0200
+
+suricata (1:6.0.10-1) unstable; urgency=medium
+
+  * New upstream release.
+  * Drop patch applied upstream.
+
+ -- Sascha Steinbiss <satta@debian.org>  Tue, 31 Jan 2023 14:34:17 +0100
+
+suricata (1:6.0.9-1) unstable; urgency=medium
+
+  * New upstream release.
+  * Use manpages built from source instead of outdated bundled ones.
+
+ -- Sascha Steinbiss <satta@debian.org>  Tue, 29 Nov 2022 11:19:06 +0100
+
+suricata (1:6.0.8-1) unstable; urgency=medium
+
+  * New upstream release.
+  * Raise libhtp minimum dependency version to 0.5.41.
+  * Remove obsolete patch since Python scripts are installed differently
+    via upstream now.
+  * Add upstream metadata.
+
+ -- Sascha Steinbiss <satta@debian.org>  Tue, 27 Sep 2022 23:24:59 +0200
+
+suricata (1:6.0.6-2) unstable; urgency=medium
+
+  * Add patch to not use deprecated libbpf API. This prepares Suricata to be
+    ready for libbpf 1.0 when it hits unstable.
+    Closes: #1018914
+  * Raise libbpf dependency version requirement to 0.7.
+  * Refresh other patches.
+
+ -- Sascha Steinbiss <satta@debian.org>  Wed, 21 Sep 2022 18:39:53 +0200
+
+suricata (1:6.0.6-1) unstable; urgency=medium
+
+  * New upstream release.
+  * Drop patch applied upstream: bigendian-cidr.patch
+
+ -- Sascha Steinbiss <satta@debian.org>  Tue, 12 Jul 2022 16:57:16 +0200
+
+suricata (1:6.0.5-3) unstable; urgency=medium
+
+  * Add patch to handle undefined LEVEL1_DCACHE_LINESIZE.
+
+ -- Sascha Steinbiss <satta@debian.org>  Wed, 01 Jun 2022 11:33:06 +0200
+
+suricata (1:6.0.5-2) unstable; urgency=medium
+
+  * Introduce patch to fix segfaulting autopkgtests on s390x.
+
+ -- Sascha Steinbiss <satta@debian.org>  Thu, 28 Apr 2022 08:51:06 +0200
+
+suricata (1:6.0.5-1) unstable; urgency=medium
+
+  * New upstream release.
+  * Raise libhtp minimum dependency version to 0.5.40.
+
+ -- Sascha Steinbiss <satta@debian.org>  Thu, 21 Apr 2022 19:53:32 +0200
+
+suricata (1:6.0.4-3) unstable; urgency=medium
+
+  * Remove suricata-oinkmaster binary package.
+
+ -- Sascha Steinbiss <satta@debian.org>  Tue, 14 Dec 2021 15:24:47 +0100
+
+suricata (1:6.0.4-2) unstable; urgency=medium
+
+  * Raise libhtp minimum dependency version to 0.5.39.
+
+ -- Sascha Steinbiss <satta@debian.org>  Thu, 18 Nov 2021 22:57:47 +0100
+
+suricata (1:6.0.4-1) unstable; urgency=medium
+
+  * New upstream release.
+
+ -- Sascha Steinbiss <satta@debian.org>  Thu, 18 Nov 2021 22:00:08 +0100
+
+suricata (1:6.0.3-2) unstable; urgency=medium
+
+  * Use 'command -v' instead of 'which' in suricata-oinkmaster cron file.
+    This avoids a runtime deprecation warning on recent versions, and fixes
+    piuparts cron job tests.
+
+ -- Sascha Steinbiss <satta@debian.org>  Mon, 30 Aug 2021 20:56:18 +0200
+
+suricata (1:6.0.3-1) unstable; urgency=medium
+
+  * Upload to unstable post-release.
+  * Remove patch applied upstream.
+
+ -- Sascha Steinbiss <satta@debian.org>  Wed, 18 Aug 2021 16:33:31 +0200
+
+suricata (1:6.0.3-1~exp2) experimental; urgency=medium
+
+  * Also use libatomic workaround on powerpc.
+
+ -- Sascha Steinbiss <satta@debian.org>  Thu, 01 Jul 2021 19:44:53 +0200
+
+suricata (1:6.0.3-1~exp1) experimental; urgency=medium
+
+  * New upstream release.
+  * Bump Standards-Version.
+  * Add Rules-Requires-Root: no.
+  * Raise libhtp minimum version B-D to 0.5.38.
+
+ -- Sascha Steinbiss <satta@debian.org>  Wed, 30 Jun 2021 23:51:24 +0200
+
+suricata (1:6.0.2-1~exp1) experimental; urgency=medium
+
+  * Fix conditional variable use in d/rules.
+  * New upstream release.
+  * Use libhtp 0.5.37.
+
+ -- Sascha Steinbiss <satta@debian.org>  Fri, 11 Dec 2020 09:45:02 +0100
+
+suricata (1:6.0.1-3) unstable; urgency=medium
+
+  * Address CVE-2021-35063 by backporting upstream fix.
+    Closes: #990835
+
+ -- Sascha Steinbiss <satta@debian.org>  Mon, 19 Jul 2021 13:26:22 +0200
+
+suricata (1:6.0.1-2) unstable; urgency=medium
+
+  * Also specify explicit separate '-latomic' reference on mipsel.
+    This addresses a remaining FTBFS there.
+
+ -- Sascha Steinbiss <satta@debian.org>  Fri, 11 Dec 2020 09:35:57 +0100
+
+suricata (1:6.0.1-1) unstable; urgency=medium
+
+  * New upstream release.
+  * Disable Prelude support.
+    This is broken upstream, see https://redmine.openinfosecfoundation.org/issues/4065
+  * Bump libhtp dependency to 0.5.36.
+  * Disable suricata-update, as it is a separate package in Debian.
+  * Add patches to fix builds with new Autoconf scripts.
+  * Use debhelper 13.
+  * Include upstream's man pages.
+  * Add workaround for missing '-latomic' symbols on armel.
+
+ -- Sascha Steinbiss <satta@debian.org>  Thu, 08 Oct 2020 22:23:17 +0200
+
+suricata (1:5.0.3-1) unstable; urgency=medium
+
+  * New upstream release.
+  * Use /run instead of /var/run for pidfiles. Thanks to Michael Berg for the
+    patch.
+    Closes: #954435
+  * Bump libhtp dependency to 0.5.33.
+  * Remove nonexistent Files entries in d/copyright.
+  * Use correct DEB_LDFLAGS_MAINT_APPEND in d/rules..
+
+ -- Sascha Steinbiss <satta@debian.org>  Wed, 29 Apr 2020 09:34:49 +0200
+
+suricata (1:5.0.2-3) unstable; urgency=medium
+
+  * Source upload to enable testing migration.
+  * Bump Standards-Version.
+
+ -- Sascha Steinbiss <satta@debian.org>  Sat, 22 Feb 2020 12:47:50 +0100
+
+suricata (1:5.0.2-2) unstable; urgency=medium
+
+  * Add --allow-multiple-definition linker flag to work around FTBFS on armel.
+    Closes: #951765
+
+ -- Sascha Steinbiss <satta@debian.org>  Sat, 22 Feb 2020 12:23:52 +0100
+
+suricata (1:5.0.2-1) unstable; urgency=medium
+
+  * New upstream release.
+    Closes: #951654
+  * Add patch from upstream to build without needing if_tunnel.h.
+    This avoids a potentially foreign arch build-dep for eBPF builds.
+    Thanks to Eric Leblond.
+  * Drop patches applied upstream.
+  * Use debhelper-compat.
+  * Mark autopkgtests requiring a control socket as potentially flaky.
+    We cannot always predict the timing on all archs and do not want to
+    use them for CI gating.
+    Closes: #951721
+  * Bring d/copyright up to date with current code base.
+
+ -- Sascha Steinbiss <satta@debian.org>  Thu, 20 Feb 2020 14:55:23 +0100
+
+suricata (1:4.1.5-2) unstable; urgency=medium
+
+  * Add versioned Depends on at least libhtp version used for building.
+
+ -- Sascha Steinbiss <satta@debian.org>  Wed, 09 Oct 2019 13:13:40 +0200
+
+suricata (1:4.1.5-1) unstable; urgency=medium
+
+  * New upstream release.
+
+ -- Sascha Steinbiss <satta@debian.org>  Wed, 25 Sep 2019 10:24:50 +0200
+
+suricata (1:4.1.4-7) unstable; urgency=medium
+
+  * Prevent file clash with other packages writing into the Python3
+    module root directory (suricata/__init__.py).
+  * Add patch to make suricatactl Python3-compatible.
+
+ -- Sascha Steinbiss <satta@debian.org>  Wed, 18 Sep 2019 20:55:51 +0200
+
+suricata (1:4.1.4-6) unstable; urgency=medium
+
+  * Make Python components use Python3.
+    Closes: #938603
+
+ -- Sascha Steinbiss <satta@debian.org>  Sat, 07 Sep 2019 17:47:44 +0200
+
+suricata (1:4.1.4-5) unstable; urgency=medium
+
+  * Add patch to fix FTBFS on recent kernels. Thanks to Aurelien Jarno for
+    pointing this out.
+    Closes: #934316
+
+ -- Sascha Steinbiss <satta@debian.org>  Mon, 12 Aug 2019 12:48:29 +0200
+
+suricata (1:4.1.4-4) unstable; urgency=medium
+
+  [ Hilko Bengen ]
+  * Patch: add --with-ebpf-includes, point to proper include directory for
+    kernel headers, fixing FTBFS on i386
+
+  [ Sascha Steinbiss ]
+  * Only build eBPF programs on archs with available dependencies.
+
+ -- Sascha Steinbiss <satta@debian.org>  Wed, 24 Jul 2019 10:34:25 +0200
+
+suricata (1:4.1.4-3) unstable; urgency=medium
+
+  * Fix cross building by including patch that addresses abuse of
+    AC_CHECK_FILE. Thanks to Helmut Grohne for the patch.
+    Closes: #923174
+  * Enable building with eBPF support.
+    Thanks to Hilko Bengen for the patch.
+    Closes: #917816
+  * Create temporary CARGO_HOME to allow building with new cargo
+    versions when $HOME is nonexistent.
+  * Make autopkgtest more robust when external resources are unavailable.
+    Closes: #932463
+  * Bump debhelper and compat to 12.
+  * Add Pre-Depends by Lintian's suggestion.
+
+ -- Sascha Steinbiss <satta@debian.org>  Tue, 09 Jul 2019 16:47:49 +0200
+
+suricata (1:4.1.4-2) unstable; urgency=medium
+
+  * Do not install suricata-update, recommend external pkg instead.
+    Closes: #924096
+
+ -- Sascha Steinbiss <satta@debian.org>  Thu, 02 May 2019 17:15:48 +0200
+
+suricata (1:4.1.4-1) unstable; urgency=medium
+
+  * New upstream version 4.1.4
+    - Bugs and security fixes
+  * Refreshed quilt patches
+
+ -- Pierre Chifflier <pollux@debian.org>  Wed, 01 May 2019 11:44:13 +0200
+
+suricata (1:4.1.3-1) unstable; urgency=medium
+
+  * New upstream version 4.1.3
+  * Refreshed quilt patches
+
+ -- Pierre Chifflier <pollux@debian.org>  Fri, 08 Mar 2019 10:24:43 +0100
+
+suricata (1:4.1.2-2) unstable; urgency=medium
+
+  * Upload to unstable.
+
+ -- Sascha Steinbiss <satta@debian.org>  Wed, 09 Jan 2019 12:53:47 +0100
+
+suricata (1:4.1.2-1) experimental; urgency=medium
+
+  * New upstream release.
+  * Add myself to uploaders.
+  * Do not remove Rust vendor directory on distclean (Closes: #915154)
+
+ -- Sascha Steinbiss <satta@debian.org>  Sun, 23 Dec 2018 10:48:27 +0000
+
+suricata (1:4.1.0-2) experimental; urgency=medium
+
+  * Disable Rust on armel for now (FTBFS)
+  * Add liblz4-dev to build-deps to enable pcap compression
+  * Update build-dependency on python:any to fix FTCBFS (Closes: #909606)
+
+ -- Pierre Chifflier <pollux@debian.org>  Mon, 26 Nov 2018 11:07:08 +0100
+
+suricata (1:4.1.0-1) experimental; urgency=medium
+
+  [ Arturo Borrero Gonzalez ]
+  * libhtp: bump soname to libhtp-0.5.24-1
+
+  [ Pierre Chifflier ]
+  * New upstream version 1:4.1.0
+  * Refreshed quilt patches
+  * Update python code directory
+  * Enable rust support (i386 and amd64 only for now)
+  * Also enable Rust on ARM architectures
+
+ -- Pierre Chifflier <pollux@debian.org>  Thu, 15 Nov 2018 13:29:23 -0800
+
+suricata (1:4.0.6-1) unstable; urgency=medium
+
+  * New upstream version 1:4.0.6
+
+ -- Pierre Chifflier <pollux@debian.org>  Mon, 12 Nov 2018 09:19:39 +0100
+
+suricata (1:4.0.5-1) unstable; urgency=medium
+
+  [ Sascha Steinbiss ]
+  * Add patches to help with cross-compiling. Thanks to Helmut Grohne
+    for the patch.
+    Closes: #895996
+  * Add patches to fix building on ia64.
+    Thanks to Jason Duerstock and Adrian Bunk for the patches.
+    Closes: #890432
+  * Fix spelling in debian/patches/reproducible.patch.
+  * Remove obsolete X-Python-Version hint.
+  * Use updated watchfile source URL with https support.
+  * Remove obsolete --parallel dh parameter.
+  * Use canonical Salsa Vcs-Git URL.
+
+  [ Pierre Chifflier ]
+  * New upstream version 1:4.0.5
+
+ -- Pierre Chifflier <pollux@debian.org>  Wed, 18 Jul 2018 17:14:02 +0200
+
+suricata (1:4.0.4-1) unstable; urgency=medium
+
+  * [3f18cd8] d/control: refresh git URLs
+  * [17da106] New upstream version 4.0.4 (Closes: #889842) fixes CVE-2018-6794
+  * [00fcf17] d/compat: bump debhelper compat level to 11
+  * [45dc0db] d/control: bump std-version to 4.1.3
+
+ -- Arturo Borrero Gonzalez <arturo@debian.org>  Wed, 14 Feb 2018 11:33:33 +0100
+
+suricata (1:4.0.3-1) unstable; urgency=medium
+
+  [ Sascha Steinbiss ]
+  * [aece4d6] New upstream version 4.0.3
+  * [c23b64f] refresh patches
+
+  [ Arturo Borrero Gonzalez ]
+  * [7f077ca] d/control: bump std-version to 4.1.2
+
+ -- Arturo Borrero Gonzalez <arturo@debian.org>  Wed, 13 Dec 2017 11:42:18 +0100
+
+suricata (1:4.0.1-2) unstable; urgency=medium
+
+  * [d9998f8] suricata-oinkmaster.conf: update ETOPEN ruleset for suricata 4.0.0
+    (Closes: #882442)
+  * [0beae03] suricata-oinkmaster-updater.8: fix typos
+  * [6e7ae75] d/: get rid of dh --with autotools-dev
+
+ -- Arturo Borrero Gonzalez <arturo@debian.org>  Thu, 23 Nov 2017 13:41:09 +0100
+
+suricata (1:4.0.1-1) unstable; urgency=medium
+
+  * [72d28e5] d/control: upgrade std-version to 4.1.0
+  * [ea1e317] d/control: upgrade std-version to 4.1.1
+  * [14fea39] d/: switch to debhelper compat 10
+  * [a4715b8] New upstream version 4.0.1
+
+ -- Arturo Borrero Gonzalez <arturo@debian.org>  Sat, 21 Oct 2017 12:09:27 +0200
+
+suricata (1:4.0.0-5) unstable; urgency=medium
+
+  * [392c5b2] d/t/control: allow-stderr for the internal unittest test
+
+ -- Arturo Borrero Gonzalez <arturo@debian.org>  Wed, 20 Sep 2017 20:27:12 +0200
+
+suricata (1:4.0.0-4) unstable; urgency=medium
+
+  * [93ee9030] d/control: enable libluajit-5.1-dev build-dep on mipsel
+    (Closes: #873832)
+  * [9527fe94] d/t/control: run suricata -u from the source tree
+
+ -- Arturo Borrero Gonzalez <arturo@debian.org>  Fri, 08 Sep 2017 06:06:47 +0200
+
+suricata (1:4.0.0-3) unstable; urgency=medium
+
+  [ Arturo Borrero Gonzalez ]
+  * [aa53ce82] suricata-oinkmaster-updater.8: fix typo
+  * [2d171d5a] suricata-oinkmaster-updater.8: clarify paragraph
+  * [90c76777] d/rules: disable dh_auto_test
+  * [5b311761] suricata: switch to use dbgsym package
+  * [9b12c48d] d/control: bump std-versions to 4.0.1
+
+  [ Sascha Steinbiss ]
+  * [c353985a] enable libevent support (Closes: #872908)
+  * [49ff3181] enable luajit on mipsel (Closes: #858545)
+
+  [ Arturo Borrero Gonzalez ]
+  * [50ab7eae] suricata.service: update online docs link
+  * [5098fd7b] d/control: add dh-python to build-deps
+  * [f070d160] d/watch: implement signature verification
+
+ -- Arturo Borrero Gonzalez <arturo@debian.org>  Tue, 29 Aug 2017 23:22:48 +0200
+
+suricata (1:4.0.0-2) unstable; urgency=medium
+
+  * [449b4202] d/t/control: running suricata unittest requires
+    geoip-database installed
+  * [0bd02487] d/building-in-ci.sh: be more robust
+  * [edd49e4a] d/watch: more robust approach for upstream tarball generation
+
+ -- Arturo Borrero Gonzalez <arturo@debian.org>  Tue, 15 Aug 2017 13:45:45 +0200
+
+suricata (1:4.0.0-1) unstable; urgency=medium
+
+  * [636f10f] d/rules: actually use dh-systemd (Closes: #861732)
+  * [c728ed0] d/rules: cleanup comments
+  * [f0d9adb] suricata: switch to src:libhtp instead of the bundled one
+  * [fa5f8be] New upstream version 4.0.0-rc1
+  * [fac7566] suricata: remove Build-Conflict with libhtp-dev
+  * [1bce782] suricata: explicit build-dep on new src:libhtp
+  * [f3aec1c] d/suricata.preinst: use strict mode (Closes: #866280)
+  * [c831659] suricata: support for internal unittest in autopktest
+  * [557ded7] New upstream version 4.0.0
+  * [5d41b6c] d/t/control: the internal suricata unittest is a command test
+  * [7f4feaa] d/changelog: add missing entry for 4.0.0-beta1-1~exp1
+
+ -- Arturo Borrero Gonzalez <arturo@debian.org>  Fri, 28 Jul 2017 05:29:48 +0200
+
+suricata (4.0.0-beta1-1~exp1) unstable; urgency=medium
+
+  * [c21347df] New upstream version 4.0.0-beta1
+  * [5661b3cc] libhtp: bump soname to libhtp-0.5.24-1
+
+ -- Arturo Borrero Gonzalez <arturo@debian.org>  Fri, 09 Jun 2017 20:52:10 +0200
+
+suricata (3.2.1-1) unstable; urgency=medium
+
+  [ Arturo Borrero Gonzalez ]
+  * Rebuild for unstable from 3.2.1-1~exp2 (experimental).
+
+  [ Sascha Steinbiss ]
+  * [d0c3629] detect valid interface in autopkgtest
+  * [2d3ae00] fix typo in service file
+
+ -- Arturo Borrero Gonzalez <arturo@debian.org>  Thu, 16 Mar 2017 09:04:03 +0100
+
+suricata (3.2.1-1~exp2) experimental; urgency=medium
+
+  [ Sascha Steinbiss ]
+  * [ced48e4] suricata: migrate from old split binary scheme (Closes: #855573)
+
+ -- Arturo Borrero Gonzalez <arturo@debian.org>  Mon, 20 Feb 2017 13:29:37 +0100
+
+suricata (3.2.1-1~exp1) experimental; urgency=medium
+
+  * [67004c8] New upstream version 3.2.1
+  * [05b1756] d/control: bump dependency on libhyperscan
+  * [4483d1c] suricata: drop suricata-hyperscan binary package (Closes: #851647)
+
+ -- Arturo Borrero Gonzalez <arturo@debian.org>  Wed, 15 Feb 2017 20:54:17 +0100
+
+suricata (3.2-2) unstable; urgency=medium
+
+  * Rebuild for unstable.
+
+ -- Arturo Borrero Gonzalez <arturo@debian.org>  Tue, 10 Jan 2017 09:27:59 +0100
+
+suricata (3.2-2~exp1) experimental; urgency=medium
+
+  [ Sascha Steinbiss ]
+  * [8c7704d] suricata: add hyperscan support (Closes: #846143)
+
+  [ Arturo Borrero Gonzalez ]
+  * [209d2cf] suricata: add remaining hyperscan support
+
+  [ Sascha Steinbiss ]
+  * [ec9b28a] set +x bit on d/suricata-hyperscan.install
+
+ -- Arturo Borrero Gonzalez <arturo@debian.org>  Thu, 22 Dec 2016 09:01:29 +0100
+
+suricata (3.2-1) unstable; urgency=medium
+
+  [ Arturo Borrero Gonzalez ]
+  * [04f5cc3] d/control: update suricata homepage to suricata-ids.org
+    (Closes: #844603)
+
+  [ Sascha Steinbiss ]
+  * [b1cd09c] d/t/control: add some time to settle in autopkgtest
+
+  [ Arturo Borrero Gonzalez ]
+  * [dde83f1] New upstream version 3.2
+  * [c55dda2] d/patches/debian-default-cfg.patch: refresh patch
+
+ -- Arturo Borrero Gonzalez <arturo@debian.org>  Thu, 01 Dec 2016 16:22:50 +0100
+
+suricata (3.1.3-3) unstable; urgency=medium
+
+  * [e7a248d] d/tests/control: allow-stderr in the suricata-oinkmaster-updater
+    command
+  * [2caf89b] d/control: make libhtp packages Multi-Arch: same
+  * [825cef4] d/libhtp-0.5.23-1.lintian-overrides: generalize override
+
+ -- Arturo Borrero Gonzalez <arturo@debian.org>  Thu, 10 Nov 2016 09:42:29 +0100
+
+suricata (3.1.3-2) unstable; urgency=medium
+
+  * [5c395f9] d/tests/control: rearange suricatasc command tests
+  * [789723b] d/tests/control: fix typo in test command 'suricatas'
+  * [353e030] d/changelog: clean word with typo from the changelog
+  * [b4cf113] d/: add libhtp-0.5.23-1.lintian-overrides
+
+ -- Arturo Borrero Gonzalez <arturo@debian.org>  Wed, 09 Nov 2016 13:44:17 +0100
+
+suricata (3.1.3-1) unstable; urgency=medium
+
+  [ Arturo Borrero Gonzalez ]
+  * [165d14e] suricata-oinkmaster: move the update script to /usr/sbin
+    (Closes: #838129)
+  * [2e21734] d/tests/control: add a basic test for suricata-oinkmaster-updater
+  * [be640f3] suricata: split libhtp to separate binary packages
+  * [c41567a] suricata-oinkmaster: add manpage for suricata-oinkmaster-updater
+  * [b5b6483] d/copyright: refresh file
+  * [2be2225] d/control: add references to IPS and firewall
+  * [bd6a9ed] d/: add symbols file for libhtp
+  * [f61be7d] suricata-oinkmaster-updater.8: fix typo
+  * [ead4a84] d/: update email address to 'arturo@debian.org'
+  * [36d9b9d] d/: refresh date of manpages
+
+  [ Sascha Steinbiss ]
+  * [da1c3c6] d/suricata.logrotate: use 'copytruncate' instead of 'create'
+
+  [ Arturo Borrero Gonzalez ]
+  * [cd9d5d4] New upstream version 3.1.3
+  * [f32a582] libhtp: symbols: refresh file
+  * [1e3edb0] libhtp: bump soname
+  * [d46497e] d/control: suricata depends on lsb-base
+  * [08a6195] d/copyright: refresh copyright owner for some libhtp files
+
+ -- Arturo Borrero Gonzalez <arturo@debian.org>  Tue, 08 Nov 2016 08:51:58 +0100
+
+suricata (3.1.2-2) unstable; urgency=medium
+
+  * [482c6f6] d/tests/control: allow-stderr for systemd-service-test.sh
+  * [a4eff10] d/tests/control: add tests for suricatasc
+  * [892096c] d/suricata.8: fix typo 'inet' vs 'init'
+
+ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>  Thu, 08 Sep 2016 12:46:44 +0200
+
+suricata (3.1.2-1) unstable; urgency=medium
+
+  * [4e0605d] Revert "suricata: drop support for sysvinit"
+  * [f5abe38] d/patches: add reproducible.patch.
+    Thanks to Christoph Berg <myon@debian.org> for the pointers.
+  * [6569809] New upstream version 3.1.2
+  * [5fea3a6] d/suricata.service: include Restart=on-failure
+  * [d1a973d] d/suricata.service: add ProtectSystem=full and ProtectHome=true
+  * [8e1cddd] d/tests/systemd-service-test.sh: don't test the reload operation by now
+  * [87c00b1] d/suricata.maintscript: factorize renaming of old config file
+    (Closes: #835643)
+  * [55c7a32] d/oinkmaster/suricata-oinkmaster-updater: drop warnings
+  * [7651669] d/oinkmaster/suricata-oinkmaster-updater: cleanup file
+
+ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>  Wed, 07 Sep 2016 13:25:13 +0200
+
+suricata (3.1.1-4) unstable; urgency=medium
+
+  * [c9b6efd] d/tests/: add new systemd-service-test.sh test
+  * [848a40f] d/README.Debian: this is not a beta release
+  * [0afb007] d/README.Debian: update file with systemd information
+  * [234ec55] d/suricata.8: update manpage
+  * [ebd6a8a] suricata: drop support for sysvinit
+  * [d8fae07] d/suricata.service: get rid of environment variables
+  * [5fe5359] d/suricata.service: use suricatasc for stop and reload
+  * [2ffd606] d/tests/systemd-service-test.sh: add tests for daemon reload
+  * [5196c36] d/suricata.service: require network-online.target (Closes:
+    #835168)
+
+ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>  Thu, 25 Aug 2016 14:14:20 +0200
+
+suricata (3.1.1-3) unstable; urgency=medium
+
+  * [22d26a5] suricata-oinkmaster-updater: prevent bogus if evaluation
+  * [4805c7a] suricata-oinkmaster-updater: dont exit with error if missing
+    requirements (Closes: #834029)
+
+ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>  Tue, 16 Aug 2016 13:53:12 +0200
+
+suricata (3.1.1-2) unstable; urgency=medium
+
+  * [833f1c5] d/: add new binary package suricata-oinkmaster
+  * [6155001] d/suricata.service: remove duplicated -D switch in
+    ExecStart=
+  * [6ebbd82] d/patches: add debian-default-cfg.patch [enable unix socket
+    by default]
+  * [2286eb4] d/suricatasc.1: update manpage
+
+ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>  Thu, 28 Jul 2016 13:21:30 +0200
+
+suricata (3.1.1-1) unstable; urgency=medium
+
+  * [cafb099] d/suricata: rename suricata main conffile to
+    /etc/suricata/suricata.yaml
+  * [445c957] suricata: add systemd service file
+  * [94b93bf] Imported Upstream version 3.1.1
+
+ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>  Mon, 25 Jul 2016 11:12:03 +0200
+
+suricata (3.1-1) unstable; urgency=medium
+
+  * [d2cce67] d/control: add Vcs-Browser and Vcs-Git information
+  * [8bb2030] Imported Upstream version 3.1
+
+ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>  Tue, 21 Jun 2016 11:00:55 +0200
+
+suricata (3.0.1-2) unstable; urgency=medium
+
+  * [178f3cf] suricata: add libgeoip support
+  * [c8a0a0a] d/control: bump std-version to 3.9.8
+  * [523203d] d/control: wrap-and-sort
+  * [e5abae9] suricata: add hiredis support
+  * [9ec82b8] d/control: get rid of XS-Testsuite directive
+
+ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>  Mon, 23 May 2016 11:39:40 +0200
+
+suricata (3.0.1-1) unstable; urgency=medium
+
+  * Imported Upstream version 3.0.1
+  * Bump Standards Version to 3.9.7
+
+ -- Pierre Chifflier <pollux@debian.org>  Fri, 08 Apr 2016 10:58:35 +0200
+
+suricata (3.0-1) unstable; urgency=medium
+
+  * Imported Upstream version 3.0
+
+ -- Pierre Chifflier <pollux@debian.org>  Thu, 28 Jan 2016 06:02:41 +0100
+
+suricata (2.0.11-1) unstable; urgency=medium
+
+  * Imported Upstream version 2.0.11
+
+ -- Pierre Chifflier <pollux@debian.org>  Thu, 07 Jan 2016 10:17:16 +0100
+
+suricata (2.0.10-2) unstable; urgency=medium
+
+  [ Arturo Borrero Gonzalez ]
+  * d/copyright: update file to follow Debian Policy 3.9.6.1
+  * d/control: bump standards to 3.9.6
+  * suricata: add nflog support (Closes: #775074)
+  * d/: wrap-and-sort
+  * d/control: architecture is linux-any
+  * d/rules: don't include upstream install documentation
+  * d/tests: add first basic test
+  * d/control: add missing Testsuite declaration
+  * suritaca: add package suricata-dbg (Closes: #753438)
+  * suricata sysvinit: fix libtcmalloc-minimal integration (Closes: #725249)
+  * d/suricata.init: cleanup file
+  * suricatasc: add manpage
+
+  [ Pierre Chifflier ]
+  * Merge unstable-next branch
+  * Fix dependencies and priority for -dbg package
+  * Install manpage for suricatasc
+
+ -- Pierre Chifflier <pollux@debian.org>  Tue, 05 Jan 2016 21:02:40 +0100
+
+suricata (2.0.10-1) unstable; urgency=medium
+
+  * Imported Upstream version 2.0.10
+
+ -- Pierre Chifflier <pollux@debian.org>  Thu, 26 Nov 2015 10:35:53 +0100
+
+suricata (2.0.9-1) unstable; urgency=medium
+
+  * Imported Upstream version 2.0.9
+  * Update watch file
+
+ -- Pierre Chifflier <pollux@debian.org>  Fri, 25 Sep 2015 19:19:53 +0200
+
+suricata (2.0.8-1) unstable; urgency=high
+
+  [ Arturo Borrero Gonzalez ]
+  * d/suricata.logrotate: add logrotate configuration (Closes: #767249)
+  * d/patches: patch suricatasc to prevent depends on python-symplejson
+    (Closes: #759475)
+  * Revert "d/patches: patch suricatasc to prevent depends on python-symplejson"
+
+  [ Pierre Chifflier ]
+  * Imported Upstream version 2.0.8
+  * Bump Standards Version to 3.9.6
+    Fixes CVE-2015-0971 (Integer overflow in the DER parser)
+
+ -- Pierre Chifflier <pollux@debian.org>  Thu, 07 May 2015 11:03:19 +0200
+
+suricata (2.0.7-2) unstable; urgency=medium
+
+  [ Arturo Borrero Gonzalez ]
+  * d/suricata.init: fix proc nfqueue file checking (Closes: #725301)
+
+  [ Pierre Chifflier ]
+  * Check for both proc entries for nfqueue (backwards compatibility) and
+    issue warning only
+
+ -- Pierre Chifflier <pollux@debian.org>  Sun, 15 Mar 2015 11:17:27 +0100
+
+suricata (2.0.7-1) unstable; urgency=medium
+
+  [ Pierre Chifflier ]
+  * Imported Upstream version 2.0.7
+  * Fix problems with upstream version import
+
+ -- Pierre Chifflier <pollux@debian.org>  Thu, 12 Mar 2015 07:06:49 +0100
+
+suricata (2.0.6-3) unstable; urgency=medium
+
+  [ Arturo Borrero Gonzalez ]
+  * suricata: don't deploy .so links
+
+  [ Pierre Chifflier ]
+  * Add missing installation files (Closes: #778724)
+  * Fix .so symlinks removal
+  * Update default-rules-path
+
+ -- Pierre Chifflier <pollux@debian.org>  Thu, 19 Feb 2015 11:55:05 +0100
+
+suricata (2.0.6-2) unstable; urgency=medium
+
+  [ Arturo Borrero Gonzalez ]
+  * d/patches: drop 10-fix-missing-script-autoreconf.patch (Closes: #778670)
+  * d/rules: prevent not .so libhtp files from entering binary suricata package
+
+  [ Pierre Chifflier ]
+  * Add conflicts/replaces fields for transition from libhtp (Closes: #778668)
+
+ -- Pierre Chifflier <pollux@debian.org>  Wed, 18 Feb 2015 11:19:31 +0100
+
+suricata (2.0.6-1) unstable; urgency=medium
+
+  [ Pierre Chifflier ]
+  * Imported Upstream version 2.0.6
+  * Add Arturo to uploaders
+
+  [ Arturo Borrero Gonzalez ]
+  * suricata: use embedded copy of libhtp (Closes: #772551)
+
+ -- Pierre Chifflier <pollux@debian.org>  Tue, 17 Feb 2015 11:31:22 +0100
+
+suricata (2.0.4-1) unstable; urgency=high
+
+  * Imported Upstream version 2.0.4
+  * Security: fix out-of-bounds access in SSH parser (Closes: #762828)
+  * Urgency high, CVE-2014-6603
+    Stable and Oldstable versions are not affected.
+
+ -- Pierre Chifflier <pollux@debian.org>  Fri, 10 Oct 2014 13:19:59 +0200
+
+suricata (2.0.3-1) unstable; urgency=medium
+
+  * Imported Upstream version 2.0.3
+
+ -- Pierre Chifflier <pollux@debian.org>  Wed, 20 Aug 2014 15:06:21 +0200
+
+suricata (2.0.2-1) unstable; urgency=medium
+
+  * Imported Upstream version 2.0.2
+
+ -- Pierre Chifflier <pollux@debian.org>  Sun, 29 Jun 2014 18:27:56 +0200
+
+suricata (2.0-1) unstable; urgency=medium
+
+  * Imported Upstream version 2.0
+  * Update build, require a recent libhtp, and disable coccinelle tests.
+  * Upload to unstable
+
+ -- Pierre Chifflier <pollux@debian.org>  Wed, 02 Apr 2014 20:23:10 +0200
+
+suricata (1.4.7-1) unstable; urgency=low
+
+  * Imported Upstream version 1.4.7
+  * Bump Standards Version to 3.9.5
+  * Run autoreconf during build to fix some errors caused by different
+    autotools versions
+
+ -- Pierre Chifflier <pollux@debian.org>  Sun, 29 Dec 2013 11:29:57 +0100
+
+suricata (1.4.6-1) unstable; urgency=low
+
+  * Imported Upstream version 1.4.6
+
+ -- Pierre Chifflier <pollux@debian.org>  Sun, 06 Oct 2013 18:52:34 +0200
+
+suricata (1.4.5-1) unstable; urgency=low
+
+  * Imported Upstream version 1.4.5
+  * Prepare transition for suricata 2.0 by conflicting with libhtp >= 0.5
+
+ -- Pierre Chifflier <pollux@debian.org>  Tue, 20 Aug 2013 16:44:45 +0200
+
+suricata (1.4.3-1) unstable; urgency=low
+
+  * Imported Upstream version 1.4.3
+
+ -- Pierre Chifflier <pollux@debian.org>  Thu, 04 Jul 2013 11:50:13 +0200
+
+suricata (1.4.2-1) unstable; urgency=low
+
+  * Imported Upstream version 1.4.2
+
+ -- Pierre Chifflier <pollux@debian.org>  Wed, 29 May 2013 16:24:52 +0200
+
+suricata (1.4.1-1) unstable; urgency=low
+
+  * Imported Upstream version 1.4.1
+  * Install python control script (add dependency on python, and use
+    dh_python2 for build)
+  * Bump Standards Version to 3.9.4
+  * Fix removal of pid file in init script (Closes: #700547)
+    Thanks to Ð˜Ð³Ð¾Ñ€ÑŒ ÐšÐ¾Ð·Ð¸Ð½Ð¾Ð² <madvampik@gmail.com>.
+  * Add support for af-packet mode in init script (Closes: #697928).
+    Thanks to Jamie Strandboge <jamie@ubuntu.com>.
+
+ -- Pierre Chifflier <pollux@debian.org>  Tue, 21 May 2013 12:42:45 +0200
+
+suricata (1.4-3) unstable; urgency=low
+
+  * Add configure flag for luajit only on supported architectures
+
+ -- Pierre Chifflier <pollux@debian.org>  Sat, 22 Dec 2012 16:38:41 +0100
+
+suricata (1.4-2) unstable; urgency=low
+
+  * Fix error in init script, stop trying to manage suricata pid file
+  * Use arch-specific build dependencies for libluajit-5.1-dev, it is not
+    available on all architectures
+
+ -- Pierre Chifflier <pollux@debian.org>  Sat, 22 Dec 2012 15:39:57 +0100
+
+suricata (1.4-1) unstable; urgency=low
+
+  * Imported Upstream version 1.4
+  * Enable Jansson and LuaJIT support, and add libjansson-dev libluajit-5.1-dev
+    to build-deps
+  * Add python to recommends, for the suricatasc script
+  * Create /var/run/suricata directory when starting daemon
+
+ -- Pierre Chifflier <pollux@debian.org>  Fri, 14 Dec 2012 00:02:51 +0100
+
+suricata (1.3.5-1) unstable; urgency=low
+
+  * Imported Upstream version 1.3.5
+
+ -- Pierre Chifflier <pollux@debian.org>  Thu, 06 Dec 2012 21:13:56 +0100
+
+suricata (1.3.4-1) unstable; urgency=low
+
+  * Imported Upstream version 1.3.4
+
+ -- Pierre Chifflier <pollux@debian.org>  Sat, 17 Nov 2012 09:56:08 +0100
+
+suricata (1.3.3-1) unstable; urgency=low
+
+  * Imported Upstream version 1.3.3
+
+ -- Pierre Chifflier <pollux@debian.org>  Sat, 03 Nov 2012 09:38:36 +0100
+
+suricata (1.3.2-1) unstable; urgency=low
+
+  * Imported Upstream version 1.3.2
+
+ -- Pierre Chifflier <pollux@debian.org>  Sat, 13 Oct 2012 12:18:33 +0200
+
+suricata (1.3-1) unstable; urgency=low
+
+  * Imported Upstream version 1.3
+  * Add build-dependency on libnss3-dev and libnspr4-dev
+  * Bump Standards Version to 3.9.3
+
+ -- Pierre Chifflier <pollux@debian.org>  Sun, 22 Jul 2012 22:27:36 +0200
+
+suricata (1.2.1-2) unstable; urgency=low
+
+  * Use override targets in rules files (Closes: #666330)
+  * Add support for parallel build in debian/rules
+
+ -- Pierre Chifflier <pollux@debian.org>  Thu, 12 Apr 2012 01:56:48 +0200
+
+suricata (1.2.1-1) unstable; urgency=low
+
+  * Imported Upstream version 1.2.1
+  * Add libmagic-dev to build-deps
+  * Convert to DH version 9
+    - Switch from hardening-wrapper to dpkg-buildflags
+
+ -- Pierre Chifflier <pollux@debian.org>  Mon, 23 Jan 2012 21:47:26 +0100
+
+suricata (1.1.1-2) unstable; urgency=low
+
+  * Add *.config files to default installation
+  * Trigger rebuild with libhtp versioned symbols
+
+ -- Pierre Chifflier <pollux@debian.org>  Thu, 05 Jan 2012 08:20:24 +0100
+
+suricata (1.1.1-1) unstable; urgency=low
+
+  * Imported Upstream version 1.1.1
+  * Add configure option --enable-af-packet
+
+ -- Pierre Chifflier <pollux@debian.org>  Wed, 07 Dec 2011 21:52:53 +0100
+
+suricata (1.1-1) unstable; urgency=low
+
+  * Imported Upstream version 1.1
+  * Add instructions on getting new rules using oinkmaster
+  * Add Recommends on oinkmaster
+  * Move snort-rules-default to Recommends
+
+ -- Pierre Chifflier <pollux@debian.org>  Thu, 17 Nov 2011 23:20:51 +0100
+
+suricata (1.0.5-1) unstable; urgency=low
+
+  * Imported Upstream version 1.0.5
+
+ -- Pierre Chifflier <pollux@debian.org>  Wed, 27 Jul 2011 08:20:25 +0200
+
+suricata (1.0.4-1) unstable; urgency=low
+
+  * Imported Upstream version 1.0.4
+  * Bump Standards Version to 3.9.2
+  * Enable hardening-wrapper
+
+ -- Pierre Chifflier <pollux@debian.org>  Sat, 25 Jun 2011 13:45:44 +0200
+
+suricata (1.0.3-1) unstable; urgency=low
+
+  * Imported Upstream version 1.0.3
+
+ -- Pierre Chifflier <pollux@debian.org>  Wed, 13 Apr 2011 16:59:32 +0200
+
+suricata (1.0.2-2) unstable; urgency=low
+
+  * Add init script (thanks to Edward FjellskÃ¥l)
+  * Switch to dpkg-source 3.0 (quilt) format
+
+ -- Pierre Chifflier <pollux@debian.org>  Sun, 19 Dec 2010 18:35:50 +0100
+
+suricata (1.0.2-1) unstable; urgency=low
+
+  * New Upstream version 1.0.2 (Closes: #598389)
+
+ -- Pierre Chifflier <pollux@debian.org>  Wed, 29 Sep 2010 10:02:52 +0200
+
+suricata (1.0.1-1) unstable; urgency=low
+
+  * Imported Upstream version 1.0.1 (Closes: #591559)
+  * Bump Standards version to 3.9.1
+  * Create /var/log/suricata (Closes: #590861)
+
+ -- Pierre Chifflier <pollux@debian.org>  Wed, 11 Aug 2010 14:45:14 +0200
+
+suricata (1.0.0-1) unstable; urgency=low
+
+  * Imported Upstream version 1.0.0
+  * Remove arch=native flag from build (Closes: #587714)
+  * Bump Standards version to 3.9.0
+
+ -- Pierre Chifflier <pollux@debian.org>  Thu, 01 Jul 2010 21:28:41 +0200
+
+suricata (0.9.2-1) unstable; urgency=low
+
+  * Imported Upstream version 0.9.2
+
+ -- Pierre Chifflier <pollux@debian.org>  Sat, 19 Jun 2010 17:39:14 +0200
+
+suricata (0.9.1-1) unstable; urgency=low
+
+  * Imported Upstream version 0.9.1
+  * Update watch file
+
+ -- Pierre Chifflier <pollux@debian.org>  Wed, 26 May 2010 23:09:07 +0200
+
+suricata (0.9.0-1) unstable; urgency=low
+
+  * Imported Upstream version 0.9.0
+  * Add libcap-ng-dev to build-deps
+
+ -- Pierre Chifflier <pollux@debian.org>  Sun, 09 May 2010 10:43:44 +0200
+
+suricata (0.8.2-1) unstable; urgency=low
+
+  * Imported Upstream version 0.8.2
+  * Force selection of external libhtp during build
+  * Enable Prelude support
+  * Update watch file
+
+ -- Pierre Chifflier <pollux@debian.org>  Sun, 02 May 2010 10:50:05 +0200
+
+suricata (0.8.0-2) unstable; urgency=low
+
+  * Update debian/copyright to include all files
+
+ -- Pierre Chifflier <pollux@debian.org>  Sun, 21 Feb 2010 21:45:33 +0100
+
+suricata (0.8.0-1) unstable; urgency=low
+
+  * Initial release (Closes: #563422)
+
+ -- Pierre Chifflier <pollux@debian.org>  Sat, 30 Jan 2010 18:25:05 +0100
diff --git a/control b/control
new file mode 100644 (file)
index 0000000..b763701
--- /dev/null
+++ b/control
@@ -0,0 +1,65 @@
+Source: suricata
+Section: net
+Priority: optional
+Maintainer: Pierre Chifflier <pollux@debian.org>
+Uploaders: Sascha Steinbiss <satta@debian.org>
+Build-Depends: debhelper-compat (= 13),
+              dh-python,
+               libbpf-dev (>= 1:0.7.0) [amd64 arm64 armel armhf i386 ppc64el s390x ppc64 sparc64 x32],
+               clang [amd64 arm64 armel armhf i386 ppc64el s390x ppc64 sparc64 x32],
+               llvm [amd64 arm64 armel armhf i386 ppc64el s390x ppc64 sparc64 x32],
+               libcap-ng-dev,
+               libelf-dev [amd64 arm64 armel armhf i386 ppc64el s390x ppc64 sparc64 x32],
+               libevent-dev,
+               libgeoip-dev,
+               libhiredis-dev,
+               libjansson-dev,
+               libluajit-5.1-dev [i386 amd64 powerpc mips mipsel armel armhf],
+               libhyperscan-dev (>= 4.4.0) [i386 amd64 x32],
+               rustc (>= 1.61.0),
+               cargo (>= 0.29.0),
+               liblz4-dev,
+               libmagic-dev,
+               libmaxminddb-dev,
+               libnet1-dev | libnet-dev,
+               libnetfilter-log-dev,
+               libnetfilter-queue-dev,
+               libnspr4-dev,
+               libnss3-dev,
+               libpcap-dev,
+               libpcre2-dev,
+               libyaml-dev,
+               python3:any,
+               zlib1g-dev | libz-dev,
+               libhtp-dev (>= 1:0.5.50),
+               procps,
+               dpdk-dev [amd64 arm64 riscv64 ppc64el],
+               libnuma-dev [amd64 arm64 riscv64 ppc64el]
+Standards-Version: 4.6.2
+Rules-Requires-Root: no
+Homepage: https://suricata.io
+Vcs-Browser: https://salsa.debian.org/pkg-suricata-team/pkg-suricata
+Vcs-Git: https://salsa.debian.org/pkg-suricata-team/pkg-suricata.git
+
+Package: suricata
+Architecture: linux-any
+Pre-Depends: ${misc:Pre-Depends}
+Depends: ${misc:Depends}, ${python3:Depends}, ${shlibs:Depends}, libhtp2 (>= ${libhtp:Version}~)
+Conflicts: libhtp1, suricata-hyperscan
+Replaces: suricata-hyperscan
+Recommends: python3, snort-rules-default, suricata-update
+Suggests: libtcmalloc-minimal4
+Description: Next Generation Intrusion Detection and Prevention Tool
+ Suricata is a network Intrusion Detection System (IDS). It is based on
+ rules (and is fully compatible with snort rules) to detect a variety of
+ attacks / probes by searching packet content.
+ .
+ It can also be used as Intrusion Prevention System (IPS), and as higher layer
+ firewall.
+ .
+ This new Engine supports Multi-Threading, Automatic Protocol Detection
+ (IP, TCP, UDP, ICMP, HTTP, TLS, FTP and SMB), Gzip Decompression, Fast
+ IP Matching and coming soon hardware acceleration on CUDA and OpenCL GPU
+ cards.
+ .
+ This version has inline (NFQUEUE) support enabled.
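Review bot: The long description of the `suricata` stanza still promises "coming soon hardware acceleration on CUDA and OpenCL GPU cards" and a fixed protocol list (IP, TCP, UDP, ICMP, HTTP, TLS, FTP and SMB). That wording reads as carried over from early releases and is probably not an accurate capability statement for the 7.0 engine this import packages, so anyone evaluating the IDS from `apt show` gets a misleading picture. I would replace the paragraph with a version-neutral one, for example ` This engine supports multi-threading, automatic protocol detection,` followed by ` gzip decompression and fast IP matching.`. Separately, `dh-python,` in Build-Depends is indented one column less than its siblings; running `wrap-and-sort` would normalise it.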
diff --git a/copyright b/copyright
new file mode 100644 (file)
index 0000000..986585c
--- /dev/null
+++ b/copyright
@@ -0,0 +1,442 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: suricata
+Source: https://suricata.io/download/
+Files-Excluded: libhtp
+
+Files: *
+Copyright: 2007-2020 Open Information Security Foundation
+License: GPL-2
+
+Files: aclocal.m4
+Copyright: 1996-2017 Free Software Foundation, Inc.
+           2004 Scott James Remnant <scott@netsplit.com>
+           2012-2015 Dan Nicholson <dbn.lists@gmail.com>
+License: GPL-2+
+
+Files: compile
+       config.sub
+       configure
+Copyright: 1992-2018 Free Software Foundation, Inc.
+License: GPL-2
+
+Files: config.guess
+Copyright: 1992-2018 Free Software Foundation, Inc.
+License: GPL-3
+
+Files: contrib/Makefile.am
+Copyright: 2007-2020 Open Information Security Foundation
+License: GPL-2
+
+Files: contrib/file_processor/*
+Copyright: 2007-2020 Open Information Security Foundation
+License: GPL-2
+
+Files: contrib/file_processor/Action/Makefile.in
+Copyright: 1989, 1991-2015, Free Software Foundation, Inc.
+License: GPL-2
+
+Files: contrib/file_processor/Makefile.in
+Copyright: 1989, 1991-2015, Free Software Foundation, Inc.
+License: GPL-2
+
+Files: contrib/file_processor/Processor/Makefile.in
+Copyright: 1989, 1991-2015, Free Software Foundation, Inc.
+License: GPL-2
+
+Files: contrib/file_processor/file_processor.pl
+Copyright: 2012, Martin Holste
+License: GPL-2
+
+Files: contrib/suri-graphite
+Copyright: 2013, 2015, Eric Leblond <eric@regit.org>
+License: GPL-2
+
+Files: debian/*
+Copyright: 2010 Pierre Chifflier <pollux@debian.org>
+           2019-2024 Sascha Steinbiss <satta@debian.org>
+License: GPL-2
+
+Files: doc/Makefile.in
+       doc/userguide/Makefile.in
+Copyright: 1989, 1991-2015, Free Software Foundation, Inc.
+License: GPL-2
+
+Files: install-sh
+Copyright: 1994, X Consortium
+License: Expat
+
+Files: ebpf/Makefile.in
+       etc/Makefile.in
+       python/Makefile.in
+       qa/Makefile.in
+       qa/coccinelle/Makefile.in
+       rules/Makefile.in
+       rust/Makefile.in
+       src/Makefile.in
+Copyright: 1994-2023 Free Software Foundation, Inc.
+License: GPL-2
+
+Files: ebpf/include/linux/bpf.h
+Copyright: 2011-2014 PLUMgrid
+License: GPL-2
+
+Files: python/suricata/ctl/loghandler.py
+Copyright: 2017 Open Information Security Foundation
+           2016 Jason Ish
+License: GPL-2
+
+Files: qa/coccinelle/sz3.cocci
+Copyright: 2012 LIP6/INRIA
+License: GPL-2
+
+Files: qa/wirefuzz.pl
+Copyright: 2010-2015 Open Information Security Foundation
+License: GPL-2
+
+Files: rust/vendor/autocfg*/*
+Copyright: 2018 Josh Stone <cuviper@gmail.com>
+License: MIT or Apache-2.0
+
+Files: rust/vendor/base64/*
+Copyright: 2015 Alice Maz
+License: MIT or Apache-2.0
+
+Files: rust/vendor/bitflags/*
+Copyright: 2014 The Rust Project Developers
+License: MIT or Apache-2.0
+
+Files: rust/vendor/build_const/*
+Copyright: 2017 Garrett Berg, vitiral@gmail.com
+License: MIT
+
+Files: rust/vendor/byteorder/*
+Copyright: 2015 Andrew Gallant
+License: MIT or Unlicense
+
+Files: rust/vendor/crc/*
+Copyright: 2017 crc-rs Developers
+License: MIT or Apache-2.0
+
+Files: rust/vendor/der-parser/*
+Copyright: 2017 Pierre Chifflier <chifflier@wzdftpd.net>
+License: MIT or Apache-2.0
+
+Files: rust/vendor/enum_primitive/*
+Copyright: 2015 Anders Kaseorg <andersk@mit.edu>
+License: MIT
+
+Files: rust/vendor/ipsec-parser/*
+Copyright: 2017 Pierre Chifflier <chifflier@wzdftpd.net>
+License: MIT or Apache-2.0
+
+Files: rust/vendor/kerberos-parser/*
+Copyright: 2017 Pierre Chifflier <chifflier@wzdftpd.net>
+License: MIT or Apache-2.0
+
+Files: rust/vendor/libc/*
+Copyright: 2014 The Rust Project Developers
+License: MIT or Apache-2.0
+
+Files: rust/vendor/memchr/*
+Copyright: 2015 Andrew Gallant <jamslam@gmail.com>
+License: Unlicense or MIT
+
+Files: rust/vendor/nom/*
+Copyright: 2014-2018 Geoffroy Couprie <contact@geoffroycouprie.com>
+License: MIT
+
+Files: rust/vendor/ntp-parser/*
+Copyright: 2017 Pierre Chifflier <chifflier@wzdftpd.net>
+License: MIT or Apache-2.0
+
+Files: rust/vendor/num*/*
+Copyright: 2014 The Rust Project Developers
+License: MIT or Apache-2.0
+
+Files: rust/vendor/phf*/*
+Copyright: 2014-2016 Steven Fackler <sfackler@gmail.com>
+License: MIT
+
+Files: rust/vendor/proc-macro2/*
+Copyright: 2014 Alex Crichton <alex@alexcrichton.com>
+License: MIT or Apache-2.0
+
+Files: rust/vendor/quote/*
+Copyright: 2016 The Rust Project Developers
+License: MIT or Apache-2.0
+
+Files: rust/vendor/rand*/*
+Copyright: 2018 The Rand Project Developers
+           2014 The Rust Project Developers
+License: MIT or Apache-2.0
+
+Files: rust/vendor/rusticata-macros/*
+Copyright: 2017 Pierre Chifflier <chifflier@wzdftpd.net>
+License: MIT or Apache-2.0
+
+Files: rust/vendor/siphasher/*
+Copyright: 2012-2016 The Rust Project Developers
+License: MIT or Apache-2.0
+
+Files: rust/vendor/snmp-parser/*
+Copyright: 2017 Pierre Chifflier <chifflier@wzdftpd.net>
+License: MIT or Apache-2.0
+
+Files: rust/vendor/syn/*
+Copyright: David Tolnay <dtolnay@gmail.com>
+License: MIT or Apache-2.0
+
+Files: rust/vendor/time/*
+Copyright: 2014 The Rust Project Developers
+License: MIT or Apache-2.0
+
+Files: rust/vendor/tls-parser/*
+Copyright: 2017 Pierre Chifflier <chifflier@wzdftpd.net>
+License: MIT or Apache-2.0
+
+Files: rust/vendor/unicode-xid/*
+Copyright: 2015 The Rust Project Developers
+License: MIT or Apache-2.0
+
+Files: rust/vendor/version_check/*
+Copyright: 2017-2018 Sergio Benitez <sb@sergio.bz>
+License: MIT or Apache-2.0
+
+Files: rust/vendor/widestring/*
+Copyright: 2016 Kathryn Long <squeeself@gmail.com>
+License: MIT or Apache-2.0
+
+Files: rust/vendor/x509-parser/*
+Copyright: 2017 Pierre Chifflier <chifflier@wzdftpd.net>
+License: MIT or Apache-2.0
+
+Files: src/Makefile.am
+  src/util-hash-lookup3.c
+  src/util-hash-lookup3.h
+Copyright: 2008 Victor Julien <victor@inliniac.net>
+License: GPL-2
+
+Files: src/app-layer-htp-libhtp.c
+  src/app-layer-htp-libhtp.h
+Copyright: 2010-2013, Qualys, Inc.
+           2009, 2010, Open Information Security Foundation
+License: BSD-3-clause
+
+Files: src/detect-modbus.c
+  src/detect-modbus.h
+  src/detect-tls.c
+  src/detect-tls.h
+Copyright: 2011-2015, ANSSI
+License: BSD-3-clause
+
+Files: src/queue.h
+       src/win32-syslog.h
+Copyright: 1982, 1986, 1988, 1991, 1993, The Regents of the University of California.
+License: BSD-3-clause
+
+Files: src/util-decode-mime.c
+       src/util-decode-mime.h
+Copyright: 2012, BAE Systems
+License: GPL-2
+
+Files: src/util-fix_checksum.c
+       src/util-fix_checksum.h
+Copyright: 2002-2008, Henning Brauer
+           2001, Daniel Hartmeier
+License: BSD-2-clause
+Comment:
+ In addition to the BSD license, the authors state the following:
+ Effort sponsored in part by the Defense Advanced Research Projects
+ Agency (DARPA) and Air Force Research Laboratory, Air Force
+ Materiel Command, USAF, under agreement number F30602-01-2-0537
+
+Files: src/util-strlcatu.c
+  src/util-strlcpyu.c
+Copyright: 1998, Todd C. Miller <Todd.Miller@courtesan.com>
+License: BSD-3-clause
+
+Files: src/tree.h
+Copyright: 2002 Niels Provos <provos@citi.umich.edu>
+License: BSD-2-clause
+
+Files: suricata-update/*
+Copyright: 2017-2019 Open Information Security Foundation
+           2013-2017 Jason Ish
+License: GPL-2
+
+Files: suricata-update/suricata/update/compat/ordereddict.py
+Copyright: 2009 Raymond Hettinger
+License: MIT
+
+License: BSD-3-clause
+ The BSD License
+ .
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are
+ met:
+ .
+   * Redistributions of source code must retain the above copyright
+     notice, this list of conditions and the following disclaimer.
+ .
+   * Redistributions in binary form must reproduce the above copyright
+     notice, this list of conditions and the following disclaimer in the
+     documentation and/or other materials provided with the distribution. 
+ .
+   * Neither the name of foo nor the names of its
+     contributors may be used to endorse or promote products derived from
+     this software without specific prior written permission. 
+ .
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+ IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR
+ CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+License: Expat
+ The MIT License
+ .
+ Permission is hereby granted, free of charge, to any person
+ obtaining a copy of this software and associated
+ documentation files (the "Software"), to deal in the Software
+ without restriction, including without limitation the rights to
+ use, copy, modify, merge, publish, distribute, sublicense,
+ and/or sell copies of the Software, and to permit persons to
+ whom the Software is furnished to do so, subject to the
+ following conditions:
+ .
+ The above copyright notice and this permission notice shall
+ be included in all copies or substantial portions of the
+ Software.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT
+ WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
+ INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR
+ PURPOSE AND NONINFRINGEMENT. IN NO EVENT
+ SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+ LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+ TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+ CONNECTION WITH THE SOFTWARE OR THE USE OR
+ OTHER DEALINGS IN THE SOFTWARE.
+
+License: GPL-2
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU Library General Public License as published by
+ the Free Software Foundation.
+ .
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU Library General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>
+ .
+ On Debian systems, the complete text of the GNU General
+ Public License version 2 can be found in "/usr/share/common-licenses/GPL-2".
+
+License: GPL-2+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 2 dated June, 1991, or (at
+ your option) any later version.
+ .
+ On Debian systems, the complete text of version 2 of the GNU General
+ Public License can be found in '/usr/share/common-licenses/GPL-2'.
+
+License: GPL-3
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; version 3 dated June, 2007.
+ .
+ On Debian systems, the complete text of version 3 of the GNU General
+ Public License can be found in '/usr/share/common-licenses/GPL-3'.
+
+License: Apache-2.0
+ Debian systems provide the Apache 2.0 license in
+ /usr/share/common-licenses/Apache-2.0
+
+License: MIT
+ Permission is hereby granted, free of charge, to any person obtaining a copy
+ of this software and associated documentation files (the "Software"), to deal
+ in the Software without restriction, including without limitation the rights
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ copies of the Software, and to permit persons to whom the Software is
+ furnished to do so, subject to the following conditions:
+ .
+ The above copyright notice and this permission notice shall be included in all
+ copies or substantial portions of the Software.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL THE
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ SOFTWARE.
+
+License: Unlicense
+ This is free and unencumbered software released into the public domain.
+ .
+ Anyone is free to copy, modify, publish, use, compile, sell, or
+ distribute this software, either in source code form or as a compiled
+ binary, for any purpose, commercial or non-commercial, and by any
+ means.
+ . 
+ In jurisdictions that recognize copyright laws, the author or authors
+ of this software dedicate any and all copyright interest in the
+ software to the public domain. We make this dedication for the benefit
+ of the public at large and to the detriment of our heirs and
+ successors. We intend this dedication to be an overt act of
+ relinquishment in perpetuity of all present and future rights to this
+ software under copyright law.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+ EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+ MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+ IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+ OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+ OTHER DEALINGS IN THE SOFTWARE.
+
+License: BSD-2-clause
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions are
+ met:
+ .
+ 1. Redistributions of source code must retain the above copyright
+    notice, this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+    notice, this list of conditions and the following disclaimer in the
+    documentation and/or other materials provided with the distribution.
+ .
+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
+ IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+License: ISC
+ Permission to use, copy, modify, and/or distribute this software for any purpose with or without
+ fee is hereby granted, provided that the above copyright notice and this permission notice appear
+ in all copies.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS
+ SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE
+ AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+ NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF
+ THIS SOFTWARE.
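Review bot: The stand-alone `License: GPL-2` paragraph names the wrong licence: it says "GNU Library General Public License" twice and gives no version, yet it closes by pointing at `/usr/share/common-licenses/GPL-2`. Since `Files: *` relies on this paragraph, the text should read `it under the terms of the GNU General Public License version 2 as published by` and `GNU General Public License for more details.`. The `License: BSD-3-clause` paragraph still carries the template placeholder in "Neither the name of foo nor the names of its contributors", which should name the copyright holder or use the generic wording. The `License: ISC` paragraph is not referenced by any `Files:` stanza in this file, so either a stanza is missing (likely for a vendored crate) or the paragraph is dead. Machine-readable copyright is what licence and SBOM tooling consumes, so these are worth fixing rather than leaving as cosmetic.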
diff --git a/libhtp-0.5.24-1.install b/libhtp-0.5.24-1.install
new file mode 100644 (file)
index 0000000..3ddde58
--- /dev/null
@@ -0,0 +1 @@
+usr/lib/*/lib*.so.*
diff --git a/libhtp-0.5.24-1.lintian-overrides b/libhtp-0.5.24-1.lintian-overrides
new file mode 100644 (file)
index 0000000..a5b3b88
--- /dev/null
@@ -0,0 +1,2 @@
+# false positive, the link is there. Somehow lintian is confused
+libhtp-0.5.24-1: dev-pkg-without-shlib-symlink
diff --git a/libhtp-0.5.24-1.symbols b/libhtp-0.5.24-1.symbols
new file mode 100644 (file)
index 0000000..d724f5f
--- /dev/null
@@ -0,0 +1,347 @@
+libhtp-0.5.24.so.1 libhtp-0.5.24-1 #MINVER#
+ bstr_add@Base 3.1.3
+ bstr_add_c@Base 3.1.3
+ bstr_add_c_noex@Base 3.1.3
+ bstr_add_mem@Base 3.1.3
+ bstr_add_mem_noex@Base 3.1.3
+ bstr_add_noex@Base 3.1.3
+ bstr_adjust_len@Base 3.1.3
+ bstr_adjust_realptr@Base 3.1.3
+ bstr_adjust_size@Base 3.1.3
+ bstr_alloc@Base 3.1.3
+ bstr_begins_with@Base 3.1.3
+ bstr_begins_with_c@Base 3.1.3
+ bstr_begins_with_c_nocase@Base 3.1.3
+ bstr_begins_with_mem@Base 3.1.3
+ bstr_begins_with_mem_nocase@Base 3.1.3
+ bstr_begins_with_nocase@Base 3.1.3
+ bstr_builder_append_c@Base 3.1.3
+ bstr_builder_append_mem@Base 3.1.3
+ bstr_builder_appendn@Base 3.1.3
+ bstr_builder_clear@Base 3.1.3
+ bstr_builder_create@Base 3.1.3
+ bstr_builder_destroy@Base 3.1.3
+ bstr_builder_size@Base 3.1.3
+ bstr_builder_to_str@Base 3.1.3
+ bstr_char_at@Base 3.1.3
+ bstr_char_at_end@Base 3.1.3
+ bstr_chop@Base 3.1.3
+ bstr_chr@Base 3.1.3
+ bstr_cmp@Base 3.1.3
+ bstr_cmp_c@Base 3.1.3
+ bstr_cmp_c_nocase@Base 3.1.3
+ bstr_cmp_mem@Base 3.1.3
+ bstr_cmp_mem_nocase@Base 3.1.3
+ bstr_cmp_nocase@Base 3.1.3
+ bstr_dup@Base 3.1.3
+ bstr_dup_c@Base 3.1.3
+ bstr_dup_ex@Base 3.1.3
+ bstr_dup_lower@Base 3.1.3
+ bstr_dup_mem@Base 3.1.3
+ bstr_expand@Base 3.1.3
+ bstr_free@Base 3.1.3
+ bstr_index_of@Base 3.1.3
+ bstr_index_of_c@Base 3.1.3
+ bstr_index_of_c_nocase@Base 3.1.3
+ bstr_index_of_mem@Base 3.1.3
+ bstr_index_of_mem_nocase@Base 3.1.3
+ bstr_index_of_nocase@Base 3.1.3
+ bstr_rchr@Base 3.1.3
+ bstr_to_lowercase@Base 3.1.3
+ bstr_util_cmp_mem@Base 3.1.3
+ bstr_util_cmp_mem_nocase@Base 3.1.3
+ bstr_util_mem_index_of_c@Base 3.1.3
+ bstr_util_mem_index_of_c_nocase@Base 3.1.3
+ bstr_util_mem_index_of_mem@Base 3.1.3
+ bstr_util_mem_index_of_mem_nocase@Base 3.1.3
+ bstr_util_mem_to_pint@Base 3.1.3
+ bstr_util_mem_trim@Base 3.1.3
+ bstr_util_memdup_to_c@Base 3.1.3
+ bstr_util_strdup_to_c@Base 3.1.3
+ bstr_wrap_c@Base 3.1.3
+ bstr_wrap_mem@Base 3.1.3
+ fprint_bstr@Base 3.1.3
+ fprint_raw_data@Base 3.1.3
+ fprint_raw_data_ex@Base 3.1.3
+ htp_base64_decode@Base 3.1.3
+ htp_base64_decode_bstr@Base 3.1.3
+ htp_base64_decode_mem@Base 3.1.3
+ htp_base64_decode_single@Base 3.1.3
+ htp_base64_decoder_init@Base 3.1.3
+ htp_ch_multipart_callback_request_body_data@Base 3.1.3
+ htp_ch_multipart_callback_request_headers@Base 3.1.3
+ htp_ch_urlencoded_callback_request_body_data@Base 3.1.3
+ htp_ch_urlencoded_callback_request_headers@Base 3.1.3
+ htp_ch_urlencoded_callback_request_line@Base 3.1.3
+ htp_chomp@Base 3.1.3
+ htp_config_copy@Base 3.1.3
+ htp_config_create@Base 3.1.3
+ htp_config_destroy@Base 3.1.3
+ htp_config_get_user_data@Base 3.1.3
+ htp_config_register_log@Base 3.1.3
+ htp_config_register_multipart_parser@Base 3.1.3
+ htp_config_register_request_body_data@Base 3.1.3
+ htp_config_register_request_complete@Base 3.1.3
+ htp_config_register_request_file_data@Base 3.1.3
+ htp_config_register_request_header_data@Base 3.1.3
+ htp_config_register_request_headers@Base 3.1.3
+ htp_config_register_request_line@Base 3.1.3
+ htp_config_register_request_start@Base 3.1.3
+ htp_config_register_request_trailer@Base 3.1.3
+ htp_config_register_request_trailer_data@Base 3.1.3
+ htp_config_register_request_uri_normalize@Base 3.1.3
+ htp_config_register_response_body_data@Base 3.1.3
+ htp_config_register_response_complete@Base 3.1.3
+ htp_config_register_response_header_data@Base 3.1.3
+ htp_config_register_response_headers@Base 3.1.3
+ htp_config_register_response_line@Base 3.1.3
+ htp_config_register_response_start@Base 3.1.3
+ htp_config_register_response_trailer@Base 3.1.3
+ htp_config_register_response_trailer_data@Base 3.1.3
+ htp_config_register_transaction_complete@Base 3.1.3
+ htp_config_register_urlencoded_parser@Base 3.1.3
+ htp_config_set_backslash_convert_slashes@Base 3.1.3
+ htp_config_set_bestfit_map@Base 3.1.3
+ htp_config_set_bestfit_replacement_byte@Base 3.1.3
+ htp_config_set_control_chars_unwanted@Base 3.1.3
+ htp_config_set_convert_lowercase@Base 3.1.3
+ htp_config_set_extract_request_files@Base 3.1.3
+ htp_config_set_field_limits@Base 3.1.3
+ htp_config_set_log_level@Base 3.1.3
+ htp_config_set_nul_encoded_terminates@Base 3.1.3
+ htp_config_set_nul_encoded_unwanted@Base 3.1.3
+ htp_config_set_nul_raw_terminates@Base 3.1.3
+ htp_config_set_nul_raw_unwanted@Base 3.1.3
+ htp_config_set_parse_request_auth@Base 3.1.3
+ htp_config_set_parse_request_cookies@Base 3.1.3
+ htp_config_set_path_separators_compress@Base 3.1.3
+ htp_config_set_path_separators_decode@Base 3.1.3
+ htp_config_set_path_separators_encoded_unwanted@Base 3.1.3
+ htp_config_set_plusspace_decode@Base 3.1.3
+ htp_config_set_requestline_leading_whitespace_unwanted@Base 3.1.3
+ htp_config_set_response_decompression@Base 3.1.3
+ htp_config_set_response_decompression_layer_limit@Base 3.1.3
+ htp_config_set_server_personality@Base 3.1.3
+ htp_config_set_tmpdir@Base 3.1.3
+ htp_config_set_tx_auto_destroy@Base 3.1.3
+ htp_config_set_u_encoding_decode@Base 3.1.3
+ htp_config_set_u_encoding_unwanted@Base 3.1.3
+ htp_config_set_url_encoding_invalid_handling@Base 3.1.3
+ htp_config_set_url_encoding_invalid_unwanted@Base 3.1.3
+ htp_config_set_user_data@Base 3.1.3
+ htp_config_set_utf8_convert_bestfit@Base 3.1.3
+ htp_config_set_utf8_invalid_unwanted@Base 3.1.3
+ htp_conn_close@Base 3.1.3
+ htp_conn_create@Base 3.1.3
+ htp_conn_destroy@Base 3.1.3
+ htp_conn_open@Base 3.1.3
+ htp_conn_remove_tx@Base 3.1.3
+ htp_conn_track_inbound_data@Base 3.1.3
+ htp_conn_track_outbound_data@Base 3.1.3
+ htp_connp_REQ_BODY_CHUNKED_DATA@Base 3.1.3
+ htp_connp_REQ_BODY_CHUNKED_DATA_END@Base 3.1.3
+ htp_connp_REQ_BODY_CHUNKED_LENGTH@Base 3.1.3
+ htp_connp_REQ_BODY_DETERMINE@Base 3.1.3
+ htp_connp_REQ_BODY_IDENTITY@Base 3.1.3
+ htp_connp_REQ_CONNECT_CHECK@Base 3.1.3
+ htp_connp_REQ_CONNECT_PROBE_DATA@Base 3.1.3
+ htp_connp_REQ_CONNECT_WAIT_RESPONSE@Base 3.1.3
+ htp_connp_REQ_FINALIZE@Base 3.1.3
+ htp_connp_REQ_HEADERS@Base 3.1.3
+ htp_connp_REQ_IDLE@Base 3.1.3
+ htp_connp_REQ_IGNORE_DATA_AFTER_HTTP_0_9@Base 3.1.3
+ htp_connp_REQ_LINE@Base 3.1.3
+ htp_connp_REQ_LINE_complete@Base 3.1.3
+ htp_connp_REQ_PROTOCOL@Base 3.1.3
+ htp_connp_RES_BODY_CHUNKED_DATA@Base 3.1.3
+ htp_connp_RES_BODY_CHUNKED_DATA_END@Base 3.1.3
+ htp_connp_RES_BODY_CHUNKED_LENGTH@Base 3.1.3
+ htp_connp_RES_BODY_DETERMINE@Base 3.1.3
+ htp_connp_RES_BODY_IDENTITY_CL_KNOWN@Base 3.1.3
+ htp_connp_RES_BODY_IDENTITY_STREAM_CLOSE@Base 3.1.3
+ htp_connp_RES_FINALIZE@Base 3.1.3
+ htp_connp_RES_HEADERS@Base 3.1.3
+ htp_connp_RES_IDLE@Base 3.1.3
+ htp_connp_RES_LINE@Base 3.1.3
+ htp_connp_clear_error@Base 3.1.3
+ htp_connp_close@Base 3.1.3
+ htp_connp_create@Base 3.1.3
+ htp_connp_destroy@Base 3.1.3
+ htp_connp_destroy_all@Base 3.1.3
+ htp_connp_destroy_decompressors@Base 3.1.3
+ htp_connp_get_connection@Base 3.1.3
+ htp_connp_get_in_tx@Base 3.1.3
+ htp_connp_get_last_error@Base 3.1.3
+ htp_connp_get_out_tx@Base 3.1.3
+ htp_connp_get_user_data@Base 3.1.3
+ htp_connp_in_reset@Base 3.1.3
+ htp_connp_in_state_as_string@Base 3.1.3
+ htp_connp_is_line_folded@Base 3.1.3
+ htp_connp_is_line_ignorable@Base 3.1.3
+ htp_connp_is_line_terminator@Base 3.1.3
+ htp_connp_open@Base 3.1.3
+ htp_connp_out_state_as_string@Base 3.1.3
+ htp_connp_req_data@Base 3.1.3
+ htp_connp_req_data_consumed@Base 3.1.3
+ htp_connp_req_receiver_finalize_clear@Base 3.1.3
+ htp_connp_res_data@Base 3.1.3
+ htp_connp_res_data_consumed@Base 3.1.3
+ htp_connp_res_receiver_finalize_clear@Base 3.1.3
+ htp_connp_set_user_data@Base 3.1.3
+ htp_connp_tx_create@Base 3.1.3
+ htp_connp_tx_remove@Base 3.1.3
+ htp_convert_method_to_number@Base 3.1.3
+ htp_decode_path_inplace@Base 3.1.3
+ htp_extract_quoted_string_as_bstr@Base 3.1.3
+ htp_get_version@Base 3.1.3
+ htp_gzip_decompressor_create@Base 3.1.3
+ htp_hook_copy@Base 3.1.3
+ htp_hook_create@Base 3.1.3
+ htp_hook_destroy@Base 3.1.3
+ htp_hook_register@Base 3.1.3
+ htp_hook_run_all@Base 3.1.3
+ htp_hook_run_one@Base 3.1.3
+ htp_is_folding_char@Base 3.1.3
+ htp_is_line_empty@Base 3.1.3
+ htp_is_line_whitespace@Base 3.1.3
+ htp_is_lws@Base 3.1.3
+ htp_is_separator@Base 3.1.3
+ htp_is_space@Base 3.1.3
+ htp_is_text@Base 3.1.3
+ htp_is_token@Base 3.1.3
+ htp_list_array_clear@Base 3.1.3
+ htp_list_array_create@Base 3.1.3
+ htp_list_array_destroy@Base 3.1.3
+ htp_list_array_get@Base 3.1.3
+ htp_list_array_pop@Base 3.1.3
+ htp_list_array_push@Base 3.1.3
+ htp_list_array_replace@Base 3.1.3
+ htp_list_array_shift@Base 3.1.3
+ htp_list_array_size@Base 3.1.3
+ htp_log@Base 3.1.3
+ htp_mpart_part_create@Base 3.1.3
+ htp_mpart_part_destroy@Base 3.1.3
+ htp_mpart_part_finalize_data@Base 3.1.3
+ htp_mpart_part_handle_data@Base 3.1.3
+ htp_mpart_part_parse_c_d@Base 3.1.3
+ htp_mpart_part_process_headers@Base 3.1.3
+ htp_mpartp_create@Base 3.1.3
+ htp_mpartp_destroy@Base 3.1.3
+ htp_mpartp_finalize@Base 3.1.3
+ htp_mpartp_find_boundary@Base 3.1.3
+ htp_mpartp_get_multipart@Base 3.1.3
+ htp_mpartp_parse@Base 3.1.3
+ htp_mpartp_parse_header@Base 3.1.3
+ htp_mpartp_run_request_file_data_hook@Base 3.1.3
+ htp_normalize_hostname_inplace@Base 3.1.3
+ htp_normalize_parsed_uri@Base 3.1.3
+ htp_normalize_uri_path_inplace@Base 3.1.3
+ htp_parse_authorization@Base 3.1.3
+ htp_parse_authorization_basic@Base 3.1.3
+ htp_parse_authorization_digest@Base 3.1.3
+ htp_parse_chunked_length@Base 3.1.3
+ htp_parse_content_length@Base 3.1.3
+ htp_parse_cookies_v0@Base 3.1.3
+ htp_parse_ct_header@Base 3.1.3
+ htp_parse_header_hostport@Base 3.1.3
+ htp_parse_hostport@Base 3.1.3
+ htp_parse_positive_integer_whitespace@Base 3.1.3
+ htp_parse_protocol@Base 3.1.3
+ htp_parse_request_header_generic@Base 3.1.3
+ htp_parse_request_line_apache_2_2@Base 3.1.3
+ htp_parse_request_line_generic@Base 3.1.3
+ htp_parse_request_line_generic_ex@Base 3.1.3
+ htp_parse_response_header_generic@Base 3.1.3
+ htp_parse_response_line_generic@Base 3.1.3
+ htp_parse_single_cookie_v0@Base 3.1.3
+ htp_parse_status@Base 3.1.3
+ htp_parse_uri@Base 3.1.3
+ htp_parse_uri_hostport@Base 3.1.3
+ htp_php_parameter_processor@Base 3.1.3
+ htp_process_request_header_apache_2_2@Base 3.1.3
+ htp_process_request_header_generic@Base 3.1.3
+ htp_process_response_header_generic@Base 3.1.3
+ htp_req_run_hook_body_data@Base 3.1.3
+ htp_res_run_hook_body_data@Base 3.1.3
+ htp_table_add@Base 3.1.3
+ htp_table_addk@Base 3.1.3
+ htp_table_addn@Base 3.1.3
+ htp_table_clear@Base 3.1.3
+ htp_table_clear_ex@Base 3.1.3
+ htp_table_create@Base 3.1.3
+ htp_table_destroy@Base 3.1.3
+ htp_table_destroy_ex@Base 3.1.3
+ htp_table_get@Base 3.1.3
+ htp_table_get_c@Base 3.1.3
+ htp_table_get_index@Base 3.1.3
+ htp_table_get_mem@Base 3.1.3
+ htp_table_size@Base 3.1.3
+ htp_transcode_bstr@Base 3.1.3
+ htp_transcode_params@Base 3.1.3
+ htp_treat_response_line_as_body@Base 3.1.3
+ htp_tx_create@Base 3.1.3
+ htp_tx_destroy@Base 3.1.3
+ htp_tx_destroy_incomplete@Base 3.1.3
+ htp_tx_finalize@Base 3.1.3
+ htp_tx_get_is_config_shared@Base 3.1.3
+ htp_tx_get_user_data@Base 3.1.3
+ htp_tx_is_complete@Base 3.1.3
+ htp_tx_register_request_body_data@Base 3.1.3
+ htp_tx_register_response_body_data@Base 3.1.3
+ htp_tx_req_add_param@Base 3.1.3
+ htp_tx_req_get_param@Base 3.1.3
+ htp_tx_req_get_param_ex@Base 3.1.3
+ htp_tx_req_has_body@Base 3.1.3
+ htp_tx_req_process_body_data@Base 3.1.3
+ htp_tx_req_process_body_data_ex@Base 3.1.3
+ htp_tx_req_set_header@Base 3.1.3
+ htp_tx_req_set_headers_clear@Base 3.1.3
+ htp_tx_req_set_line@Base 3.1.3
+ htp_tx_req_set_method@Base 3.1.3
+ htp_tx_req_set_method_number@Base 3.1.3
+ htp_tx_req_set_parsed_uri@Base 3.1.3
+ htp_tx_req_set_protocol@Base 3.1.3
+ htp_tx_req_set_protocol_0_9@Base 3.1.3
+ htp_tx_req_set_protocol_number@Base 3.1.3
+ htp_tx_req_set_uri@Base 3.1.3
+ htp_tx_request_progress_as_string@Base 3.1.3
+ htp_tx_res_process_body_data@Base 3.1.3
+ htp_tx_res_process_body_data_ex@Base 3.1.3
+ htp_tx_res_set_header@Base 3.1.3
+ htp_tx_res_set_headers_clear@Base 3.1.3
+ htp_tx_res_set_protocol_number@Base 3.1.3
+ htp_tx_res_set_status_code@Base 3.1.3
+ htp_tx_res_set_status_line@Base 3.1.3
+ htp_tx_res_set_status_message@Base 3.1.3
+ htp_tx_response_progress_as_string@Base 3.1.3
+ htp_tx_set_config@Base 3.1.3
+ htp_tx_set_user_data@Base 3.1.3
+ htp_tx_state_request_complete@Base 3.1.3
+ htp_tx_state_request_complete_partial@Base 3.1.3
+ htp_tx_state_request_headers@Base 3.1.3
+ htp_tx_state_request_line@Base 3.1.3
+ htp_tx_state_request_start@Base 3.1.3
+ htp_tx_state_response_complete@Base 3.1.3
+ htp_tx_state_response_complete_ex@Base 3.1.3
+ htp_tx_state_response_headers@Base 3.1.3
+ htp_tx_state_response_line@Base 3.1.3
+ htp_tx_state_response_start@Base 3.1.3
+ htp_tx_urldecode_params_inplace@Base 3.1.3
+ htp_tx_urldecode_uri_inplace@Base 3.1.3
+ htp_unparse_uri_noencode@Base 3.1.3
+ htp_uri_alloc@Base 3.1.3
+ htp_uri_free@Base 3.1.3
+ htp_urldecode_inplace@Base 3.1.3
+ htp_urldecode_inplace_ex@Base 3.1.3
+ htp_urlenp_create@Base 3.1.3
+ htp_urlenp_destroy@Base 3.1.3
+ htp_urlenp_finalize@Base 3.1.3
+ htp_urlenp_parse_complete@Base 3.1.3
+ htp_urlenp_parse_partial@Base 3.1.3
+ htp_utf8_decode@Base 3.1.3
+ htp_utf8_decode_allow_overlong@Base 3.1.3
+ htp_utf8_decode_path_inplace@Base 3.1.3
+ htp_utf8_validate_path@Base 3.1.3
+ htp_validate_hostname@Base 3.1.3
+ strlcat@Base 3.1.3
+ strlcpy@Base 3.1.3
diff --git a/patches/CVE-2025-53538.patch b/patches/CVE-2025-53538.patch
new file mode 100644 (file)
index 0000000..d72f2a6
--- /dev/null
@@ -0,0 +1,62 @@
+From 97eee2cadacf3423a1ebcdd1943a7a7917f5cc56 Mon Sep 17 00:00:00 2001
+From: Philippe Antoine <pantoine@oisf.net>
+Date: Tue, 15 Apr 2025 12:34:37 +0200
+# Subject: [PATCH] http2: forbid data on stream 0
+
+Ticket: 7658
+
+Suricata will not handle well if we open a file for this tx,
+do not close it, but set the transaction state to completed.
+
+RFC 9113 section 6.1 states:
+
+If a DATA frame is received whose Stream Identifier field is 0x00,
+the recipient MUST respond with a connection error (Section 5.4.1)
+ of type PROTOCOL_ERROR.
+
+(cherry picked from commit 1d6d331752e933c46aca0ae7a9679b27462246e3)
+
+Origin: upstream, https://github.com/OISF/suricata/commit/97eee2cadacf3423a1ebcdd1943a7a7917f5cc56.patch
+Bug: https://redmine.openinfosecfoundation.org/issues/7659
+Bug-Debian: https://bugs.debian.org/1109806
+Subject: Upstream fix for CVE-2025-53538
+---
+ rules/http2-events.rules | 1 +
+ rust/src/http2/http2.rs  | 5 ++++-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/rules/http2-events.rules b/rules/http2-events.rules
+index 413fdd652..8242e2f79 100644
+--- a/rules/http2-events.rules
++++ b/rules/http2-events.rules
+@@ -21,3 +21,4 @@ alert http2 any any -> any any (msg:"SURICATA HTTP2 too many streams"; flow:esta
+ alert http2 any any -> any any (msg:"SURICATA HTTP2 authority host mismatch"; flow:established,to_server; app-layer-event:http2.authority_host_mismatch; classtype:protocol-command-decode; sid:2290013; rev:1;)
+ alert http2 any any -> any any (msg:"SURICATA HTTP2 user info in uri"; flow:established,to_server; app-layer-event:http2.userinfo_in_uri; classtype:protocol-command-decode; sid:2290014; rev:1;)
+ alert http2 any any -> any any (msg:"SURICATA HTTP2 reassembly limit reached"; flow:established; app-layer-event:http2.reassembly_limit_reached; classtype:protocol-command-decode; sid:2290015; rev:1;)
++alert http2 any any -> any any (msg:"SURICATA HTTP2 data on stream zero"; flow:established; app-layer-event:http2.data_stream_zero; classtype:protocol-command-decode; sid:2290018; rev:1;)
+diff --git a/rust/src/http2/http2.rs b/rust/src/http2/http2.rs
+index 20b7cd947..a79a33c8e 100644
+--- a/rust/src/http2/http2.rs
++++ b/rust/src/http2/http2.rs
+@@ -409,6 +409,7 @@ pub enum HTTP2Event {
+     AuthorityHostMismatch,
+     UserinfoInUri,
+     ReassemblyLimitReached,
++    DataStreamZero,
+ }
+ pub struct HTTP2DynTable {
+@@ -1078,7 +1079,9 @@ impl HTTP2State {
+                             data: txdata,
+                         });
+                     }
+-                    if ftype == parser::HTTP2FrameType::Data as u8 {
++                    if ftype == parser::HTTP2FrameType::Data as u8 && sid == 0 {
++                        tx.tx_data.set_event(HTTP2Event::DataStreamZero as u8);
++                    } else if ftype == parser::HTTP2FrameType::Data as u8 && sid > 0 {
+                         match unsafe { SURICATA_HTTP2_FILE_CONFIG } {
+                             Some(sfcm) => {
+                                 //borrow checker forbids to reuse directly tx
+-- 
+2.51.0
+
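Review bot: The new `sid == 0` branch in the `rust/src/http2/http2.rs` hunk has no comment saying why DATA on stream 0 must skip the file handling below it. The commit message gives the reason: a file would be opened for the tx and never closed. I would add `// RFC 9113 6.1: DATA on stream 0 is a protocol error; raise the event and open no file for this tx` above the `if`. The frame-type comparison is also written twice; an outer `if ftype == parser::HTTP2FrameType::Data as u8 {` with an inner `if sid == 0 { … } else { … }` reads more directly, assuming `sid` is unsigned so that `sid > 0` is the only other case (its declaration is outside the hunk). The enclosing `HTTP2State` method starts and ends outside the hunk.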
diff --git a/patches/CVE-2025-59147.patch b/patches/CVE-2025-59147.patch
new file mode 100644 (file)
index 0000000..e26e5e4
--- /dev/null
@@ -0,0 +1,372 @@
+From e91b03c90385db15e21cf1a0e85b921bf92b039e Mon Sep 17 00:00:00 2001
+From: Victor Julien <vjulien@oisf.net>
+Date: Wed, 20 Aug 2025 12:43:27 +0200
+# Subject: [PATCH] stream: improve SYN and SYN/ACK retransmission handling
+
+Take SEQ and ACK into account for more scenarios.
+
+SYN on SYN_SENT
+
+In this case the SYN packets with different SEQ and other properties are
+queued up. Each packet updates the ssn to reflect the last packet to
+come in. The old ssn data is added to a TcpStateQueue entry in
+TcpSession::queue. If the max queue length is exceeded, the oldest entry
+is evicted. The queue is actually a single linked list, where the list
+head reflects the oldest entry.
+
+SYN/ACK on SYN_SENT
+
+In this case the first check is if the SYN/ACK matches the session. If
+it doesn't, the queue is checked to see if there SYN's stored. If one is
+found that matches, it is used and the session is updated to reflect
+that.
+
+SYN/ACK on SYN_RECV
+
+SYN/ACK resent on the SYN_RECV state. In this case the ssn is updated
+from the current packet. The old settings are stored in a TcpStateQueue
+entry in the TcpSession::queue.
+
+ACK on SYN_RECV
+
+Checks any stored SYN/ACKs before checking the session. If a queued
+SYN/ACK was sound, the session is updated to match it.
+
+Ticket: #3844.
+Ticket: #7657.
+(cherry picked from commit be6315dba0d9101b11d16e9dacfe2822b3792f1b)
+
+Patch adjusted for Debian to fit for Suricata 7.0.10.
+
+Origin: upstream, https://github.com/OISF/suricata/commit/e91b03c90385db15e21cf1a0e85b921bf92b039e.patch
+Bug: https://redmine.openinfosecfoundation.org/issues/7852
+Subject: Upstream fix for CVE-2025-59147
+---
+ src/stream-tcp-private.h |   2 +-
+ src/stream-tcp.c         | 212 ++++++++++++++++++++++++++++-----------
+ 2 files changed, 155 insertions(+), 59 deletions(-)
+
+diff --git a/src/stream-tcp-private.h b/src/stream-tcp-private.h
+index 2da93f6ce..380b9eed1 100644
+--- a/src/stream-tcp-private.h
++++ b/src/stream-tcp-private.h
+@@ -295,7 +295,7 @@ typedef struct TcpSession_ {
+     uint32_t reassembly_depth; /**< reassembly depth for the stream */
+     TcpStream server;
+     TcpStream client;
+-    TcpStateQueue *queue;                   /**< list of SYN/ACK candidates */
++    TcpStateQueue *queue; /**< list of SYN or SYN/ACK candidates */
+ } TcpSession;
+ #define StreamTcpSetStreamFlagAppProtoDetectionCompleted(stream) \
+diff --git a/src/stream-tcp.c b/src/stream-tcp.c
+index a266ebf1a..5677d3090 100644
+--- a/src/stream-tcp.c
++++ b/src/stream-tcp.c
+@@ -1787,6 +1787,7 @@ static void TcpStateQueueInitFromSsnSyn(const TcpSession *ssn, TcpStateQueue *q)
+     BUG_ON(ssn->state != TCP_SYN_SENT); // TODO
+     memset(q, 0, sizeof(*q));
++    q->seq = ssn->client.isn;
+     /* SYN won't use wscale yet. So window should be limited to 16 bits. */
+     DEBUG_VALIDATE_BUG_ON(ssn->server.window > UINT16_MAX);
+     q->win = (uint16_t)ssn->server.window;
+@@ -1817,8 +1818,9 @@ static void TcpStateQueueInitFromPktSyn(const Packet *p, TcpStateQueue *q)
+ #endif
+     memset(q, 0, sizeof(*q));
++    q->seq = TCP_GET_SEQ(p);
+     q->win = TCP_GET_WINDOW(p);
+-    q->pkt_ts = SCTIME_SECS(p->ts);
++    q->pkt_ts = (uint32_t)SCTIME_SECS(p->ts);
+     if (TCP_GET_SACKOK(p) == 1) {
+         q->flags |= STREAMTCP_QUEUE_FLAG_SACK;
+@@ -1846,6 +1848,7 @@ static void TcpStateQueueInitFromPktSynAck(const Packet *p, TcpStateQueue *q)
+ #endif
+     memset(q, 0, sizeof(*q));
++    q->seq = TCP_GET_ACK(p) - 1;
+     q->win = TCP_GET_WINDOW(p);
+     q->pkt_ts = SCTIME_SECS(p->ts);
+@@ -1870,36 +1873,62 @@ static void TcpStateQueueInitFromPktSynAck(const Packet *p, TcpStateQueue *q)
+ /** \internal
+  *  \brief Find the Queued SYN that is the same as this SYN/ACK
+  *  \retval q or NULL */
+-static const TcpStateQueue *StreamTcp3whsFindSyn(const TcpSession *ssn, TcpStateQueue *s)
++static const TcpStateQueue *StreamTcp3whsFindSyn(
++        const TcpSession *ssn, TcpStateQueue *s, TcpStateQueue **ret_tail)
+ {
+     SCLogDebug("ssn %p: search state:%p, isn:%u/win:%u/has_ts:%s/tsval:%u", ssn, s, s->seq, s->win,
+             BOOL2STR(s->flags & STREAMTCP_QUEUE_FLAG_TS), s->ts);
+-    for (const TcpStateQueue *q = ssn->queue; q != NULL; q = q->next) {
+-        SCLogDebug("ssn %p: queue state:%p, isn:%u/win:%u/has_ts:%s/tsval:%u", ssn, q, q->seq,
+-                q->win, BOOL2STR(q->flags & STREAMTCP_QUEUE_FLAG_TS), q->ts);
++    TcpStateQueue *last = NULL;
++    for (TcpStateQueue *q = ssn->queue; q != NULL; q = q->next) {
++        SCLogDebug("ssn %p: queue state:%p, isn:%u/win:%u/has_ts:%s/tsval:%u (last:%s)", ssn, q,
++                q->seq, q->win, BOOL2STR(q->flags & STREAMTCP_QUEUE_FLAG_TS), q->ts,
++                BOOL2STR(q->next == NULL));
+         if ((s->flags & STREAMTCP_QUEUE_FLAG_TS) == (q->flags & STREAMTCP_QUEUE_FLAG_TS) &&
+-                s->ts == q->ts) {
++                s->ts == q->ts && s->seq == q->seq) {
+             return q;
+         }
++        last = q;
+     }
++    if (ret_tail)
++        *ret_tail = last;
+     return NULL;
+ }
+-/** \note the SEQ values *must* be the same */
++/** \internal
++ *  \brief take oldest element in the list and replace it with the new data
++ */
++static void AddAndRotate(TcpSession *ssn, TcpStateQueue *tail, TcpStateQueue *search)
++{
++    TcpStateQueue *old_head = ssn->queue;
++    TcpStateQueue *new_head = old_head->next;
++    /* set new head */
++    ssn->queue = new_head;
++
++    /* old head node is now appended to the list tail */
++    tail->next = old_head;
++
++    *old_head = *search;
++    old_head->next = NULL;
++}
++
+ static int StreamTcp3whsStoreSyn(TcpSession *ssn, Packet *p)
+ {
+     TcpStateQueue search;
+     TcpStateQueueInitFromSsnSyn(ssn, &search);
++    TcpStateQueue *tail = NULL;
+     /* first see if this is already in our list */
+-    if (ssn->queue != NULL && StreamTcp3whsFindSyn(ssn, &search) != NULL)
++    if (ssn->queue != NULL && StreamTcp3whsFindSyn(ssn, &search, &tail) != NULL)
+         return 0;
+     if (ssn->queue_len == stream_config.max_syn_queued) {
+-        SCLogDebug("ssn %p: =~ SYN queue limit reached", ssn);
++        SCLogDebug("%" PRIu64 ": ssn %p: =~ SYN queue limit reached, rotate", p->pcap_cnt, ssn);
+         StreamTcpSetEvent(p, STREAM_3WHS_SYN_FLOOD);
+-        return -1;
++
++        /* add to the list, evicting the oldest entry */
++        AddAndRotate(ssn, tail, &search);
++        return 0;
+     }
+     if (StreamTcpCheckMemcap((uint32_t)sizeof(TcpStateQueue)) == 0) {
+@@ -1916,9 +1945,13 @@ static int StreamTcp3whsStoreSyn(TcpSession *ssn, Packet *p)
+     *q = search;
+     /* put in list */
+-    q->next = ssn->queue;
+-    ssn->queue = q;
++    if (tail)
++        tail->next = q;
++    if (ssn->queue == NULL)
++        ssn->queue = q;
+     ssn->queue_len++;
++    SCLogDebug("%" PRIu64 ": ssn %p: =~ SYN with SEQ %u added (queue_len %u)", p->pcap_cnt, ssn,
++            q->seq, ssn->queue_len);
+     return 0;
+ }
+@@ -1944,6 +1977,102 @@ static inline void StreamTcp3whsStoreSynApplyToSsn(TcpSession *ssn, const TcpSta
+     } else {
+         ssn->flags &= ~STREAMTCP_FLAG_CLIENT_SACKOK;
+     }
++    ssn->client.isn = q->seq;
++    ssn->client.base_seq = ssn->client.next_seq = ssn->client.isn + 1;
++    SCLogDebug("ssn: %p client.isn updated to %u", ssn, ssn->client.isn);
++}
++
++/** \internal
++ *  \brief handle SYN/ACK on SYN_SENT state (non-TFO case)
++ *
++ *  If packet doesn't match the session, check queued states (if any)
++ *
++ *  \retval true packet is accepted
++ *  \retval false packet is rejected
++ */
++static inline bool StateSynSentCheckSynAck3Whs(TcpSession *ssn, Packet *p, const bool ts_mismatch)
++{
++    const bool seq_match = SEQ_EQ(TCP_GET_ACK(p), ssn->client.isn + 1);
++    if (seq_match && !ts_mismatch) {
++        return true;
++    }
++
++    /* check the queued syns */
++    if (ssn->queue == NULL) {
++        goto failure;
++    }
++
++    TcpStateQueue search;
++    TcpStateQueueInitFromPktSynAck(p, &search);
++    SCLogDebug("%" PRIu64 ": ssn %p: SYN/ACK looking for SEQ %u", p->pcap_cnt, ssn, search.seq);
++
++    const TcpStateQueue *q = StreamTcp3whsFindSyn(ssn, &search, NULL);
++    if (q == NULL) {
++        SCLogDebug("not found: mismatch");
++        goto failure;
++    }
++
++    SCLogDebug("ssn %p: found queued SYN state:%p, isn:%u/win:%u/has_ts:%s/tsval:%u", ssn, q,
++            q->seq, q->win, BOOL2STR(q->flags & STREAMTCP_QUEUE_FLAG_TS), q->ts);
++    StreamTcp3whsStoreSynApplyToSsn(ssn, q);
++    return true;
++failure:
++    if (!seq_match) {
++        StreamTcpSetEvent(p, STREAM_3WHS_SYNACK_WITH_WRONG_ACK);
++    } else if (ts_mismatch) {
++        StreamTcpSetEvent(p, STREAM_PKT_INVALID_TIMESTAMP);
++    }
++    return false;
++}
++
++/** \internal
++ *  \brief handle SYN/ACK on SYN_SENT state (TFO case)
++ *
++ *  If packet doesn't match the session, check queued states (if any)
++ *
++ *  \retval true packet is accepted
++ *  \retval false packet is rejected
++ */
++static inline bool StateSynSentCheckSynAckTFO(TcpSession *ssn, Packet *p, const bool ts_mismatch)
++{
++    const bool seq_match_tfo = SEQ_EQ(TCP_GET_ACK(p), ssn->client.next_seq);
++    const bool seq_match_nodata = SEQ_EQ(TCP_GET_ACK(p), ssn->client.isn + 1);
++    if (seq_match_tfo && !ts_mismatch) {
++        // ok
++    } else if (seq_match_nodata && !ts_mismatch) {
++        ssn->client.next_seq = ssn->client.isn; // reset to ISN
++        SCLogDebug("ssn %p: (TFO) next_seq reset to isn (%u)", ssn, ssn->client.next_seq);
++        StreamTcpSetEvent(p, STREAM_3WHS_SYNACK_TFO_DATA_IGNORED);
++        ssn->flags |= STREAMTCP_FLAG_TFO_DATA_IGNORED;
++    } else {
++        /* check the queued syns */
++        if (ssn->queue == NULL) {
++            goto failure;
++        }
++
++        TcpStateQueue search;
++        TcpStateQueueInitFromPktSynAck(p, &search);
++        SCLogDebug("%" PRIu64 ": ssn %p: SYN/ACK looking for SEQ %u", p->pcap_cnt, ssn, search.seq);
++
++        const TcpStateQueue *q = StreamTcp3whsFindSyn(ssn, &search, NULL);
++        if (q == NULL) {
++            SCLogDebug("not found: mismatch");
++            goto failure;
++        }
++
++        SCLogDebug("ssn %p: found queued SYN state:%p, isn:%u/win:%u/has_ts:%s/tsval:%u", ssn, q,
++                q->seq, q->win, BOOL2STR(q->flags & STREAMTCP_QUEUE_FLAG_TS), q->ts);
++        StreamTcp3whsStoreSynApplyToSsn(ssn, q);
++    }
++    ssn->flags |= STREAMTCP_FLAG_TCP_FAST_OPEN;
++    return true;
++failure:
++    if (!seq_match_tfo && !seq_match_nodata) {
++        StreamTcpSetEvent(p, STREAM_3WHS_SYNACK_WITH_WRONG_ACK);
++    } else if (ts_mismatch) {
++        StreamTcpSetEvent(p, STREAM_PKT_INVALID_TIMESTAMP);
++    }
++    return false;
+ }
+ /**
+@@ -1965,72 +2094,38 @@ static int StreamTcpPacketStateSynSent(
+     /* common case: SYN/ACK from server to client */
+     if ((p->tcph->th_flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK) && PKT_IS_TOCLIENT(p)) {
+-        SCLogDebug("ssn %p: SYN/ACK on SYN_SENT state for packet %" PRIu64, ssn, p->pcap_cnt);
++        SCLogDebug("%" PRIu64 ": ssn %p: SYN/ACK on SYN_SENT state for packet %" PRIu64,
++                p->pcap_cnt, ssn, p->pcap_cnt);
++        const bool ts_mismatch = !StateSynSentValidateTimestamp(ssn, p);
+         if (!(TCP_HAS_TFO(p) || (ssn->flags & STREAMTCP_FLAG_TCP_FAST_OPEN))) {
+-            /* Check if the SYN/ACK packet ack's the earlier
+-             * received SYN packet. */
+-            if (!(SEQ_EQ(TCP_GET_ACK(p), ssn->client.isn + 1))) {
+-                StreamTcpSetEvent(p, STREAM_3WHS_SYNACK_WITH_WRONG_ACK);
+-                SCLogDebug("ssn %p: ACK mismatch, packet ACK %" PRIu32 " != "
+-                        "%" PRIu32 " from stream", ssn, TCP_GET_ACK(p),
+-                        ssn->client.isn + 1);
++            if (StateSynSentCheckSynAck3Whs(ssn, p, ts_mismatch)) {
++                SCLogDebug("ssn %p: ACK match, packet ACK %" PRIu32 " == "
++                           "%" PRIu32 " from stream",
++                        ssn, TCP_GET_ACK(p), ssn->client.isn + 1);
++            } else {
++                SCLogDebug("ssn %p: (3WHS) ACK mismatch, packet ACK %" PRIu32 " != "
++                           "%" PRIu32 " from stream",
++                        ssn, TCP_GET_ACK(p), ssn->client.next_seq);
+                 return -1;
+             }
+         } else {
+-            if (SEQ_EQ(TCP_GET_ACK(p), ssn->client.next_seq)) {
++            if (StateSynSentCheckSynAckTFO(ssn, p, ts_mismatch)) {
+                 SCLogDebug("ssn %p: (TFO) ACK matches next_seq, packet ACK %" PRIu32 " == "
+                            "%" PRIu32 " from stream",
+                         ssn, TCP_GET_ACK(p), ssn->client.next_seq);
+-            } else if (SEQ_EQ(TCP_GET_ACK(p), ssn->client.isn + 1)) {
+-                SCLogDebug("ssn %p: (TFO) ACK matches ISN+1, packet ACK %" PRIu32 " == "
+-                           "%" PRIu32 " from stream",
+-                        ssn, TCP_GET_ACK(p), ssn->client.isn + 1);
+-                ssn->client.next_seq = ssn->client.isn; // reset to ISN
+-                SCLogDebug("ssn %p: (TFO) next_seq reset to isn (%u)", ssn, ssn->client.next_seq);
+-                StreamTcpSetEvent(p, STREAM_3WHS_SYNACK_TFO_DATA_IGNORED);
+-                ssn->flags |= STREAMTCP_FLAG_TFO_DATA_IGNORED;
+             } else {
+-                StreamTcpSetEvent(p, STREAM_3WHS_SYNACK_WITH_WRONG_ACK);
+                 SCLogDebug("ssn %p: (TFO) ACK mismatch, packet ACK %" PRIu32 " != "
+                         "%" PRIu32 " from stream", ssn, TCP_GET_ACK(p),
+                         ssn->client.next_seq);
+                 return -1;
+             }
+-            ssn->flags |= STREAMTCP_FLAG_TCP_FAST_OPEN;
+-            StreamTcpPacketSetState(p, ssn, TCP_ESTABLISHED);
+-        }
+-
+-        const bool ts_mismatch = !StateSynSentValidateTimestamp(ssn, p);
+-        if (ts_mismatch) {
+-            SCLogDebug("ssn %p: ts_mismatch:%s", ssn, BOOL2STR(ts_mismatch));
+-            if (ssn->queue) {
+-                TcpStateQueue search;
+-                TcpStateQueueInitFromPktSynAck(p, &search);
+-
+-                const TcpStateQueue *q = StreamTcp3whsFindSyn(ssn, &search);
+-                if (q == NULL) {
+-                    SCLogDebug("not found: mismatch");
+-                    StreamTcpSetEvent(p, STREAM_PKT_INVALID_TIMESTAMP);
+-                    return -1;
+-                }
+-                SCLogDebug("ssn %p: found queued SYN state:%p, isn:%u/win:%u/has_ts:%s/tsval:%u",
+-                        ssn, q, q->seq, q->win, BOOL2STR(q->flags & STREAMTCP_QUEUE_FLAG_TS),
+-                        q->ts);
+-
+-                StreamTcp3whsStoreSynApplyToSsn(ssn, q);
+-
+-            } else {
+-                SCLogDebug("not found: no queue");
+-                StreamTcpSetEvent(p, STREAM_PKT_INVALID_TIMESTAMP);
+-                return -1;
+-            }
+         }
+-
+         /* clear ssn->queue on state change: TcpSession can be reused by SYN/ACK */
+         StreamTcp3wsFreeQueue(ssn);
+         StreamTcp3whsSynAckUpdate(ssn, p, /* no queue override */NULL);
++        SCLogDebug("%" PRIu64 ": ssn %p: SYN/ACK on SYN_SENT state: accepted", p->pcap_cnt, ssn);
+         return 0;
+     } else if ((p->tcph->th_flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK) && PKT_IS_TOSERVER(p)) {
+-- 
+2.51.0
+
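Review bot: `AddAndRotate()` in the `src/stream-tcp.c` part dereferences `ssn->queue` and `tail` without checking them, and `StreamTcp3whsStoreSyn()` reaches it whenever `ssn->queue_len == stream_config.max_syn_queued`. With a single queued entry `tail` is the head itself, so `ssn->queue` is set to NULL and the node drops out of the list while `queue_len` stays unchanged; with an empty queue both pointers are NULL. Whether the configured limit can be 0 or 1 is not visible here, so this should be confirmed against the option parsing; if it can, a guard such as `if (old_head == NULL || tail == NULL) return;` followed by `if (tail == old_head) { *old_head = *search; old_head->next = NULL; return; }` at the top of `AddAndRotate()` keeps the list consistent. Separately, `TcpStateQueueInitFromPktSynAck()` still assigns `q->pkt_ts = SCTIME_SECS(p->ts);` without the `(uint32_t)` cast that the SYN variant gained in this patch.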
diff --git a/patches/CVE-2025-64330.patch b/patches/CVE-2025-64330.patch
new file mode 100644 (file)
index 0000000..fa98e31
--- /dev/null
@@ -0,0 +1,50 @@
+From 5d6c24cc2ce6a390c0956b7ecb2c5efc47e72abc Mon Sep 17 00:00:00 2001
+From: Juliana Fajardini <jufajardini@oisf.net>
+Date: Fri, 31 Oct 2025 21:38:12 -0700
+Subject: [PATCH] output/alert: fix alert index access for verdict
+
+The engine uses p.alerts.cnt as an index to access the packet alert that
+has the `pass` action for the verdict.
+For IDS/IPS mode, a `pass` will always be the last signature in the
+alert queue. However, that position could be either `p.alerts.cnt` or
+`p.alerts.cnt-1`, depending on whether the `pass` rule has the `alert`
+keyword or not.
+This patch fix corner-case scenarios of:
+- accessing an index out of boundaries
+- off-by-one access
+Without changing how the engine increments the alerts.cnt, as this is
+used in many places, and would be a more invasive change.
+It checks the two different scenarios, plus the case when there is only
+a single match as a silent `pass` rule.
+
+Bug #8021
+Bug #7630
+
+Origin: upstream, https://github.com/OISF/suricata/commit/5d6c24cc2ce6a390c0956b7ecb2c5efc47e72abc.patch
+Bug: https://redmine.openinfosecfoundation.org/issues/8021
+Subject: Upstream fix for CVE-2025-64330
+---
+ src/output-json-alert.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/output-json-alert.c b/src/output-json-alert.c
+index 495b8285f..8c000cb2a 100644
+--- a/src/output-json-alert.c
++++ b/src/output-json-alert.c
+@@ -702,7 +702,12 @@ void EveAddVerdict(JsonBuilder *jb, const Packet *p)
+     } else if (PacketCheckAction(p, ACTION_DROP) && EngineModeIsIPS()) {
+         JB_SET_STRING(jb, "action", "drop");
+-    } else if (p->alerts.alerts[p->alerts.cnt].action & ACTION_PASS) {
++    } else if (p->alerts.cnt == 0 ||
++               (p->alerts.cnt <= packet_alert_max &&
++                       (p->alerts.alerts[p->alerts.cnt - 1].action &
++                               (ACTION_PASS | ACTION_ALERT)) == (ACTION_PASS | ACTION_ALERT)) ||
++               (p->alerts.cnt < packet_alert_max &&
++                       p->alerts.alerts[p->alerts.cnt].action & ACTION_PASS)) {
+         JB_SET_STRING(jb, "action", "pass");
+     } else {
+         // TODO make sure we don't have a situation where this wouldn't work
+-- 
+2.51.2
+
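Review bot: The first clause of the new condition in EveAddVerdict, `p->alerts.cnt == 0`, yields a `pass` verdict for every packet that reaches this branch with no counted alerts, which looks wider than the single silent-`pass` match the description mentions; whether other packets can get here depends on the earlier branches and the callers, which start outside these lines. The third clause reads `alerts[p->alerts.cnt]`, one slot past the counted entries, so it appears to rely on that slot holding either a silent pass or cleared data. A comment above the condition would make both assumptions reviewable, for example `/* cnt == 0: only a silent pass matched; [cnt-1]: pass rule that also alerts; [cnt]: silent pass stored past the counted alerts */`.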
diff --git a/patches/CVE-2025-64331.patch b/patches/CVE-2025-64331.patch
new file mode 100644 (file)
index 0000000..ddd25fc
--- /dev/null
@@ -0,0 +1,259 @@
+From 5abf9b81e78476f49ab074f3a74b5840747cd069 Mon Sep 17 00:00:00 2001
+From: Philippe Antoine <pantoine@oisf.net>
+Date: Thu, 30 Oct 2025 11:18:15 +0100
+Subject: [PATCH] output/jsonbuilder: helper function SCJbSetPrintAsciiString
+
+To replace C PrintStringsToBuffer and avoid a stack alloc
++ copy
+
+Ticket: 8004
+(cherry picked from commit 7447651fa0956ff4ce55283a51b4a9494ec8cc6a)
+
+Origin: upstream, https://github.com/OISF/suricata/commit/5abf9b81e78476f49ab074f3a74b5840747cd069.patch
+Bug: https://redmine.openinfosecfoundation.org/issues/8004
+Subject: Upstream fix for CVE-2025-64331
+---
+ rust/src/jsonbuilder.rs | 60 +++++++++++++++++++++++++++++++++++++++++
+ src/output-json-alert.c | 15 +++--------
+ src/output-json-frame.c | 12 ++-------
+ src/output-json-http.c  |  9 +------
+ src/output-json.c       | 36 +++++--------------------
+ 5 files changed, 72 insertions(+), 60 deletions(-)
+
+--- a/rust/src/jsonbuilder.rs
++++ b/rust/src/jsonbuilder.rs
+@@ -527,6 +527,52 @@
+         }
+     }
++    /// Set a key with a string value taking only ascii-printable bytes.
++    /// Non-printable characters are replaced by a dot `.`, except
++    /// CR and LF which are escaped the regular json way \r and \n
++    pub fn set_print_ascii(&mut self, key: &str, val: &[u8]) -> Result<&mut Self, JsonError> {
++        match self.current_state() {
++            State::ObjectNth => {
++                self.push(',')?;
++            }
++            State::ObjectFirst => {
++                self.set_state(State::ObjectNth);
++            }
++            _ => {
++                debug_validate_fail!("invalid state");
++                return Err(JsonError::InvalidState);
++            }
++        }
++        self.push('"')?;
++        self.push_str(key)?;
++        self.push_str("\":\"")?;
++        for &x in val.iter() {
++            match x {
++                b'\r' => {
++                    self.push_str("\\r")?;
++                }
++                b'\n'=> {
++                    self.push_str("\\n")?;
++                }
++                b'"'=> {
++                    self.push_str("\\\"")?;
++                }
++                b'\\'=> {
++                    self.push_str("\\\\")?;
++                }
++                _ => {
++                    if !x.is_ascii() || x.is_ascii_control()  {
++                        self.push('.')?;
++                    } else {
++                        self.push(x as char)?;
++                    }
++                }
++            }
++        }
++        self.push('"')?;
++        Ok(self)
++    }
++
+     /// Set a key and a string value (from bytes) on an object, with a limited size
+     pub fn set_string_from_bytes_limited(&mut self, key: &str, val: &[u8], limit: usize) -> Result<&mut Self, JsonError> {
+         let mut valtrunc = Vec::new();
+@@ -883,6 +929,20 @@
+     }
+     return false;
+ }
++
++#[no_mangle]
++pub unsafe extern "C" fn SCJbSetPrintAsciiString(
++    js: &mut JsonBuilder, key: *const c_char, bytes: *const u8, len: u32,
++) -> bool {
++    if bytes.is_null() || len == 0 {
++        return false;
++    }
++    if let Ok(key) = CStr::from_ptr(key).to_str() {
++        let val = std::slice::from_raw_parts(bytes, len as usize);
++        return js.set_print_ascii(key, val).is_ok();
++    }
++    return false;
++}
+ #[no_mangle]
+ pub unsafe extern "C" fn jb_set_base64(
+--- a/src/output-json-alert.c
++++ b/src/output-json-alert.c
+@@ -452,13 +452,7 @@
+     }
+     if (json_output_ctx->flags & LOG_JSON_PAYLOAD) {
+-        uint8_t printable_buf[p->payload_len + 1];
+-        uint32_t offset = 0;
+-        PrintStringsToBuffer(printable_buf, &offset,
+-                p->payload_len + 1,
+-                p->payload, p->payload_len);
+-        printable_buf[p->payload_len] = '\0';
+-        jb_set_string(js, "payload_printable", (char *)printable_buf);
++        SCJbSetPrintAsciiString(js, "payload_printable", p->payload, p->payload_len);
+     }
+ }
+@@ -764,11 +758,8 @@
+         }
+         if (json_output_ctx->flags & LOG_JSON_PAYLOAD) {
+-            uint8_t printable_buf[cbd.payload->offset + 1];
+-            uint32_t offset = 0;
+-            PrintStringsToBuffer(printable_buf, &offset, sizeof(printable_buf), cbd.payload->buffer,
+-                    cbd.payload->offset);
+-            jb_set_string(jb, "payload_printable", (char *)printable_buf);
++            SCJbSetPrintAsciiString(
++                    jb, "payload_printable", cbd.payload->buffer, cbd.payload->offset);
+         }
+         return true;
+     }
+--- a/src/output-json-frame.c
++++ b/src/output-json-frame.c
+@@ -202,11 +202,7 @@
+     if (cbd.payload->offset) {
+         jb_set_base64(jb, "payload", cbd.payload->buffer, cbd.payload->offset);
+-        uint8_t printable_buf[cbd.payload->offset + 1];
+-        uint32_t offset = 0;
+-        PrintStringsToBuffer(printable_buf, &offset, sizeof(printable_buf), cbd.payload->buffer,
+-                cbd.payload->offset);
+-        jb_set_string(jb, "payload_printable", (char *)printable_buf);
++        SCJbSetPrintAsciiString(jb, "payload_printable", cbd.payload->buffer, cbd.payload->offset);
+         jb_set_bool(jb, "complete", complete);
+     }
+ }
+@@ -235,11 +231,7 @@
+     const uint32_t log_data_len = MIN(data_len, 256);
+     jb_set_base64(js, "payload", data, log_data_len);
+-    uint8_t printable_buf[log_data_len + 1];
+-    uint32_t o = 0;
+-    PrintStringsToBuffer(printable_buf, &o, log_data_len + 1, data, log_data_len);
+-    printable_buf[log_data_len] = '\0';
+-    jb_set_string(js, "payload_printable", (char *)printable_buf);
++    SCJbSetPrintAsciiString(js, "payload_printable", data, log_data_len);
+ #if 0
+     char pretty_buf[data_len * 4 + 1];
+     pretty_buf[0] = '\0';
+--- a/src/output-json-http.c
++++ b/src/output-json-http.c
+@@ -366,7 +366,6 @@
+ static void BodyPrintableBuffer(JsonBuilder *js, HtpBody *body, const char *key)
+ {
+     if (body->sb != NULL && body->sb->region.buf != NULL) {
+-        uint32_t offset = 0;
+         const uint8_t *body_data;
+         uint32_t body_data_len;
+         uint64_t body_offset;
+@@ -376,13 +375,7 @@
+             return;
+         }
+-        uint8_t printable_buf[body_data_len + 1];
+-        PrintStringsToBuffer(printable_buf, &offset,
+-                             sizeof(printable_buf),
+-                             body_data, body_data_len);
+-        if (offset > 0) {
+-            jb_set_string(js, key, (char *)printable_buf);
+-        }
++        SCJbSetPrintAsciiString(js, key, body_data, body_data_len);
+     }
+ }
+--- a/src/output-json.c
++++ b/src/output-json.c
+@@ -210,22 +210,10 @@
+                 PrintStringsToBuffer(keybuf, &offset,
+                         sizeof(keybuf),
+                         pv->key, pv->key_len);
+-                uint32_t len = pv->value_len;
+-                uint8_t printable_buf[len + 1];
+-                offset = 0;
+-                PrintStringsToBuffer(printable_buf, &offset,
+-                        sizeof(printable_buf),
+-                        pv->value, pv->value_len);
+-                jb_set_string(js_vars, (char *)keybuf, (char *)printable_buf);
++                SCJbSetPrintAsciiString(js_vars, (char *)keybuf, pv->value, pv->value_len);
+             } else {
+                 const char *varname = VarNameStoreLookupById(pv->id, VAR_TYPE_PKT_VAR);
+-                uint32_t len = pv->value_len;
+-                uint8_t printable_buf[len + 1];
+-                uint32_t offset = 0;
+-                PrintStringsToBuffer(printable_buf, &offset,
+-                        sizeof(printable_buf),
+-                        pv->value, pv->value_len);
+-                jb_set_string(js_vars, varname, (char *)printable_buf);
++                SCJbSetPrintAsciiString(js_vars, varname, pv->value, pv->value_len);
+             }
+             jb_close(js_vars);
+         }
+@@ -276,15 +264,9 @@
+                             break;
+                     }
+-                    uint32_t len = fv->data.fv_str.value_len;
+-                    uint8_t printable_buf[len + 1];
+-                    uint32_t offset = 0;
+-                    PrintStringsToBuffer(printable_buf, &offset,
+-                            sizeof(printable_buf),
+-                            fv->data.fv_str.value, fv->data.fv_str.value_len);
+-
+                     jb_start_object(js_flowvars);
+-                    jb_set_string(js_flowvars, varname, (char *)printable_buf);
++                    SCJbSetPrintAsciiString(
++                            js_flowvars, varname, fv->data.fv_str.value, fv->data.fv_str.value_len);
+                     jb_close(js_flowvars);
+                 }
+             } else if (fv->datatype == FLOWVAR_TYPE_STR && fv->key != NULL) {
+@@ -300,15 +282,9 @@
+                         sizeof(keybuf),
+                         fv->key, fv->keylen);
+-                uint32_t len = fv->data.fv_str.value_len;
+-                uint8_t printable_buf[len + 1];
+-                offset = 0;
+-                PrintStringsToBuffer(printable_buf, &offset,
+-                        sizeof(printable_buf),
+-                        fv->data.fv_str.value, fv->data.fv_str.value_len);
+-
+                 jb_start_object(js_flowvars);
+-                jb_set_string(js_flowvars, (const char *)keybuf, (char *)printable_buf);
++                SCJbSetPrintAsciiString(js_flowvars, (const char *)keybuf, fv->data.fv_str.value,
++                        fv->data.fv_str.value_len);
+                 jb_close(js_flowvars);
+             } else if (fv->datatype == FLOWVAR_TYPE_INT) {
+                 const char *varname = VarNameStoreLookupById(fv->idx,
+--- a/rust/dist/rust-bindings.h
++++ b/rust/dist/rust-bindings.h
+@@ -4898,6 +4898,11 @@
+                               const uint8_t *bytes,
+                               uint32_t len);
++bool SCJbSetPrintAsciiString(struct JsonBuilder *js,
++                             const char *key,
++                             const uint8_t *bytes,
++                             uint32_t len);
++
+ bool jb_set_base64(struct JsonBuilder *js,
+                    const char *key,
+                    const uint8_t *bytes,
diff --git a/patches/CVE-2025-64332.patch b/patches/CVE-2025-64332.patch
new file mode 100644 (file)
index 0000000..6d7e34c
--- /dev/null
@@ -0,0 +1,44 @@
+From f67d72702a2601d0a86ac1450686e70d7176f629 Mon Sep 17 00:00:00 2001
+From: Philippe Antoine <pantoine@oisf.net>
+Date: Thu, 30 Oct 2025 11:27:22 +0100
+Subject: [PATCH] util/swf: move allocation from stack to heap
+
+As it can overflow the stack
+
+Ticket: 8055
+(cherry picked from commit a84addb771846f6d4d55ec535a4591f58369e49c)
+
+Origin: upstream, https://github.com/OISF/suricata/commit/f67d72702a2601d0a86ac1450686e70d7176f629.patch
+Bug: https://redmine.openinfosecfoundation.org/issues/8055
+Subject: Upstream fix for CVE-2025-64332
+---
+ src/util-file-decompression.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/util-file-decompression.c b/src/util-file-decompression.c
+index dfafdc87f..bf65b0b7c 100644
+--- a/src/util-file-decompression.c
++++ b/src/util-file-decompression.c
+@@ -169,7 +169,10 @@ int FileSwfDecompression(const uint8_t *buffer, uint32_t buffer_len,
+          * | LZMA properties | Uncompressed length | Compressed data |
+          */
+         compressed_data_len += 13;
+-        uint8_t compressed_data[compressed_data_len];
++        uint8_t *compressed_data = SCCalloc(1, compressed_data_len);
++        if (compressed_data == NULL) {
++            goto error;
++        }
+         /* put lzma properties */
+         memcpy(compressed_data, buffer + 12, 5);
+         /* put lzma end marker */
+@@ -183,6 +186,7 @@ int FileSwfDecompression(const uint8_t *buffer, uint32_t buffer_len,
+         r = FileSwfLzmaDecompression(det_ctx,
+                                      compressed_data, compressed_data_len,
+                                      out_buffer->buf + 8, out_buffer->len - 8);
++        SCFree(compressed_data);
+         if (r == 0)
+             goto error;
+     } else {
+-- 
+2.51.2
+
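Review bot: `SCCalloc(1, compressed_data_len)` in FileSwfDecompression still sizes the buffer from a length that appears to come from the input, so the change trades stack exhaustion for a potentially large heap allocation unless the length is capped earlier; any such cap is outside these lines. The only release is the `SCFree(compressed_data)` after `FileSwfLzmaDecompression`, which is correct only while no exit path sits between the allocation and that call, and the lines between the two parts of the change are not shown. A comment at the allocation, such as `/* heap, not stack: length is input-derived; freed right after decompression */`, would record the ownership for the next edit.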
diff --git a/patches/CVE-2025-64333.patch b/patches/CVE-2025-64333.patch
new file mode 100644 (file)
index 0000000..59b5013
--- /dev/null
@@ -0,0 +1,45 @@
+From 4b1d284bb57219b6677a8bda5cdc14a24a6aa22d Mon Sep 17 00:00:00 2001
+From: Philippe Antoine <pantoine@oisf.net>
+Date: Thu, 30 Oct 2025 11:43:27 +0100
+Subject: [PATCH] output/http: log content-type like other headers
+
+Ticket: 8056
+
+Avoid stack allocation.
+Do not handle null and ; especially
+
+(cherry picked from commit b8411fcc8dfc16910c3080d4d8c03a9a64c3a1f7)
+
+Origin: upstream, https://github.com/OISF/suricata/commit/4b1d284bb57219b6677a8bda5cdc14a24a6aa22d.patch
+Bug: https://redmine.openinfosecfoundation.org/issues/8056
+Subject: Upstream fix for CVE-2025-64333
+---
+ src/output-json-http.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/src/output-json-http.c b/src/output-json-http.c
+index bd3f6a116..87191caa9 100644
+--- a/src/output-json-http.c
++++ b/src/output-json-http.c
+@@ -237,13 +237,12 @@ static void EveHttpLogJSONBasic(JsonBuilder *js, htp_tx_t *tx)
+     if (tx->response_headers != NULL) {
+         htp_header_t *h_content_type = htp_table_get_c(tx->response_headers, "content-type");
+         if (h_content_type != NULL) {
+-            const size_t size = bstr_len(h_content_type->value) * 2 + 1;
+-            char string[size];
+-            BytesToStringBuffer(bstr_ptr(h_content_type->value), bstr_len(h_content_type->value), string, size);
+-            char *p = strchr(string, ';');
++            uint32_t len = (uint32_t)bstr_len(h_content_type->value);
++            const uint8_t *p = memchr(bstr_ptr(h_content_type->value), ';', len);
+             if (p != NULL)
+-                *p = '\0';
+-            jb_set_string(js, "http_content_type", string);
++                len = (uint32_t)(p - bstr_ptr(h_content_type->value));
++            jb_set_string_from_bytes(
++                    js, "http_content_type", bstr_ptr(h_content_type->value), len);
+         }
+         htp_header_t *h_content_range = htp_table_get_c(tx->response_headers, "content-range");
+         if (h_content_range != NULL) {
+-- 
+2.51.2
+
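Review bot: The new code in EveHttpLogJSONBasic still cuts the logged value at the first `;` (the `memchr` and the `len` adjustment), while the description reads as saying `;` is no longer handled specially, so one of the two should be corrected. A comment stating the intent would settle it, e.g. `/* log only the media type: stop at the first ';' */`. `bstr_ptr(h_content_type->value)` is evaluated three times and the pointer difference is narrowed with a cast; holding it in `const uint8_t *val = bstr_ptr(h_content_type->value);` makes the length arithmetic easier to check.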
diff --git a/patches/CVE-2025-64344.patch b/patches/CVE-2025-64344.patch
new file mode 100644 (file)
index 0000000..f74ce10
--- /dev/null
@@ -0,0 +1,50 @@
+From a7ff4c9ba53009680c7cd128b16c28d0aeda9886 Mon Sep 17 00:00:00 2001
+From: Victor Julien <vjulien@oisf.net>
+Date: Fri, 31 Oct 2025 09:38:55 +0100
+Subject: [PATCH] lua: remove luajit pushlstring workaround
+
+81ee6f5aadeb ("lua: push correct length back through ScFlowvarGet, work around valgrind warning")
+added a workaround for valgrind warnings in pushing a string buffer
+into the lua state. This is no longer needed as tested with both
+address sanitizer and valgrind.
+
+(cherry picked from commit 52fd61dffdfa50c9a2d4ec24865a54da0b8f0a2a)
+
+Origin: upstream, https://github.com/OISF/suricata/commit/a7ff4c9ba53009680c7cd128b16c28d0aeda9886.patch
+Bug: https://redmine.openinfosecfoundation.org/issues/8065
+Subject: Upstream fix for CVE-2025-64344
+---
+ src/util-lua.c | 17 +----------------
+ 1 file changed, 1 insertion(+), 16 deletions(-)
+
+diff --git a/src/util-lua.c b/src/util-lua.c
+index 9e65c3017..3dd1d3150 100644
+--- a/src/util-lua.c
++++ b/src/util-lua.c
+@@ -328,22 +328,7 @@ void LuaPrintStack(lua_State *state) {
+ int LuaPushStringBuffer(lua_State *luastate, const uint8_t *input, size_t input_len)
+ {
+-    if (input_len % 4 != 0) {
+-        /* we're using a buffer sized at a multiple of 4 as lua_pushlstring generates
+-         * invalid read errors in valgrind otherwise. Adding in a nul to be sure.
+-         *
+-         * Buffer size = len + 1 (for nul) + whatever makes it a multiple of 4 */
+-        size_t buflen = input_len + 1 + ((input_len + 1) % 4);
+-        uint8_t buf[buflen];
+-        memset(buf, 0x00, buflen);
+-        memcpy(buf, input, input_len);
+-        buf[input_len] = '\0';
+-
+-        /* return value through luastate, as a luastring */
+-        lua_pushlstring(luastate, (char *)buf, input_len);
+-    } else {
+-        lua_pushlstring(luastate, (char *)input, input_len);
+-    }
++    lua_pushlstring(luastate, (char *)input, input_len);
+     return 1;
+ }
+-- 
+2.51.2
+
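Review bot: The remaining call in LuaPushStringBuffer drops the qualifier with `(char *)input`; `lua_pushlstring` takes a `const char *`, so `lua_pushlstring(luastate, (const char *)input, input_len);` keeps it. The removed branch copied the input into a stack array sized from `input_len`, which the description does not mention, so a short function comment such as `/* input is passed to Lua directly; no intermediate stack copy */` would tell later readers not to reintroduce a local buffer here.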
diff --git a/patches/CVE-2026-22258_1.patch b/patches/CVE-2026-22258_1.patch
new file mode 100644 (file)
index 0000000..719b096
--- /dev/null
@@ -0,0 +1,286 @@
+From f82a388d0283725cb76782cf64e8341cab370830 Mon Sep 17 00:00:00 2001
+From: Shivani Bhardwaj <shivani@oisf.net>
+Date: Tue, 6 Jan 2026 16:44:52 +0530
+Subject: [PATCH 1/3] dcerpc: add upper limit on stub data
+
+DCERPC parsers had no upper bounds when it came to extending the stub
+data buffer. Traffic can be crafted to bypass some internal parser
+conditions to create an indefinite buffering in the stub_data array that
+can make Suricata crash.
+
+Add a default limit of 1MiB and make it configurable for the user.
+
+Security 8182
+
+Co-authored-by: Philippe Antoine <pantoine@oisf.net>
+(cherry picked from commit e412215af990feeffbb66c7dd9f392813a20ae50)
+
+Origin: upstream, https://github.com/OISF/suricata/commit/f82a388d0283725cb76782cf64e8341cab370830.patch
+Bug: https://redmine.openinfosecfoundation.org/issues/8182
+Subject: Upstream fix for CVE-2026-22258 part 1
+---
+ rust/src/dcerpc/dcerpc.rs     | 31 +++++++++++++++++++++++++++++--
+ rust/src/dcerpc/dcerpc_udp.rs | 18 +++++++++++++-----
+ rust/src/smb/dcerpc.rs        | 31 +++++++++++++++++++++++--------
+ rust/src/smb/smb.rs           | 23 +++++++++++++++++++++++
+ suricata.yaml.in              |  4 ++++
+ 5 files changed, 92 insertions(+), 15 deletions(-)
+
+diff --git a/rust/src/dcerpc/dcerpc.rs b/rust/src/dcerpc/dcerpc.rs
+index 5469b736b..7297ff82e 100644
+--- a/rust/src/dcerpc/dcerpc.rs
++++ b/rust/src/dcerpc/dcerpc.rs
+@@ -25,7 +25,9 @@ use std;
+ use std::cmp;
+ use std::ffi::CString;
+ use std::collections::VecDeque;
+-use crate::conf::conf_get;
++use crate::conf::{conf_get, get_memval};
++
++pub static mut DCERPC_MAX_STUB_SIZE: u32 = 1048576;
+ // Constant DCERPC UDP Header length
+ pub const DCERPC_HDR_LEN: u16 = 16;
+@@ -163,6 +165,11 @@ pub fn get_req_type_for_resp(t: u8) -> u8 {
+         _ => DCERPC_TYPE_UNKNOWN,
+     }
+ }
++#[inline(always)]
++pub fn cfg_max_stub_size() -> u32 {
++    unsafe { DCERPC_MAX_STUB_SIZE }
++}
++
+ #[derive(Default, Debug)]
+ pub struct DCERPCTransaction {
+@@ -1096,7 +1103,12 @@ fn evaluate_stub_params(
+     }
+     let input_slice = &input[..stub_len as usize];
+-    stub_data_buffer.extend_from_slice(input_slice);
++    let max_size = cfg_max_stub_size() as usize;
++    if (stub_data_buffer.len() + input_slice.len()) < max_size {
++        stub_data_buffer.extend_from_slice(input_slice);
++    } else if stub_data_buffer.len() < max_size {
++        stub_data_buffer.extend_from_slice(&input_slice[..max_size - stub_data_buffer.len()]);
++    }
+     stub_len
+ }
+@@ -1396,6 +1408,21 @@ pub unsafe extern "C" fn rs_dcerpc_register_parser() {
+             }
+         }
+         SCLogDebug!("Rust DCERPC parser registered.");
++        let retval = conf_get("app-layer.protocols.dcerpc.max-stub-size");
++        if let Some(val) = retval {
++            match get_memval(val) {
++                Ok(retval) => {
++                    if retval > 0 {
++                        DCERPC_MAX_STUB_SIZE = retval as u32;
++                    } else {
++                        SCLogError!("Invalid max-stub-size value");
++                    }
++                }
++                Err(_) => {
++                    SCLogError!("Invalid max-stub-size value");
++                }
++            }
++        }
+     } else {
+         SCLogDebug!("Protocol detector and parser disabled for DCERPC.");
+     }
+diff --git a/rust/src/dcerpc/dcerpc_udp.rs b/rust/src/dcerpc/dcerpc_udp.rs
+index d70ca1b53..0a6213a87 100644
+--- a/rust/src/dcerpc/dcerpc_udp.rs
++++ b/rust/src/dcerpc/dcerpc_udp.rs
+@@ -1,4 +1,4 @@
+-/* Copyright (C) 2020 Open Information Security Foundation
++/* Copyright (C) 2020-2026 Open Information Security Foundation
+  *
+  * You can copy, redistribute or modify this Program under the terms of
+  * the GNU General Public License version 2 as published by the Free
+@@ -19,7 +19,7 @@ use crate::applayer::{self, *};
+ use crate::core::{self, Direction, DIR_BOTH};
+ use crate::dcerpc::dcerpc::{
+     DCERPCTransaction, DCERPC_MAX_TX, DCERPC_TYPE_REQUEST, DCERPC_TYPE_RESPONSE, PFCL1_FRAG, PFCL1_LASTFRAG,
+-    rs_dcerpc_get_alstate_progress, ALPROTO_DCERPC, PARSER_NAME,
++    rs_dcerpc_get_alstate_progress, ALPROTO_DCERPC, PARSER_NAME, cfg_max_stub_size,
+ };
+ use nom7::Err;
+ use std;
+@@ -169,18 +169,27 @@ impl DCERPCUDPState {
+             tx.tx_data.updated_ts = true;
+             let done = (hdr.flags1 & PFCL1_FRAG) == 0 || (hdr.flags1 & PFCL1_LASTFRAG) != 0;
++            let max_size = cfg_max_stub_size() as usize;
+             match hdr.pkt_type {
+                 DCERPC_TYPE_REQUEST => {
+-                    tx.stub_data_buffer_ts.extend_from_slice(input);
+                     tx.frag_cnt_ts += 1;
++                    if input.len() + tx.stub_data_buffer_ts.len() < max_size {
++                        tx.stub_data_buffer_ts.extend_from_slice(input);
++                    } else if tx.stub_data_buffer_ts.len() < max_size {
++                        tx.stub_data_buffer_ts.extend_from_slice(&input[..max_size - tx.stub_data_buffer_ts.len()]);
++                    }
+                     if done {
+                         tx.req_done = true;
+                     }
+                     return true;
+                 }
+                 DCERPC_TYPE_RESPONSE => {
+-                    tx.stub_data_buffer_tc.extend_from_slice(input);
+                     tx.frag_cnt_tc += 1;
++                    if input.len() + tx.stub_data_buffer_tc.len() < max_size {
++                        tx.stub_data_buffer_tc.extend_from_slice(input);
++                    } else if tx.stub_data_buffer_tc.len() < max_size {
++                        tx.stub_data_buffer_tc.extend_from_slice(&input[..max_size - tx.stub_data_buffer_tc.len()]);
++                    }
+                     if done {
+                         tx.resp_done = true;
+                     }
+@@ -397,7 +406,6 @@ pub unsafe extern "C" fn rs_dcerpc_udp_register_parser() {
+     }
+ }
+-
+ #[cfg(test)]
+ mod tests {
+     use crate::applayer::AppLayerResult;
+diff --git a/rust/src/smb/dcerpc.rs b/rust/src/smb/dcerpc.rs
+index 6c2a2f934..1e62241bb 100644
+--- a/rust/src/smb/dcerpc.rs
++++ b/rust/src/smb/dcerpc.rs
+@@ -18,7 +18,7 @@
+ // written by Victor Julien
+ use uuid;
+-use crate::smb::smb::*;
++use crate::smb::smb::{cfg_max_stub_size, *};
+ use crate::smb::smb2::*;
+ use crate::smb::dcerpc_records::*;
+ use crate::smb::events::*;
+@@ -205,10 +205,15 @@ pub fn smb_write_dcerpc_record(state: &mut SMBState,
+                                 SCLogDebug!("previous CMD {} found at tx {} => {:?}",
+                                         dcer.packet_type, tx.id, tx);
+                                 if let Some(SMBTransactionTypeData::DCERPC(ref mut tdn)) = tx.type_data {
+-                                    SCLogDebug!("additional frag of size {}", recr.data.len());
+-                                    tdn.stub_data_ts.extend_from_slice(recr.data);
+                                     tdn.frag_cnt_ts += 1;
+-                                    SCLogDebug!("stub_data now {}", tdn.stub_data_ts.len());
++                                    let max_size = cfg_max_stub_size() as usize;
++                                    if recr.data.len() + tdn.stub_data_ts.len() < max_size {
++                                        SCLogDebug!("additional frag of size {}", recr.data.len());
++                                        tdn.stub_data_ts.extend_from_slice(recr.data);
++                                        SCLogDebug!("stub_data now {}", tdn.stub_data_ts.len());
++                                    } else if tdn.stub_data_ts.len() < max_size {
++                                        tdn.stub_data_ts.extend_from_slice(&recr.data[..max_size - tdn.stub_data_ts.len()]);
++                                    }
+                                 }
+                                 if dcer.last_frag {
+                                     SCLogDebug!("last frag set, so request side of DCERPC closed");
+@@ -240,12 +245,17 @@ pub fn smb_write_dcerpc_record(state: &mut SMBState,
+                             SCLogDebug!("DCERPC: REQUEST {:?}", recr);
+                             if let Some(SMBTransactionTypeData::DCERPC(ref mut tdn)) = tx.type_data {
+                                 SCLogDebug!("first frag size {}", recr.data.len());
+-                                tdn.stub_data_ts.extend_from_slice(recr.data);
+                                 tdn.opnum = recr.opnum;
+                                 tdn.context_id = recr.context_id;
+                                 tdn.frag_cnt_ts += 1;
+-                                SCLogDebug!("DCERPC: REQUEST opnum {} stub data len {}",
+-                                        tdn.opnum, tdn.stub_data_ts.len());
++                                let max_size = cfg_max_stub_size() as usize;
++                                if tdn.stub_data_ts.len() + recr.data.len() < max_size {
++                                    tdn.stub_data_ts.extend_from_slice(recr.data);
++                                    SCLogDebug!("DCERPC: REQUEST opnum {} stub data len {}",
++                                            tdn.opnum, tdn.stub_data_ts.len());
++                                } else if tdn.stub_data_ts.len() < max_size {
++                                    tdn.stub_data_ts.extend_from_slice(&recr.data[..max_size - tdn.stub_data_ts.len()]);
++                                }
+                             }
+                             if dcer.last_frag {
+                                 tx.request_done = true;
+@@ -407,8 +417,13 @@ fn dcerpc_response_handle(tx: &mut SMBTransaction,
+                     if let Some(SMBTransactionTypeData::DCERPC(ref mut tdn)) = tx.type_data {
+                         SCLogDebug!("CMD 11 found at tx {}", tx.id);
+                         tdn.set_result(DCERPC_TYPE_RESPONSE);
+-                        tdn.stub_data_tc.extend_from_slice(respr.data);
++                        let max_size = cfg_max_stub_size() as usize;
+                         tdn.frag_cnt_tc += 1;
++                        if tdn.stub_data_tc.len() + respr.data.len() < max_size {
++                            tdn.stub_data_tc.extend_from_slice(respr.data);
++                        } else if tdn.stub_data_tc.len() < max_size {
++                            tdn.stub_data_tc.extend_from_slice(&respr.data[..max_size - tdn.stub_data_tc.len()]);
++                        }
+                     }
+                     tx.vercmd.set_ntstatus(ntstatus);
+                     tx.response_done = dcer.last_frag;
+diff --git a/rust/src/smb/smb.rs b/rust/src/smb/smb.rs
+index c22bc9fc9..0a0fc1082 100644
+--- a/rust/src/smb/smb.rs
++++ b/rust/src/smb/smb.rs
+@@ -81,6 +81,8 @@ pub static mut SMB_CFG_MAX_WRITE_SIZE: u32 = 16777216;
+ pub static mut SMB_CFG_MAX_WRITE_QUEUE_SIZE: u32 = 67108864;
+ pub static mut SMB_CFG_MAX_WRITE_QUEUE_CNT: u32 = 64;
++pub static mut SMB_DCERPC_MAX_STUB_SIZE: u32 = 1048576;
++
+ static mut ALPROTO_SMB: AppProto = ALPROTO_UNKNOWN;
+ static mut SMB_MAX_TX: usize = 1024;
+@@ -2438,6 +2440,21 @@ pub unsafe extern "C" fn rs_smb_register_parser() {
+                 SCLogError!("Invalid value for smb.max-tx");
+             }
+         }
++       let retval = conf_get("app-layer.protocols.smb.dcerpc.max-stub-size");
++       if let Some(val) = retval {
++           match get_memval(val) {
++               Ok(retval) => {
++                    if retval > 0 {
++                        SMB_DCERPC_MAX_STUB_SIZE = retval as u32;
++                    } else {
++                        SCLogError!("Invalid max-stub-size value");
++                    }
++               }
++               Err(_) => {
++                    SCLogError!("Invalid max-stub-size value");
++               }
++           }
++       }
+         SCLogConfig!("read: max record size: {}, max queued chunks {}, max queued size {}",
+                 SMB_CFG_MAX_READ_SIZE, SMB_CFG_MAX_READ_QUEUE_CNT, SMB_CFG_MAX_READ_QUEUE_SIZE);
+         SCLogConfig!("write: max record size: {}, max queued chunks {}, max queued size {}",
+@@ -2446,3 +2463,9 @@ pub unsafe extern "C" fn rs_smb_register_parser() {
+         SCLogDebug!("Protocol detector and parser disabled for SMB.");
+     }
+ }
++
++#[inline(always)]
++pub fn cfg_max_stub_size() -> u32 {
++    unsafe { SMB_DCERPC_MAX_STUB_SIZE }
++}
++
+diff --git a/suricata.yaml.in b/suricata.yaml.in
+index 7640f2b62..eab6ca500 100644
+--- a/suricata.yaml.in
++++ b/suricata.yaml.in
+@@ -951,6 +951,8 @@ app-layer:
+       enabled: yes
+       # Maximum number of live DCERPC transactions per flow
+       # max-tx: 1024
++      #max-stub-size: 1MiB
++
+     ftp:
+       enabled: yes
+       # memcap: 64mb
+@@ -1015,6 +1017,8 @@ app-layer:
+       # Stream reassembly size for SMB streams. By default track it completely.
+       #stream-depth: 0
++      #dcerpc:
++      #  max-stub-size: 1MiB
+     nfs:
+       enabled: yes
+-- 
+2.47.3
+
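Review bot: In rs_dcerpc_register_parser the configured limit is checked with `retval > 0` and only then narrowed with `retval as u32`, so a setting of 4GiB or more wraps, and an exact multiple of 4GiB becomes 0, after which both clamp branches are false and no stub data is stored; rs_smb_register_parser repeats the pattern for `SMB_DCERPC_MAX_STUB_SIZE`. Assuming `get_memval` returns a 64-bit value, `DCERPC_MAX_STUB_SIZE = u32::try_from(retval).unwrap_or(u32::MAX);` (and the SMB equivalent) avoids the wrap. The clamp is also written out in six places and truncates silently; a shared helper that logs or raises an event when data is dropped would let analysts see that stub inspection was cut short.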
diff --git a/patches/CVE-2026-22258_2.patch b/patches/CVE-2026-22258_2.patch
new file mode 100644 (file)
index 0000000..664ba2e
--- /dev/null
@@ -0,0 +1,54 @@
+From df389f8a43a06c718bb336ea082d6c80d6fefda0 Mon Sep 17 00:00:00 2001
+From: Shivani Bhardwaj <shivani@oisf.net>
+Date: Wed, 7 Jan 2026 10:33:57 +0530
+Subject: [PATCH 2/3] doc: add dcerpc.max-stub-size config param
+
+(cherry picked from commit 6702791a9c4463858c8b54ee8678fd4f5fbe831a)
+
+Origin: upstream, https://github.com/OISF/suricata/commit/df389f8a43a06c718bb336ea082d6c80d6fefda0.patch
+Bug: https://redmine.openinfosecfoundation.org/issues/8182
+Subject: Upstream fix for CVE-2026-22258 part 2
+---
+ doc/userguide/configuration/suricata-yaml.rst | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst
+index bd414fbc6..8ea093b51 100644
+--- a/doc/userguide/configuration/suricata-yaml.rst
++++ b/doc/userguide/configuration/suricata-yaml.rst
+@@ -1674,6 +1674,9 @@ Several options are available for limiting record sizes and data chunk tracking.
+       max-write-queue-size: 16mb
+       max-write-queue-cnt: 16
++      dcerpc:
++        max-stub-size: 1MiB
++
+ The `max-read-size` option can be set to control the max size of accepted
+ READ records. Events will be raised if a READ request asks for too much data
+ and/or if READ responses are too big. A value of 0 disables the checks.
+@@ -1685,6 +1688,8 @@ data. A value of 0 disables the checks.
+ Additionally if the `max-read-size` or `max-write-size` values in the
+ "negotiate protocol response" exceeds this limit an event will also be raised.
++To control the size of the DCERPC stub data, `dcerpc.max-stub-size` should be
++used. It is by default set to 1MiB.
+ For file tracking, extraction and file data inspection the parser queues up
+ out of order data chunks for both READs and WRITEs. To avoid using too much
+@@ -1710,6 +1715,13 @@ the limits are exceeded, and an event will be raised.
+ `max-write-queue-size` and `max-write-queue-cnt` are as the READ variants,
+ but then for WRITEs.
++Configure DCERPC
++~~~~~~~~~~~~~~~~
++
++DCERPC has one parameter that can be customized.
++`max-stub-size` is used to control the stub data size of a DCERPC request/response. By
++default, it is set to 1MiB.
++
+ Configure HTTP2
+ ~~~~~~~~~~~~~~~
+-- 
+2.47.3
+
diff --git a/patches/CVE-2026-22258_3.patch b/patches/CVE-2026-22258_3.patch
new file mode 100644 (file)
index 0000000..1f0bcfe
--- /dev/null
@@ -0,0 +1,73 @@
+From c9b80e5affe073ce9d95d0c935a8d67647c83bf7 Mon Sep 17 00:00:00 2001
+From: Philippe Antoine <pantoine@oisf.net>
+Date: Thu, 8 Jan 2026 14:48:40 +0100
+Subject: [PATCH 3/3] dcerpc: use saturating_add to count fragments
+
+And do not overflow if we have traffic with more than 65K fragments
+
+(cherry picked from commit a48200b9e5befb1f0aa45ad5b33e2664e6a9fa41)
+
+Origin: upstream, https://github.com/OISF/suricata/commit/c9b80e5affe073ce9d95d0c935a8d67647c83bf7.patch
+Bug: https://redmine.openinfosecfoundation.org/issues/8182
+Subject: Upstream fix for CVE-2026-22258 part 3
+---
+ rust/src/dcerpc/dcerpc_udp.rs | 4 ++--
+ rust/src/smb/dcerpc.rs        | 6 +++---
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/rust/src/dcerpc/dcerpc_udp.rs b/rust/src/dcerpc/dcerpc_udp.rs
+index 0a6213a87..87fa9764b 100644
+--- a/rust/src/dcerpc/dcerpc_udp.rs
++++ b/rust/src/dcerpc/dcerpc_udp.rs
+@@ -172,7 +172,7 @@ impl DCERPCUDPState {
+             let max_size = cfg_max_stub_size() as usize;
+             match hdr.pkt_type {
+                 DCERPC_TYPE_REQUEST => {
+-                    tx.frag_cnt_ts += 1;
++                    tx.frag_cnt_ts = tx.frag_cnt_ts.saturating_add(1);
+                     if input.len() + tx.stub_data_buffer_ts.len() < max_size {
+                         tx.stub_data_buffer_ts.extend_from_slice(input);
+                     } else if tx.stub_data_buffer_ts.len() < max_size {
+@@ -184,7 +184,7 @@ impl DCERPCUDPState {
+                     return true;
+                 }
+                 DCERPC_TYPE_RESPONSE => {
+-                    tx.frag_cnt_tc += 1;
++                    tx.frag_cnt_tc = tx.frag_cnt_tc.saturating_add(1);
+                     if input.len() + tx.stub_data_buffer_tc.len() < max_size {
+                         tx.stub_data_buffer_tc.extend_from_slice(input);
+                     } else if tx.stub_data_buffer_tc.len() < max_size {
+diff --git a/rust/src/smb/dcerpc.rs b/rust/src/smb/dcerpc.rs
+index 1e62241bb..5cb1adeba 100644
+--- a/rust/src/smb/dcerpc.rs
++++ b/rust/src/smb/dcerpc.rs
+@@ -205,7 +205,7 @@ pub fn smb_write_dcerpc_record(state: &mut SMBState,
+                                 SCLogDebug!("previous CMD {} found at tx {} => {:?}",
+                                         dcer.packet_type, tx.id, tx);
+                                 if let Some(SMBTransactionTypeData::DCERPC(ref mut tdn)) = tx.type_data {
+-                                    tdn.frag_cnt_ts += 1;
++                                    tdn.frag_cnt_ts = tdn.frag_cnt_ts.saturating_add(1);
+                                     let max_size = cfg_max_stub_size() as usize;
+                                     if recr.data.len() + tdn.stub_data_ts.len() < max_size {
+                                         SCLogDebug!("additional frag of size {}", recr.data.len());
+@@ -247,7 +247,7 @@ pub fn smb_write_dcerpc_record(state: &mut SMBState,
+                                 SCLogDebug!("first frag size {}", recr.data.len());
+                                 tdn.opnum = recr.opnum;
+                                 tdn.context_id = recr.context_id;
+-                                tdn.frag_cnt_ts += 1;
++                                tdn.frag_cnt_ts = tdn.frag_cnt_ts.saturating_add(1);
+                                 let max_size = cfg_max_stub_size() as usize;
+                                 if tdn.stub_data_ts.len() + recr.data.len() < max_size {
+                                     tdn.stub_data_ts.extend_from_slice(recr.data);
+@@ -418,7 +418,7 @@ fn dcerpc_response_handle(tx: &mut SMBTransaction,
+                         SCLogDebug!("CMD 11 found at tx {}", tx.id);
+                         tdn.set_result(DCERPC_TYPE_RESPONSE);
+                         let max_size = cfg_max_stub_size() as usize;
+-                        tdn.frag_cnt_tc += 1;
++                        tdn.frag_cnt_tc = tdn.frag_cnt_tc.saturating_add(1);
+                         if tdn.stub_data_tc.len() + respr.data.len() < max_size {
+                             tdn.stub_data_tc.extend_from_slice(respr.data);
+                         } else if tdn.stub_data_tc.len() < max_size {
+-- 
+2.47.3
+
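Review bot: The fragment counters now stop at their maximum instead of wrapping, but nothing at the five increment sites in `rust/src/dcerpc/dcerpc_udp.rs` and `rust/src/smb/dcerpc.rs` records that a saturated value means "this many or more". Anything that logs or matches on `frag_cnt_ts` / `frag_cnt_tc` would presumably read the ceiling as an exact count, so a short comment at each site, e.g. `// saturates: at the type's max the count is only a lower bound`, would make that explicit. The same increment is repeated verbatim in all five places and could live in one small helper. The enclosing functions start and end outside these hunks, so that is a call for someone with the whole file in view.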
diff --git a/patches/CVE-2026-22259_1.patch b/patches/CVE-2026-22259_1.patch
new file mode 100644 (file)
index 0000000..c61f34a
--- /dev/null
@@ -0,0 +1,38 @@
+From 63225d5f8ef64cc65164c0bb1800730842d54942 Mon Sep 17 00:00:00 2001
+From: Jason Ish <jason.ish@oisf.net>
+Date: Tue, 6 Jan 2026 16:15:09 -0600
+Subject: [PATCH 1/4] dnp3: check done state, not complete state for progress
+
+Complete is a flag used to tell if the message was completely parsed,
+as not all messages may be completely parsed if we don't know all
+their objects. However, they are still "done".
+
+In the alstate-progress callback, check the done flag, not the
+complete flag.
+
+Ticket: #8181
+(cherry picked from commit d61eef9a8a0d92921989479de15e5cbfec3251a9)
+
+Origin: upstream, https://github.com/OISF/suricata/commit/63225d5f8ef64cc65164c0bb1800730842d54942.patch
+Bug: https://redmine.openinfosecfoundation.org/issues/8181
+Subject: Upstream fix for CVE-2026-22259 part 1
+---
+ src/app-layer-dnp3.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/app-layer-dnp3.c b/src/app-layer-dnp3.c
+index ecae4ae63..1a8b3cb63 100644
+--- a/src/app-layer-dnp3.c
++++ b/src/app-layer-dnp3.c
+@@ -1438,7 +1438,7 @@ static int DNP3GetAlstateProgress(void *tx, uint8_t direction)
+         SCReturnInt(1);
+     }
+-    if (dnp3tx->complete)
++    if (dnp3tx->done)
+         retval = 1;
+     SCReturnInt(retval);
+-- 
+2.47.3
+
diff --git a/patches/CVE-2026-22259_2.patch b/patches/CVE-2026-22259_2.patch
new file mode 100644 (file)
index 0000000..4a8c3aa
--- /dev/null
@@ -0,0 +1,135 @@
+From 635af8dc8be09667689be71d781912718ca1aa49 Mon Sep 17 00:00:00 2001
+From: Jason Ish <jason.ish@oisf.net>
+Date: Tue, 6 Jan 2026 11:06:40 -0600
+Subject: [PATCH 2/4] dnp3: reduce flood threshold to 32 and make configurable
+
+Lower the number of unreplied requests from 500 to 32 to consider a
+flood. At the very least this is an anomaly given the DNP3 spec mentions
+that DNP3 should only have one outstanding request at a time, with an
+exception for unsolicited responses, so in practice no more than 2
+should be seen.
+
+Additionally make this value configurable by introducing the max-tx
+parameter.
+
+Ticket: #8181
+(cherry picked from commit a16f087b93be1ff2f2edf47371866ad9b28593c1)
+
+Origin: upstream, https://github.com/OISF/suricata/commit/635af8dc8be09667689be71d781912718ca1aa49.patch
+Bug: https://redmine.openinfosecfoundation.org/issues/8181
+Subject: Upstream fix for CVE-2026-22259 part 2
+---
+ doc/userguide/upgrade.rst | 10 ++++++++++
+ src/app-layer-dnp3.c      | 29 +++++++++++++++++++----------
+ suricata.yaml.in          |  1 +
+ 3 files changed, 30 insertions(+), 10 deletions(-)
+
+--- a/doc/userguide/upgrade.rst
++++ b/doc/userguide/upgrade.rst
+@@ -34,6 +34,16 @@
+ this guide. Those features are either not enabled by default or require
+ dedicated new configuration.
++Upgrading to 7.0.14 (trixie-security 1:7.0.10-1~bpo13u3)
++-------------------
++
++Other Changes
++~~~~~~~~~~~~~
++- ``dnp3`` has reduced the default maximum number of outstanding
++  transactions from 500 down to 32. A ``max-tx`` parameter has been
++  added to the ``dnp3`` parser for users that need a larger number of
++  in-flight transactions.
++
+ Upgrading to 7.0.9
+ ------------------
+ - The AF_PACKET default block size for both TPACKET_V2 and TPACKET_V3
+--- a/src/app-layer-dnp3.c
++++ b/src/app-layer-dnp3.c
+@@ -40,9 +40,6 @@
+ #include "app-layer-dnp3.h"
+ #include "app-layer-dnp3-objects.h"
+-/* Default number of unreplied requests to be considered a flood. */
+-#define DNP3_DEFAULT_REQ_FLOOD_COUNT 500
+-
+ #define DNP3_DEFAULT_PORT "20000"
+ /* Expected values for the start bytes. */
+@@ -93,6 +90,14 @@
+ /* Extract the range code from the object qualifier. */
+ #define DNP3_OBJ_RANGE(x)  (x & 0xf)
++/* Default number of unreplied requests to be considered a flood.
++ *
++ * DNP3 is a request/response SCADA protocol with typically only 1-2
++ * transactions in flight. But set a limit high enough to allow for
++ * some pipelining but reduce the chance of memory exhaustion
++ * attacks. */
++static uint64_t dnp3_max_tx = 32;
++
+ /* Decoder event map. */
+ SCEnumCharMap dnp3_decoder_event_table[] = {
+     {"FLOODED",           DNP3_DECODER_EVENT_FLOODED},
+@@ -514,7 +519,7 @@
+     TAILQ_INSERT_TAIL(&dnp3->tx_list, tx, next);
+     /* Check for flood state. */
+-    if (dnp3->unreplied > DNP3_DEFAULT_REQ_FLOOD_COUNT) {
++    if (dnp3->unreplied > dnp3_max_tx && !dnp3->flooded) {
+         DNP3SetEvent(dnp3, DNP3_DECODER_EVENT_FLOODED);
+         dnp3->flooded = 1;
+     }
+@@ -1384,7 +1389,7 @@
+         dnp3->unreplied--;
+         /* Check flood state. */
+-        if (dnp3->flooded && dnp3->unreplied < DNP3_DEFAULT_REQ_FLOOD_COUNT) {
++        if (dnp3->flooded && dnp3->unreplied < dnp3_max_tx) {
+             dnp3->flooded = 0;
+         }
+@@ -1430,8 +1435,7 @@
+     int retval = 0;
+     /* If flooded, "ack" old transactions. */
+-    if (dnp3->flooded && (dnp3->transaction_max -
+-            dnp3tx->tx_num >= DNP3_DEFAULT_REQ_FLOOD_COUNT)) {
++    if (dnp3->flooded && (dnp3->transaction_max - dnp3tx->tx_num >= dnp3_max_tx)) {
+         SCLogDebug("flooded: returning tx as done.");
+         SCReturnInt(1);
+     }
+@@ -1604,8 +1608,13 @@
+         AppLayerParserRegisterTxDataFunc(IPPROTO_TCP, ALPROTO_DNP3,
+             DNP3GetTxData);
+         AppLayerParserRegisterStateDataFunc(IPPROTO_TCP, ALPROTO_DNP3, DNP3GetStateData);
+-    }
+-    else {
++
++        /* Parse max-tx configuration. */
++        intmax_t value = 0;
++        if (ConfGetInt("app-layer.protocols.dnp3.max-tx", &value)) {
++            dnp3_max_tx = (uint64_t)value;
++        }
++    } else {
+         SCLogConfig("Parser disabled for protocol %s. "
+             "Protocol detection still on.", proto_name);
+     }
+@@ -2252,7 +2261,7 @@
+     FAIL_IF_NOT(tx->done);
+     FAIL_IF_NOT(DNP3GetAlstateProgress(tx, STREAM_TOSERVER));
+-    for (int i = 0; i < DNP3_DEFAULT_REQ_FLOOD_COUNT - 1; i++) {
++    for (uint64_t i = 0; i < dnp3_max_tx - 1; i++) {
+         SCMutexLock(&flow.m);
+         FAIL_IF(AppLayerParserParse(NULL, alp_tctx, &flow, ALPROTO_DNP3,
+                 STREAM_TOSERVER, request, sizeof(request)));
+--- a/suricata.yaml.in
++++ b/suricata.yaml.in
+@@ -1161,6 +1161,7 @@
+       enabled: no
+       detection-ports:
+         dp: 20000
++      #max-tx: 32
+     # SCADA EtherNet/IP and CIP protocol support
+     enip:
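Review bot: The `max-tx` value read in the registration hunk of `src/app-layer-dnp3.c` is cast straight into `dnp3_max_tx` with no range check. A negative setting therefore becomes a very large `uint64_t` and effectively switches the flood limit off, and `0` makes the unit-test loop bound `dnp3_max_tx - 1` wrap. Guarding the assignment with `if (value > 0) dnp3_max_tx = (uint64_t)value;`, plus a warning in the else case, would keep the default of 32 for bad input. Parts 3 and 4 of this series apply exactly that `value > 0` guard to `max-points` and `max-objects`, but leave the `max-tx` assignment as it is here. The register function starts and ends outside the hunk.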
diff --git a/patches/CVE-2026-22259_3.patch b/patches/CVE-2026-22259_3.patch
new file mode 100644 (file)
index 0000000..f8b8426
--- /dev/null
@@ -0,0 +1,138 @@
+From fdd79bdb14488244604729f1d68ca4bc60000dbd Mon Sep 17 00:00:00 2001
+From: Jason Ish <jason.ish@oisf.net>
+Date: Wed, 7 Jan 2026 09:23:09 -0600
+Subject: [PATCH 3/4] dnp3: set a bound on the number of points per message
+
+16384 is used as the max, but a configuration parameter has been
+provided. The reason for setting an upper bound is that bit flags can
+create a memory amplification as we parse them into individual data
+structures.
+
+Ticket: #8181
+(cherry picked from commit 3a32bb5743c35afb3278a6448f7e9669512dbe92)
+
+Origin: upstream, https://github.com/OISF/suricata/commit/fdd79bdb14488244604729f1d68ca4bc60000dbd.patch
+Bug: https://redmine.openinfosecfoundation.org/issues/8181
+Subject: Upstream fix for CVE-2026-22259 part 3
+---
+ doc/userguide/upgrade.rst |  9 +++++----
+ rules/dnp3-events.rules   |  5 +++++
+ src/app-layer-dnp3.c      | 33 ++++++++++++++++++++++++++-------
+ src/app-layer-dnp3.h      |  1 +
+ suricata.yaml.in          |  1 +
+ 5 files changed, 38 insertions(+), 11 deletions(-)
+
+--- a/doc/userguide/upgrade.rst
++++ b/doc/userguide/upgrade.rst
+@@ -39,10 +39,11 @@
+ Other Changes
+ ~~~~~~~~~~~~~
+-- ``dnp3`` has reduced the default maximum number of outstanding
+-  transactions from 500 down to 32. A ``max-tx`` parameter has been
+-  added to the ``dnp3`` parser for users that need a larger number of
+-  in-flight transactions.
++- ``dnp3`` has reduced the maximum number of open transactions from
++  500 down to 32, and the maximum number of points per message from
++  unbounded to 16384. Configuration options, ``max-tx`` and
++  ``max-points`` have been added for users who may need to change
++  these defaults.
+ Upgrading to 7.0.9
+ ------------------
+--- a/rules/dnp3-events.rules
++++ b/rules/dnp3-events.rules
+@@ -24,3 +24,8 @@
+ # Unknown object.
+ alert dnp3 any any -> any any (msg:"SURICATA DNP3 Unknown object"; \
+       app-layer-event:dnp3.unknown_object; classtype:protocol-command-decode; sid:2270004; rev:2;)
++
++# Too many points in a message.
++alert dnp3 any any -> any any (msg:"SURICATA DNP3 Too many points in message"; \
++      app-layer-event:dnp3.too_many_points; \
++      classtype:protocol-command-decode; sid:2270005; rev:1;)
+--- a/src/app-layer-dnp3.c
++++ b/src/app-layer-dnp3.c
+@@ -98,15 +98,19 @@
+  * attacks. */
+ static uint64_t dnp3_max_tx = 32;
++/* The maximum number of points allowed per message (configurable). */
++static uint64_t max_points = 16384;
++
+ /* Decoder event map. */
+ SCEnumCharMap dnp3_decoder_event_table[] = {
+-    {"FLOODED",           DNP3_DECODER_EVENT_FLOODED},
+-    {"LEN_TOO_SMALL",     DNP3_DECODER_EVENT_LEN_TOO_SMALL},
+-    {"BAD_LINK_CRC",      DNP3_DECODER_EVENT_BAD_LINK_CRC},
+-    {"BAD_TRANSPORT_CRC", DNP3_DECODER_EVENT_BAD_TRANSPORT_CRC},
+-    {"MALFORMED",         DNP3_DECODER_EVENT_MALFORMED},
+-    {"UNKNOWN_OBJECT",    DNP3_DECODER_EVENT_UNKNOWN_OBJECT},
+-    {NULL, -1},
++    { "FLOODED", DNP3_DECODER_EVENT_FLOODED },
++    { "LEN_TOO_SMALL", DNP3_DECODER_EVENT_LEN_TOO_SMALL },
++    { "BAD_LINK_CRC", DNP3_DECODER_EVENT_BAD_LINK_CRC },
++    { "BAD_TRANSPORT_CRC", DNP3_DECODER_EVENT_BAD_TRANSPORT_CRC },
++    { "MALFORMED", DNP3_DECODER_EVENT_MALFORMED },
++    { "UNKNOWN_OBJECT", DNP3_DECODER_EVENT_UNKNOWN_OBJECT },
++    { "TOO_MANY_POINTS", DNP3_DECODER_EVENT_TOO_MANY_POINTS },
++    { NULL, -1 },
+ };
+ /* Calculate the next transport sequence number. */
+@@ -709,6 +713,7 @@
+     uint32_t len, DNP3ObjectList *objects)
+ {
+     int retval = 0;
++    uint64_t point_count = 0;
+     if (buf == NULL || len == 0) {
+         return 1;
+@@ -839,6 +844,13 @@
+             goto next;
+         }
++        /* Check if we've exceeded the maximum number of points per message. */
++        point_count += object->count;
++        if (point_count > max_points) {
++            DNP3SetEventTx(tx, DNP3_DECODER_EVENT_TOO_MANY_POINTS);
++            goto done;
++        }
++
+         int event = DNP3DecodeObject(header->group, header->variation, &buf,
+             &len, object->prefix_code, object->start, object->count,
+             object->points);
+@@ -1614,6 +1626,13 @@
+         if (ConfGetInt("app-layer.protocols.dnp3.max-tx", &value)) {
+             dnp3_max_tx = (uint64_t)value;
+         }
++
++        /* Parse max-points configuration. */
++        if (ConfGetInt("app-layer.protocols.dnp3.max-points", &value)) {
++            if (value > 0) {
++                max_points = (uint64_t)value;
++            }
++        }
+     } else {
+         SCLogConfig("Parser disabled for protocol %s. "
+             "Protocol detection still on.", proto_name);
+--- a/src/app-layer-dnp3.h
++++ b/src/app-layer-dnp3.h
+@@ -109,6 +109,7 @@
+     DNP3_DECODER_EVENT_BAD_TRANSPORT_CRC,
+     DNP3_DECODER_EVENT_MALFORMED,
+     DNP3_DECODER_EVENT_UNKNOWN_OBJECT,
++    DNP3_DECODER_EVENT_TOO_MANY_POINTS,
+ };
+ /**
+--- a/suricata.yaml.in
++++ b/suricata.yaml.in
+@@ -1162,6 +1162,7 @@
+       detection-ports:
+         dp: 20000
+       #max-tx: 32
++      #max-points: 16384
+     # SCADA EtherNet/IP and CIP protocol support
+     enip:
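Review bot: A zero or negative `max-points` in the configuration hunk of `src/app-layer-dnp3.c` is dropped without any message, so an operator who mistypes the limit keeps running on 16384 with nothing in the log to say so. The same applies to `max-objects` in CVE-2026-22259_4.patch. An `else` branch with a warning such as `SCLogWarning("invalid dnp3 max-points value, keeping default");` would make the fallback visible. As a style point, the new static is named `max_points` while its neighbours are `dnp3_max_tx` and, in part 4, `dnp3_max_objects`; `dnp3_max_points` would match. Both the register function and the object-decoding function continue outside these hunks.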
diff --git a/patches/CVE-2026-22259_4.patch b/patches/CVE-2026-22259_4.patch
new file mode 100644 (file)
index 0000000..fcefd63
--- /dev/null
@@ -0,0 +1,125 @@
+From a6d950315d9b6c1e35c10c24d9bb7128d422c21f Mon Sep 17 00:00:00 2001
+From: Jason Ish <jason.ish@oisf.net>
+Date: Tue, 6 Jan 2026 17:14:21 -0600
+Subject: [PATCH 4/4] dnp3: bound the maximum number of objects per tx
+
+Default to 2048, but provide a user configuration value.
+
+Ticket: #8181
+(cherry picked from commit 2c95f1ff44e17c3bc8693d5e23e175f2bc90ea10)
+
+Origin: upstream, https://github.com/OISF/suricata/commit/a6d950315d9b6c1e35c10c24d9bb7128d422c21f.patch
+Bug: https://redmine.openinfosecfoundation.org/issues/8181
+Subject: Upstream fix for CVE-2026-22259 part 4
+---
+ doc/userguide/upgrade.rst |  9 +++++----
+ rules/dnp3-events.rules   |  5 +++++
+ src/app-layer-dnp3.c      | 18 ++++++++++++++++++
+ src/app-layer-dnp3.h      |  1 +
+ suricata.yaml.in          |  1 +
+ 5 files changed, 30 insertions(+), 4 deletions(-)
+
+--- a/doc/userguide/upgrade.rst
++++ b/doc/userguide/upgrade.rst
+@@ -40,10 +40,11 @@
+ Other Changes
+ ~~~~~~~~~~~~~
+ - ``dnp3`` has reduced the maximum number of open transactions from
+-  500 down to 32, and the maximum number of points per message from
+-  unbounded to 16384. Configuration options, ``max-tx`` and
+-  ``max-points`` have been added for users who may need to change
+-  these defaults.
++  500 down to 32, the maximum number of points per message from
++  unbounded to 16384, and the maximum number of objects per message
++  from unbounded to 2048. Configuration options, ``max-tx``,
++  ``max-points``, and ``max-objects`` have been added for users who
++  may need to change these defaults.
+ Upgrading to 7.0.9
+ ------------------
+--- a/rules/dnp3-events.rules
++++ b/rules/dnp3-events.rules
+@@ -29,3 +29,8 @@
+ alert dnp3 any any -> any any (msg:"SURICATA DNP3 Too many points in message"; \
+       app-layer-event:dnp3.too_many_points; \
+       classtype:protocol-command-decode; sid:2270005; rev:1;)
++
++# Too many objects.
++alert dnp3 any any -> any any (msg:"SURICATA DNP3 Too many objects"; \
++      app-layer-event:dnp3.too_many_objects; \
++      classtype:protocol-command-decode; sid:2270006; rev:1;)
+--- a/src/app-layer-dnp3.c
++++ b/src/app-layer-dnp3.c
+@@ -101,6 +101,9 @@
+ /* The maximum number of points allowed per message (configurable). */
+ static uint64_t max_points = 16384;
++/* The maximum number of objects allowed per message (configurable). */
++static uint64_t dnp3_max_objects = 2048;
++
+ /* Decoder event map. */
+ SCEnumCharMap dnp3_decoder_event_table[] = {
+     { "FLOODED", DNP3_DECODER_EVENT_FLOODED },
+@@ -110,6 +113,7 @@
+     { "MALFORMED", DNP3_DECODER_EVENT_MALFORMED },
+     { "UNKNOWN_OBJECT", DNP3_DECODER_EVENT_UNKNOWN_OBJECT },
+     { "TOO_MANY_POINTS", DNP3_DECODER_EVENT_TOO_MANY_POINTS },
++    { "TOO_MANY_OBJECTS", DNP3_DECODER_EVENT_TOO_MANY_OBJECTS },
+     { NULL, -1 },
+ };
+@@ -714,6 +718,7 @@
+ {
+     int retval = 0;
+     uint64_t point_count = 0;
++    uint64_t object_count = 0;
+     if (buf == NULL || len == 0) {
+         return 1;
+@@ -728,6 +733,12 @@
+         DNP3ObjHeader *header = (DNP3ObjHeader *)buf;
+         offset += sizeof(DNP3ObjHeader);
++        /* Check if we've exceeded the maximum number of objects. */
++        if (++object_count > dnp3_max_objects) {
++            DNP3SetEventTx(tx, DNP3_DECODER_EVENT_TOO_MANY_OBJECTS);
++            goto done;
++        }
++
+         DNP3Object *object = DNP3ObjectAlloc();
+         if (unlikely(object == NULL)) {
+             goto done;
+@@ -1633,6 +1644,13 @@
+                 max_points = (uint64_t)value;
+             }
+         }
++
++        /* Parse max-objects configuration. */
++        if (ConfGetInt("app-layer.protocols.dnp3.max-objects", &value)) {
++            if (value > 0) {
++                dnp3_max_objects = (uint64_t)value;
++            }
++        }
+     } else {
+         SCLogConfig("Parser disabled for protocol %s. "
+             "Protocol detection still on.", proto_name);
+--- a/src/app-layer-dnp3.h
++++ b/src/app-layer-dnp3.h
+@@ -110,6 +110,7 @@
+     DNP3_DECODER_EVENT_MALFORMED,
+     DNP3_DECODER_EVENT_UNKNOWN_OBJECT,
+     DNP3_DECODER_EVENT_TOO_MANY_POINTS,
++    DNP3_DECODER_EVENT_TOO_MANY_OBJECTS,
+ };
+ /**
+--- a/suricata.yaml.in
++++ b/suricata.yaml.in
+@@ -1163,6 +1163,7 @@
+         dp: 20000
+       #max-tx: 32
+       #max-points: 16384
++      #max-objects: 2048
+     # SCADA EtherNet/IP and CIP protocol support
+     enip:
diff --git a/patches/CVE-2026-22261_1.patch b/patches/CVE-2026-22261_1.patch
new file mode 100644 (file)
index 0000000..4d9cbb0
--- /dev/null
@@ -0,0 +1,68 @@
+From 44d0c81f537f230e9215c769453fb4d7214217a1 Mon Sep 17 00:00:00 2001
+From: Philippe Antoine <pantoine@oisf.net>
+Date: Tue, 9 Dec 2025 09:21:58 +0100
+Subject: [PATCH 1/2] output: optimize loop for finding alert http xff
+
+Ticket: 8156
+
+In case of non-tx alerts, we try to loop over all the txs to find
+the xff header. Do not start from tx_id 0, but from min_id
+as AppLayerParserTransactionsCleanup to skip txs that were freed
+
+(cherry picked from commit 3b1a6c1711b8f7d0bde4cb05f15cf50c751eda60)
+
+Origin: upstream, https://github.com/OISF/suricata/commit/44d0c81f537f230e9215c769453fb4d7214217a1.patch
+Bug: https://redmine.openinfosecfoundation.org/issues/8156
+Subject: Upstream fix for CVE-2026-22261 part 1
+---
+ src/app-layer-htp-xff.c | 2 +-
+ src/app-layer-parser.c  | 7 +++++++
+ src/app-layer-parser.h  | 1 +
+ 3 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/app-layer-htp-xff.c b/src/app-layer-htp-xff.c
+index c145e5818..6eae5b1b3 100644
+--- a/src/app-layer-htp-xff.c
++++ b/src/app-layer-htp-xff.c
+@@ -180,7 +180,7 @@ int HttpXFFGetIPFromTx(const Flow *f, uint64_t tx_id, HttpXFFCfg *xff_cfg,
+ int HttpXFFGetIP(const Flow *f, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
+ {
+     HtpState *htp_state = NULL;
+-    uint64_t tx_id = 0;
++    uint64_t tx_id = AppLayerParserGetMinId(f->alparser);
+     uint64_t total_txs = 0;
+     htp_state = (HtpState *)FlowGetAppState(f);
+diff --git a/src/app-layer-parser.c b/src/app-layer-parser.c
+index 627bf929a..2b8a59a14 100644
+--- a/src/app-layer-parser.c
++++ b/src/app-layer-parser.c
+@@ -721,6 +721,13 @@ uint64_t AppLayerParserGetTransactionLogId(AppLayerParserState *pstate)
+     SCReturnCT((pstate == NULL) ? 0 : pstate->log_id, "uint64_t");
+ }
++uint64_t AppLayerParserGetMinId(AppLayerParserState *pstate)
++{
++    SCEnter();
++
++    SCReturnCT((pstate == NULL) ? 0 : pstate->min_id, "uint64_t");
++}
++
+ void AppLayerParserSetTransactionLogId(AppLayerParserState *pstate, uint64_t tx_id)
+ {
+     SCEnter();
+diff --git a/src/app-layer-parser.h b/src/app-layer-parser.h
+index 77e8c813f..dad0b613c 100644
+--- a/src/app-layer-parser.h
++++ b/src/app-layer-parser.h
+@@ -230,6 +230,7 @@ void AppLayerParserDestroyProtocolParserLocalStorage(uint8_t ipproto, AppProto a
+ uint64_t AppLayerParserGetTransactionLogId(AppLayerParserState *pstate);
++uint64_t AppLayerParserGetMinId(AppLayerParserState *pstate);
+ void AppLayerParserSetTransactionLogId(AppLayerParserState *pstate, uint64_t tx_id);
+ uint64_t AppLayerParserGetTransactionInspectId(AppLayerParserState *pstate, uint8_t direction);
+-- 
+2.47.3
+
diff --git a/patches/CVE-2026-22261_2.patch b/patches/CVE-2026-22261_2.patch
new file mode 100644 (file)
index 0000000..cb04f75
--- /dev/null
@@ -0,0 +1,128 @@
+From 7e704a3f50690b5f5d5cc573147ef41449fe37ac Mon Sep 17 00:00:00 2001
+From: Philippe Antoine <pantoine@oisf.net>
+Date: Tue, 9 Dec 2025 09:38:31 +0100
+Subject: [PATCH 2/2] output: use tx iterator for finding alert http xff
+
+Ticket: 8156
+
+Allows better performance.
+
+(cherry picked from commit ab2e128176744ead5130707bb53fa59038e19634)
+
+Origin: upstream, https://github.com/OISF/suricata/commit/7e704a3f50690b5f5d5cc573147ef41449fe37ac.patch
+Bug: https://redmine.openinfosecfoundation.org/issues/8156
+Subject: Upstream fix for CVE-2026-22261 part 2
+---
+ src/app-layer-htp-xff.c | 77 +++++++++++++++++++++++++----------------
+ 1 file changed, 47 insertions(+), 30 deletions(-)
+
+diff --git a/src/app-layer-htp-xff.c b/src/app-layer-htp-xff.c
+index 6eae5b1b3..2e5c25cdb 100644
+--- a/src/app-layer-htp-xff.c
++++ b/src/app-layer-htp-xff.c
+@@ -107,38 +107,12 @@ static int ParseXFFString(char *input, char *output, int output_size)
+     return 0;
+ }
+-/**
+- * \brief Function to return XFF IP if any in the selected transaction. The
+- * caller needs to lock the flow.
+- * \retval 1 if the IP has been found and returned in dstbuf
+- * \retval 0 if the IP has not being found or error
+- */
+-int HttpXFFGetIPFromTx(const Flow *f, uint64_t tx_id, HttpXFFCfg *xff_cfg,
+-        char *dstbuf, int dstbuflen)
++static int HttpXFFGetIPFromTxAux(
++        const Flow *f, htp_tx_t *tx, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
+ {
+     uint8_t xff_chain[XFF_CHAIN_MAXLEN];
+-    HtpState *htp_state = NULL;
+-    htp_tx_t *tx = NULL;
+-    uint64_t total_txs = 0;
+     uint8_t *p_xff = NULL;
+-    htp_state = (HtpState *)FlowGetAppState(f);
+-
+-    if (htp_state == NULL) {
+-        SCLogDebug("no http state, XFF IP cannot be retrieved");
+-        return 0;
+-    }
+-
+-    total_txs = AppLayerParserGetTxCnt(f, htp_state);
+-    if (tx_id >= total_txs)
+-        return 0;
+-
+-    tx = AppLayerParserGetTx(f->proto, ALPROTO_HTTP1, htp_state, tx_id);
+-    if (tx == NULL) {
+-        SCLogDebug("tx is NULL, XFF cannot be retrieved");
+-        return 0;
+-    }
+-
+     htp_header_t *h_xff = NULL;
+     if (tx->request_headers != NULL) {
+         h_xff = htp_table_get_c(tx->request_headers, xff_cfg->header);
+@@ -172,6 +146,38 @@ int HttpXFFGetIPFromTx(const Flow *f, uint64_t tx_id, HttpXFFCfg *xff_cfg,
+     return 0;
+ }
++/**
++ * \brief Function to return XFF IP if any in the selected transaction. The
++ * caller needs to lock the flow.
++ * \retval 1 if the IP has been found and returned in dstbuf
++ * \retval 0 if the IP has not being found or error
++ */
++int HttpXFFGetIPFromTx(
++        const Flow *f, uint64_t tx_id, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen)
++{
++    HtpState *htp_state = NULL;
++    uint64_t total_txs = 0;
++    htp_tx_t *tx = NULL;
++
++    htp_state = (HtpState *)FlowGetAppState(f);
++
++    if (htp_state == NULL) {
++        SCLogDebug("no http state, XFF IP cannot be retrieved");
++        return 0;
++    }
++
++    total_txs = AppLayerParserGetTxCnt(f, htp_state);
++    if (tx_id >= total_txs)
++        return 0;
++
++    tx = AppLayerParserGetTx(f->proto, ALPROTO_HTTP1, htp_state, tx_id);
++    if (tx == NULL) {
++        SCLogDebug("tx is NULL, XFF cannot be retrieved");
++        return 0;
++    }
++    return HttpXFFGetIPFromTxAux(f, tx, xff_cfg, dstbuf, dstbuflen);
++}
++
+ /**
+  *  \brief Function to return XFF IP if any. The caller needs to lock the flow.
+  *  \retval 1 if the IP has been found and returned in dstbuf
+@@ -190,9 +196,20 @@ int HttpXFFGetIP(const Flow *f, HttpXFFCfg *xff_cfg, char *dstbuf, int dstbuflen
+     }
+     total_txs = AppLayerParserGetTxCnt(f, htp_state);
+-    for (; tx_id < total_txs; tx_id++) {
+-        if (HttpXFFGetIPFromTx(f, tx_id, xff_cfg, dstbuf, dstbuflen) == 1)
++    AppLayerGetTxIteratorFunc IterFunc = AppLayerGetTxIterator(f->proto, f->alproto);
++    AppLayerGetTxIterState state;
++    memset(&state, 0, sizeof(state));
++
++    while (1) {
++        AppLayerGetTxIterTuple ires =
++                IterFunc(f->proto, f->alproto, f->alstate, tx_id, total_txs, &state);
++        if (ires.tx_ptr == NULL)
++            break;
++
++        if (HttpXFFGetIPFromTxAux(f, ires.tx_ptr, xff_cfg, dstbuf, dstbuflen) == 1)
+             return 1;
++
++        tx_id = ires.tx_id + 1;
+     }
+ end:
+-- 
+2.47.3
+
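Review bot: In `HttpXFFGetIP` the iterator is looked up and driven with `f->alproto`, while the single-transaction path `HttpXFFGetIPFromTx` asks for `ALPROTO_HTTP1` explicitly. Each `ires.tx_ptr` is then handed to `HttpXFFGetIPFromTxAux`, which reads it as an `htp_tx_t`. If every caller already guarantees an HTTP/1 flow this is fine, but that guarantee is not visible in the hunk. A comment stating it, or passing `ALPROTO_HTTP1` to `AppLayerGetTxIterator` and `IterFunc` as the other path does, would keep the two paths consistent. The new static helper also has no doc comment; something like `/* Extract the XFF IP from a single HTTP/1 tx; caller holds the flow lock. */` would do, and note that `HttpXFFGetIP` starts and ends outside the hunk.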
diff --git a/patches/CVE-2026-22262_1.patch b/patches/CVE-2026-22262_1.patch
new file mode 100644 (file)
index 0000000..d2d0ef4
--- /dev/null
@@ -0,0 +1,42 @@
+From 32609e6896f9079c175665a94005417cec7637eb Mon Sep 17 00:00:00 2001
+From: Philippe Antoine <pantoine@oisf.net>
+Date: Mon, 17 Nov 2025 13:27:54 +0100
+Subject: [PATCH 1/2] datasets: explicitly errors on too long string
+
+Also avoids stack allocation
+
+Ticket: 8110
+(cherry picked from commit 0eff24213763c2aa2bb0957901d5dc1e18414dbf)
+
+Origin: upstream, https://github.com/OISF/suricata/commit/32609e6896f9079c175665a94005417cec7637eb.patch
+Bug: https://redmine.openinfosecfoundation.org/issues/8110
+Subject: Upstream fix for CVE-2026-22262 part 1
+---
+ src/datasets-string.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/src/datasets-string.c b/src/datasets-string.c
+index 0a8f499ae..524a60ad9 100644
+--- a/src/datasets-string.c
++++ b/src/datasets-string.c
+@@ -49,12 +49,13 @@ int StringAsBase64(const void *s, char *out, size_t out_size)
+     const StringType *str = s;
+     unsigned long len = Base64EncodeBufferSize(str->len);
+-    uint8_t encoded_data[len];
+-    if (Base64Encode((unsigned char *)str->ptr, str->len,
+-        encoded_data, &len) != SC_BASE64_OK)
++    if (len + 2 > out_size) {
++        // linefeed and final zero
++        return 0;
++    }
++    if (Base64Encode((unsigned char *)str->ptr, str->len, (uint8_t *)out, &len) != SC_BASE64_OK)
+         return 0;
+-    strlcpy(out, (const char *)encoded_data, out_size);
+     strlcat(out, "\n", out_size);
+     return strlen(out);
+ }
+-- 
+2.47.3
+
diff --git a/patches/CVE-2026-22262_2.patch b/patches/CVE-2026-22262_2.patch
new file mode 100644 (file)
index 0000000..c59e27a
--- /dev/null
@@ -0,0 +1,66 @@
+From 27a2180bceaa3477419c78c54fce364398d011f1 Mon Sep 17 00:00:00 2001
+From: Philippe Antoine <pantoine@oisf.net>
+Date: Tue, 25 Nov 2025 14:43:18 +0100
+Subject: [PATCH 2/2] datasets: allocates on the heap if string base64 is long
+
+Ticket: 8110
+(cherry picked from commit d6bc718e303ecbec5999066b8bc88eeeca743658)
+
+Origin: upstream, https://github.com/OISF/suricata/commit/27a2180bceaa3477419c78c54fce364398d011f1.patch
+Bug: https://redmine.openinfosecfoundation.org/issues/8110
+Subject: Upstream fix for CVE-2026-22262 part 2
+---
+ src/datasets-string.c |  4 ++--
+ src/util-thash.c      | 21 ++++++++++++++++++++-
+ 2 files changed, 22 insertions(+), 3 deletions(-)
+
+diff --git a/src/datasets-string.c b/src/datasets-string.c
+index 524a60ad9..53a179a10 100644
+--- a/src/datasets-string.c
++++ b/src/datasets-string.c
+@@ -50,8 +50,8 @@ int StringAsBase64(const void *s, char *out, size_t out_size)
+     unsigned long len = Base64EncodeBufferSize(str->len);
+     if (len + 2 > out_size) {
+-        // linefeed and final zero
+-        return 0;
++        // linefeed and final zero : signal we need more space
++        return len + 2;
+     }
+     if (Base64Encode((unsigned char *)str->ptr, str->len, (uint8_t *)out, &len) != SC_BASE64_OK)
+         return 0;
+diff --git a/src/util-thash.c b/src/util-thash.c
+index 548637916..c6df02cf3 100644
+--- a/src/util-thash.c
++++ b/src/util-thash.c
+@@ -390,7 +390,26 @@ int THashWalk(THashTableContext *ctx, THashFormatFunc FormatterFunc, THashOutput
+             char output_string[1024] = "";
+             int size = FormatterFunc(h->data, output_string, sizeof(output_string));
+             if (size > 0) {
+-                if (OutputterFunc(output_ctx, (const uint8_t *)output_string, size) < 0) {
++                if (size > 1024) {
++                    // we did not provide enough space on the stack, let's allocate on the heap
++                    char *out_alloc = SCCalloc(1, size);
++                    if (out_alloc == NULL) {
++                        err = true;
++                        break;
++                    }
++                    size = FormatterFunc(h->data, out_alloc, size);
++                    if (size == 0) {
++                        err = true;
++                        SCFree(out_alloc);
++                        break;
++                    }
++                    if (OutputterFunc(output_ctx, (const uint8_t *)out_alloc, size) < 0) {
++                        err = true;
++                        SCFree(out_alloc);
++                        break;
++                    }
++                    SCFree(out_alloc);
++                } else if (OutputterFunc(output_ctx, (const uint8_t *)output_string, size) < 0) {
+                     err = true;
+                     break;
+                 }
+-- 
+2.47.3
+
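Review bot: In the heap branch added to THashWalk, the result of the second `FormatterFunc` call is only compared with 0, so a negative value or one larger than the allocation would be passed to `OutputterFunc` as a length, whereas the first call is guarded by `size > 0`. Because `size` is overwritten, the allocation size has to be kept, e.g. `const int need = size;` before the `SCCalloc` and `if (size <= 0 || size > need)` after the second call. The literal `1024` repeats the stack buffer size and would be safer as `(int)sizeof(output_string)`. In StringAsBase64, `return len + 2;` narrows an `unsigned long` to `int`; whether `str->len` can be large enough for that to matter is not visible here. Both functions start and end outside the hunks shown.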
diff --git a/patches/CVE-2026-22264.patch b/patches/CVE-2026-22264.patch
new file mode 100644 (file)
index 0000000..0112b6a
--- /dev/null
@@ -0,0 +1,84 @@
+From 5789a3d3760dbf33d93fc56c27bd9529e5bdc8f2 Mon Sep 17 00:00:00 2001
+From: Shivani Bhardwaj <shivani@oisf.net>
+Date: Mon, 5 Jan 2026 19:27:11 +0530
+Subject: [PATCH] detect/alert: check alert queue capacity before expanding
+
+So far, the alert queue was expanded by doubling in size w/o any
+boundary checks in place. This led to situations where doubling
+the alert_queue_capacity meant overflow of the very same value
+stored in det_ctx.
+This led to heap-use-after-free in some conditions where
+det_ctx->alert_queue_capacity overflowed.
+
+Fix this by capping the max of alert_queue_capacity by checking if its
+expansion could result in an overflow.
+
+Security 8190
+
+(cherry picked from commit ac1eb394181530430fb7262969f423a1bf8f209b)
+
+Origin: upstream, https://github.com/OISF/suricata/commit/5789a3d3760dbf33d93fc56c27bd9529e5bdc8f2.patch
+Bug: https://redmine.openinfosecfoundation.org/issues/8190
+Subject: Upstream fix for CVE-2026-22264
+---
+ src/detect-engine-alert.c | 35 +++++++++++++++++++++++++----------
+ 1 file changed, 25 insertions(+), 10 deletions(-)
+
+diff --git a/src/detect-engine-alert.c b/src/detect-engine-alert.c
+index f3e49586e..0cce98196 100644
+--- a/src/detect-engine-alert.c
++++ b/src/detect-engine-alert.c
+@@ -238,6 +238,22 @@ void AlertQueueFree(DetectEngineThreadCtx *det_ctx)
+     det_ctx->alert_queue_capacity = 0;
+ }
++static inline uint16_t AlertQueueExpandDo(DetectEngineThreadCtx *det_ctx, uint16_t new_cap)
++{
++    DEBUG_VALIDATE_BUG_ON(det_ctx->alert_queue_capacity >= new_cap);
++
++    void *tmp_queue = SCRealloc(det_ctx->alert_queue, new_cap * sizeof(PacketAlert));
++    if (unlikely(tmp_queue == NULL)) {
++        /* queue capacity didn't change */
++        return det_ctx->alert_queue_capacity;
++    }
++    det_ctx->alert_queue = tmp_queue;
++    det_ctx->alert_queue_capacity = new_cap;
++    SCLogDebug("Alert queue size expanded: %u elements, bytes: %" PRIuMAX "",
++            det_ctx->alert_queue_capacity, (uintmax_t)(new_cap * sizeof(PacketAlert)));
++    return new_cap;
++}
++
+ /** \internal
+  * \retval the new capacity
+  */
+@@ -247,18 +263,17 @@ static uint16_t AlertQueueExpand(DetectEngineThreadCtx *det_ctx)
+     if (unlikely(g_eps_is_alert_queue_fail_mode))
+         return det_ctx->alert_queue_capacity;
+ #endif
+-    uint16_t new_cap = det_ctx->alert_queue_capacity * 2;
+-    void *tmp_queue = SCRealloc(det_ctx->alert_queue, (size_t)(sizeof(PacketAlert) * new_cap));
+-    if (unlikely(tmp_queue == NULL)) {
+-        /* queue capacity didn't change */
++    if (det_ctx->alert_queue_capacity == UINT16_MAX) {
+         return det_ctx->alert_queue_capacity;
+     }
+-    det_ctx->alert_queue = tmp_queue;
+-    det_ctx->alert_queue_capacity = new_cap;
+-    SCLogDebug("Alert queue size doubled: %u elements, bytes: %" PRIuMAX "",
+-            det_ctx->alert_queue_capacity,
+-            (uintmax_t)(sizeof(PacketAlert) * det_ctx->alert_queue_capacity));
+-    return new_cap;
++
++    uint16_t new_cap;
++    if (det_ctx->alert_queue_capacity > (UINT16_MAX / 2)) {
++        new_cap = UINT16_MAX;
++    } else {
++        new_cap = det_ctx->alert_queue_capacity * 2;
++    }
++    return AlertQueueExpandDo(det_ctx, new_cap);
+ }
+ /** \internal
+-- 
+2.47.3
+
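Review bot: AlertQueueExpandDo relies on `DEBUG_VALIDATE_BUG_ON(det_ctx->alert_queue_capacity >= new_cap)` to reject a non-growing `new_cap`, and that macro is, as far as I know, compiled out unless debug validation is enabled. With the caller shown, `alert_queue_capacity * 2` equals the current capacity when it is 0 (the value AlertQueueFree leaves behind), so a release build would call `SCRealloc` with a zero size; whether the capacity can be 0 at that point is not visible in this hunk. A run-time guard before the realloc would make the helper safe on its own: `if (new_cap <= det_ctx->alert_queue_capacity) return det_ctx->alert_queue_capacity;`. The helper would also benefit from the same `\internal` / `\retval` header that AlertQueueExpand carries, stating that an unchanged capacity means the expansion did not happen.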
diff --git a/patches/avoid-to-include-if_tunnel-h.patch b/patches/avoid-to-include-if_tunnel-h.patch
new file mode 100644 (file)
index 0000000..1a40ec7
--- /dev/null
@@ -0,0 +1,34 @@
+From 6f7636cfc6dffb387afe21f4f3bff119f8d8e033 Mon Sep 17 00:00:00 2001
+From: Eric Leblond <eric@regit.org>
+Date: Thu, 31 Oct 2019 13:29:56 +0100
+Subject: [PATCH] ebpf: avoid to include if_tunnel.h
+
+This is causing a dependency issue as file from another architecture
+have to be installed.
+---
+ ebpf/xdp_lb.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/ebpf/xdp_lb.c
++++ b/ebpf/xdp_lb.c
+@@ -26,7 +26,6 @@
+ /* Workaround to avoid the need of 32bit headers */
+ #define _LINUX_IF_H
+ #define IFNAMSIZ 16
+-#include <linux/if_tunnel.h>
+ #include <linux/ip.h>
+ #include <linux/ipv6.h>
+ #include <linux/tcp.h>
+@@ -35,6 +34,12 @@
+ #include "hash_func01.h"
++#define GRE_CSUM        __cpu_to_be16(0x8000)
++#define GRE_ROUTING     __cpu_to_be16(0x4000)
++#define GRE_KEY         __cpu_to_be16(0x2000)
++#define GRE_SEQ         __cpu_to_be16(0x1000)
++#define GRE_VERSION     __cpu_to_be16(0x0007)
++
+ #define LINUX_VERSION_CODE 263682
+ /* Hashing initval */
diff --git a/patches/configure-clang-variable.patch b/patches/configure-clang-variable.patch
new file mode 100644 (file)
index 0000000..6aae947
--- /dev/null
@@ -0,0 +1,26 @@
+From: Hilko Bengen <bengen@debian.org>
+Date: Tue, 22 Jan 2019 18:10:47 +0100
+Subject: configure: Introduce CLANG variable
+
+---
+ configure.ac | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -38,6 +38,15 @@
+     AC_SUBST([CLANG])
++    AC_ARG_WITH([clang],
++                [CLANG compiler],
++                [CLANG="$withval"],
++                [AS_IF([test "$compiler" = clang],
++                       [CLANG="$CC"],
++                       [AC_PATH_PROG([CLANG],[clang])])])
++
++    AC_SUBST([CLANG])
++
+     case "$compiler" in
+         clang)
+             CLANG_CFLAGS="-Wextra -Werror-implicit-function-declaration -Wno-error=unused-command-line-argument"
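Review bot: The context line directly above the added block is already `AC_SUBST([CLANG])`, which suggests the upstream configure.ac now carries this `AC_ARG_WITH([clang], ...)` block itself and the patch adds a second copy; this should be checked against the 7.0.10 source and the patch dropped if so. patches/import-sockio-h.patch shows the same pattern: its context already ends with `#include <linux/sockios.h>` / `#endif` right before the identical lines it adds. Neither patch has a `Forwarded:` field, so a header stating the upstream status would make stale patches like these easier to spot.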
diff --git a/patches/cross.patch b/patches/cross.patch
new file mode 100644 (file)
index 0000000..ddc724d
--- /dev/null
@@ -0,0 +1,13 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -77,8 +77,8 @@
+     AC_PATH_PROG(HAVE_CYGPATH, cygpath, "no")
+     AM_CONDITIONAL([HAVE_CYGPATH], [test "x$HAVE_CYGPATH" != "xno"])
+-    AC_PATH_PROG(HAVE_PKG_CONFIG, pkg-config, "no")
+-    if test "$HAVE_PKG_CONFIG" = "no"; then
++    PKG_PROG_PKG_CONFIG
++    if test "x$PKG_CONFIG" = "x"; then
+         echo
+         echo "   ERROR! pkg-config not found, go get it  "
+         echo "   http://pkg-config.freedesktop.org/wiki/ "
diff --git a/patches/debian-default-cfg.patch b/patches/debian-default-cfg.patch
new file mode 100644 (file)
index 0000000..400da99
--- /dev/null
@@ -0,0 +1,43 @@
+From: Arturo Borrero Gonzalez <arturo@debian.org>
+Subject: Debian default configuration
+ This patch sets Debian defaults for suricata configuration.
+ .
+ Currently, it sets a proper path for suricata unix socket.
+Forwarded: not-needed
+Last-Update: 2016-12-01
+
+--- a/suricata.yaml.in
++++ b/suricata.yaml.in
+@@ -1302,8 +1302,8 @@
+ # activated in live capture mode. You can use the filename variable to set
+ # the file name of the socket.
+ unix-command:
+-  enabled: auto
+-  #filename: custom.socket
++  enabled: yes
++  filename: @e_localstatedir@suricata-command.socket
+ # Magic file. The extension .mgc is added to the value here.
+ #magic-file: /usr/share/file/magic
+--- a/src/unix-manager.c
++++ b/src/unix-manager.c
+@@ -57,7 +57,7 @@
+ # endif
+ #endif
+-#define SOCKET_PATH LOCAL_STATE_DIR "/run/suricata/"
++#define SOCKET_PATH LOCAL_STATE_DIR "/"
+ #define SOCKET_FILENAME "suricata-command.socket"
+ #define SOCKET_TARGET SOCKET_PATH SOCKET_FILENAME
+--- a/configure.ac
++++ b/configure.ac
+@@ -2603,7 +2603,7 @@
+     EXPAND_VARIABLE(localstatedir, e_logfilesdir, "/log/suricata/files")
+     EXPAND_VARIABLE(localstatedir, e_logcertsdir, "/log/suricata/certs")
+     EXPAND_VARIABLE(sysconfdir, e_sysconfdir, "/suricata/")
+-    EXPAND_VARIABLE(localstatedir, e_localstatedir, "/run/suricata")
++    EXPAND_VARIABLE(localstatedir, e_localstatedir, "/run/")
+     EXPAND_VARIABLE(datadir, e_datarulesdir, "/suricata/rules")
+     EXPAND_VARIABLE(localstatedir, e_datadir, "/lib/suricata/data")
+     EXPAND_VARIABLE(localstatedir, e_defaultruledir, "/lib/suricata/rules")
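Review bot: The patch header describes only the socket path, but the suricata.yaml.in hunk also switches `unix-command` from `enabled: auto` to `enabled: yes`, so the command socket is created in every run mode; that belongs in the description. The new `filename: @e_localstatedir@suricata-command.socket` has no separator and is only correct because the configure.ac hunk makes `e_localstatedir` end in `/run/` with a trailing slash, which deserves a comment next to either line. Moving the socket from a dedicated `/run/suricata/` directory to `/run/` itself means access to it rests on the socket file's own mode and ownership; how unix-manager.c sets those is not visible here and is worth confirming. `e_localstatedir` may be substituted elsewhere too, so other users of the old `/run/suricata` value should be checked.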
diff --git a/patches/fix-repeated-builds.patch b/patches/fix-repeated-builds.patch
new file mode 100644 (file)
index 0000000..f174975
--- /dev/null
@@ -0,0 +1,16 @@
+Description: do not clean vendor directory on distclean 
+ dh_auto_clean calls make distclean, which in the case of Suricata also
+ removes the vendor directory. This breaks repeated builds.
+Author: Sascha Steinbiss <satta@debian.org>
+Last-Update: 2018-12-26
+--- a/rust/Makefile.am
++++ b/rust/Makefile.am
+@@ -77,7 +77,7 @@
+       rm -f Cargo.lock
+ maintainer-clean-local:
+-      rm -rf vendor gen
++      rm -rf gen
+ check:
+       CARGO_HOME="$(CARGO_HOME)" @rustup_home@ \
diff --git a/patches/import-sockio-h.patch b/patches/import-sockio-h.patch
new file mode 100644 (file)
index 0000000..83d8743
--- /dev/null
@@ -0,0 +1,16 @@
+From: Eric Leblond <eric@regit.org>
+Date: Wed, 17 Jul 2019 12:35:12 +0200
+Subject: [PATCH] af-packet: fix build on recent Linux kernels
+--- a/src/source-af-packet.c
++++ b/src/source-af-packet.c
+@@ -72,6 +72,10 @@
+ #include <linux/sockios.h>
+ #endif
++#if HAVE_LINUX_SOCKIOS_H
++#include <linux/sockios.h>
++#endif
++
+ #ifdef HAVE_PACKET_EBPF
+ #include <bpf/libbpf.h>
+ #include <bpf/bpf.h>
diff --git a/patches/llc.patch b/patches/llc.patch
new file mode 100644 (file)
index 0000000..51c8028
--- /dev/null
@@ -0,0 +1,20 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -478,11 +478,12 @@
+           [
+             AS_IF([test "$CLANG" != no],
+                   [
+-                    llc_candidates=$($CLANG --version | sed -e 's/.*clang version/clang version/' | \
+-                      awk '/^clang version/ {
+-                             split($3, v, ".");
+-                             printf("llc-%s.%s llc-%s llc", v[[1]], v[[2]], v[[1]])
+-                           }')
++                    #llc_candidates=$($CLANG --version | sed -e 's/.*clang version/clang version/' | \
++                    #  awk '/^clang version/ {
++                    #         split($3, v, ".");
++                    #         printf("llc-%s.%s llc-%s llc", v[[1]], v[[2]], v[[1]])
++                    #       }')
++                  llc_candidates=llc
+                     AC_CHECK_PROGS([LLC], [$llc_candidates], "no")
+                     if test "$LLC" = "no"; then
+                         AC_MSG_ERROR([unable to find any of $llc_candidates needed to build ebpf files])
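Review bot: The patch leaves the version-matching detection as commented-out code and hard-codes `llc_candidates=llc` without saying why, and the patch file has no header at all. A short DEP-3 header (`Description:`, `Author:`, `Forwarded:`) and deleting the dead lines instead of commenting them would make the intent reviewable. With only the unversioned name, `AC_CHECK_PROGS` takes whichever `llc` is first in PATH, which may not match the clang selected through `$CLANG`; if that pairing matters for the eBPF objects, it should be stated. The new assignment is also indented two columns less than the `AC_CHECK_PROGS` line that follows it.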
diff --git a/patches/no-use-gnu.patch b/patches/no-use-gnu.patch
new file mode 100644 (file)
index 0000000..c6d12d9
--- /dev/null
@@ -0,0 +1,28 @@
+Description: Don't use __USE_GNU
+ __USE_GNU is a glibc-internal symbol.
+ AC_USE_SYSTEM_EXTENSIONS is the proper autoconf
+ way to enable extensions.
+Author: Adrian Bunk <bunk@debian.org>
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -6,6 +6,7 @@
+     AM_INIT_AUTOMAKE([tar-ustar subdir-objects])
+     AC_LANG([C])
++    AC_USE_SYSTEM_EXTENSIONS
+     LT_INIT
+     PKG_PROG_PKG_CONFIG
+--- a/src/suricata-common.h
++++ b/src/suricata-common.h
+@@ -33,9 +33,6 @@
+ #define TRUE   1
+ #define FALSE  0
+-#define _GNU_SOURCE
+-#define __USE_GNU
+-
+ #if defined(__clang_analyzer__)
+ /* clang analyzer acts as DEBUG_VALIDATION in some places, so
+  * force this so #ifdef DEBUG_VALIDATION code gets included */
diff --git a/patches/reproducible.patch b/patches/reproducible.patch
new file mode 100644 (file)
index 0000000..0727b27
--- /dev/null
@@ -0,0 +1,21 @@
+From: Arturo Borrero Gonzalez <arturo@debian.org>
+Subject: Patch to make the suricata build reproducible
+ This patch makes some changes to the suricata build to make it reproducible
+ .
+ Currently, it only filters out the -fdebug-prefix-map CFLAG which embeds
+ the build path.
+Forwarded: not-needed
+Last-Update: 2016-09-05
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -2738,7 +2738,8 @@
+ echo
+ echo "$SURICATA_BUILD_CONF"
+ echo "printf(" >src/build-info.h
+-echo "$SURICATA_BUILD_CONF" | sed -e 's/^/"/' | sed -e 's/$/\\n"/' >>src/build-info.h
++echo "$SURICATA_BUILD_CONF" | sed -e 's/^/"/' | sed -e 's/$/\\n"/' \
++                      | sed 's/-fdebug-prefix-map=.*=. //' >>src/build-info.h
+ echo ");" >>src/build-info.h
+ echo "
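Review bot: The added filter `sed 's/-fdebug-prefix-map=.*=. //'` only matches `-fdebug-prefix-map`, so a build path passed through `-ffile-prefix-map=` would still be written into src/build-info.h; whether the build flags used for this release contain that option is not visible here. The pattern is also greedy and the `.` after `=` is unescaped, so `.*` can run to the last `=`, any character and a space on the line and remove unrelated flags in between. A tighter form would be `sed -E 's/-f(debug|file)-prefix-map=[^ ]*=\. ?//g'`.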
diff --git a/patches/series b/patches/series
new file mode 100644 (file)
index 0000000..54f84b0
--- /dev/null
@@ -0,0 +1,29 @@
+reproducible.patch
+debian-default-cfg.patch
+cross.patch
+no-use-gnu.patch
+fix-repeated-builds.patch
+configure-clang-variable.patch
+with-ebpf-includes.patch
+import-sockio-h.patch
+avoid-to-include-if_tunnel-h.patch
+llc.patch
+CVE-2025-53538.patch
+CVE-2025-59147.patch
+CVE-2025-64344.patch
+CVE-2025-64333.patch
+CVE-2025-64332.patch
+CVE-2025-64331.patch
+CVE-2025-64330.patch
+CVE-2026-22258_1.patch
+CVE-2026-22258_2.patch
+CVE-2026-22258_3.patch
+CVE-2026-22262_1.patch
+CVE-2026-22262_2.patch
+CVE-2026-22264.patch
+CVE-2026-22259_1.patch
+CVE-2026-22259_2.patch
+CVE-2026-22259_3.patch
+CVE-2026-22259_4.patch
+CVE-2026-22261_1.patch
+CVE-2026-22261_2.patch
diff --git a/patches/with-ebpf-includes.patch b/patches/with-ebpf-includes.patch
new file mode 100644 (file)
index 0000000..965249d
--- /dev/null
@@ -0,0 +1,41 @@
+From: Hilko Bengen <bengen@debian.org>
+Date: Tue, 23 Jul 2019 14:43:21 +0200
+Subject: Add --with-ebpf-includes parameter
+
+---
+ configure.ac     | 4 ++++
+ ebpf/Makefile.am | 3 +--
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -490,6 +490,10 @@
+                     AC_SUBST(LLC)
+                   ],
+                   [AC_MSG_ERROR([clang needed to build ebpf files])])
++            AC_ARG_WITH(ebpf_includes,
++                    [  --with-ebpf-includes=DIR  include directory for building eBPF programs],
++                    [AC_SUBST([ebpf_includes],["$withval"])],
++                    [AC_SUBST([ebpf_includes],["/usr/include/${build_alias}"])])
+           ])
+   # enable debug output
+--- a/ebpf/Makefile.am
++++ b/ebpf/Makefile.am
+@@ -4,7 +4,7 @@
+ if BUILD_EBPF
+ # Maintaining a local copy of UAPI linux/bpf.h
+-BPF_CFLAGS = -Iinclude
++BPF_CFLAGS = -Iinclude -I$(ebpf_includes)
+ BPF_TARGETS  = lb.bpf
+ BPF_TARGETS += filter.bpf
+@@ -19,7 +19,6 @@
+ $(BPF_TARGETS): %.bpf: %.c
+ #      From C-code to LLVM-IR format suffix .ll (clang -S -emit-llvm)
+       ${CLANG} -Wall $(BPF_CFLAGS) -O2 \
+-              -I/usr/include/$(build_cpu)-$(build_os)/ \
+               -D__KERNEL__ -D__ASM_SYSREG_H \
+               -target bpf -S -emit-llvm $< -o ${@:.bpf=.ll}
+ #      From LLVM-IR to BPF-bytecode in ELF-obj file
diff --git a/rules b/rules
new file mode 100755 (executable)
index 0000000..9e5ee88
--- /dev/null
+++ b/rules
@@ -0,0 +1,97 @@
+#!/usr/bin/make -f
+
+# verbose mode
+export DH_VERBOSE=1
+
+SURICATA_DESTDIR = $(CURDIR)/debian/tmp
+export DEB_BUILD_MAINT_OPTIONS = hardening=+pie,+bindnow
+export CARGO_HOME = $(CURDIR)/debian/cargohome
+
+include /usr/share/dpkg/architecture.mk
+
+# workaround for linking issue on some archs
+export DEB_LDFLAGS_MAINT_APPEND = -Wl,--allow-multiple-definition
+EXTRA_ATOMIC_ARCHS = armel mipsel powerpc
+ifneq (,$(findstring $(DEB_HOST_ARCH),$(EXTRA_ATOMIC_ARCHS)))
+       DEB_LDFLAGS_MAINT_APPEND +=  -Wl,--no-as-needed -Wl,-latomic -Wl,--as-needed
+       export DEB_LDFLAGS_MAINT_APPEND
+endif
+
+LUAJIT_ARCHS = i386 amd64 powerpc mips mipsel armel armhf
+HYPERSCAN_ARCHS = i386 amd64 hurd-i386 kfreebsd-amd64 x32
+EBPF_ARCHS = amd64 arm64 armel armhf i386 ppc64el s390x ppc64 sparc64 x32
+DPDK_ARCHS = amd64x arm64x riscv64x ppc64elx
+
+LIBHTP_PKG_VERSION=$(shell dpkg-query -W -f '$${Version}' libhtp2)
+
+ifneq (,$(findstring $(DEB_HOST_ARCH),$(LUAJIT_ARCHS)))
+       ENABLE_LUAJIT="--enable-luajit"
+endif
+
+ifneq (,$(findstring $(DEB_HOST_ARCH),$(HYPERSCAN_ARCHS)))
+       ENABLE_HYPERSCAN="--enable-libhs"
+endif
+
+ifneq (,$(findstring $(DEB_HOST_ARCH)x,$(DPDK_ARCHS)))
+       ENABLE_DPDK="--enable-dpdk"
+endif
+
+CI ?= $(shell $(CURDIR)/debian/building-in-ci.sh)
+ifeq ($(CI),true)
+        ENABLE_UNITTESTS="--enable-unittests"
+endif
+
+ifneq (,$(findstring $(DEB_HOST_ARCH),$(EBPF_ARCHS)))
+       ENABLE_EBPF=--enable-ebpf --enable-ebpf-build \
+               --with-ebpf-includes=/usr/include/$(DEB_HOST_MULTIARCH)
+endif
+
+CONFIGURE_ARGS = --enable-af-packet --enable-nfqueue --enable-nflog \
+       --enable-gccprotect --disable-gccmarch-native \
+       --with-libnss-includes=/usr/include/nss --with-libnss-libraries=/usr/lib/$(DEB_HOST_MULTIARCH) \
+       --with-libnspr-includes=/usr/include/nspr --with-libnspr-libraries=/usr/lib/$(DEB_HOST_MULTIARCH) \
+       --with-libevent-includes=/usr/include --with-libevent-libraries=/usr/lib/$(DEB_HOST_MULTIARCH) \
+       --disable-coccinelle \
+       --enable-geoip --enable-hiredis \
+       --enable-non-bundled-htp \
+       --disable-suricata-update \
+       $(ENABLE_LUAJIT) \
+       $(ENABLE_HYPERSCAN) \
+       $(ENABLE_UNITTESTS) \
+       $(ENABLE_EBPF) \
+       $(ENABLE_DPDK)
+
+override_dh_auto_configure:
+       dh_auto_configure -- $(CONFIGURE_ARGS)
+
+override_dh_auto_build:
+       uname -a
+       mkdir -p $(CARGO_HOME)
+       dh_auto_build
+
+override_dh_auto_clean:
+       rm -rf $(CARGO_HOME)
+       rm -f debian/suricata.substvars
+
+override_dh_auto_install:
+       dh_auto_install --destdir=$(SURICATA_DESTDIR)
+       rm -rf $(SURICATA_DESTDIR)/usr/lib/python*;\
+       (cd python && make prefix=$(SURICATA_DESTDIR)/usr)
+       # clean upstream install documentation
+       rm -rf $(SURICATA_DESTDIR)/usr/share/doc/suricata/*
+       $(foreach file, $(wildcard ebpf/*bpf), \
+               install -D -t $(SURICATA_DESTDIR)/usr/lib/suricata/ebpf $(file) ;\
+       )
+
+override_dh_auto_test:
+       # do nothing
+
+override_dh_missing:
+       dh_missing --list-missing
+
+override_dh_gencontrol:
+       echo "libhtp:Version=$(LIBHTP_PKG_VERSION)" >> debian/suricata.substvars
+       dh_gencontrol
+
+%:
+       dh $@ --with python3
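Review bot: The architecture checks use `$(findstring $(DEB_HOST_ARCH),...)`, which matches substrings of the list, so `mips` would match `mipsel` in EXTRA_ATOMIC_ARCHS; the DPDK list works around this with an `x` suffix on every entry. `$(filter ...)` compares whole words and removes the need for that trick: `ifneq (,$(filter $(DEB_HOST_ARCH),$(LUAJIT_ARCHS)))`, with DPDK_ARCHS then written as plain names. Separately, `-Wl,--allow-multiple-definition` is exported for every architecture although the comment speaks of some archs, and it hides duplicate-symbol errors at link time; the comment should name the affected architectures or bug so the flag can be scoped or removed.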
diff --git a/source/format b/source/format
new file mode 100644 (file)
index 0000000..163aaf8
--- /dev/null
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/suricata.README.Debian b/suricata.README.Debian
new file mode 100644 (file)
index 0000000..a1e554a
--- /dev/null
@@ -0,0 +1,44 @@
+Suricata for Debian
+-------------------
+
+The engine is an Open Source Next Generation Intrusion Detection and
+Prevention Tool, not intended to just replace or emulate the existing tools in
+the industry, but to bring new ideas and technologies to the field.
+
+To run the engine with default configuration on interface eth0 (in live mode),
+run the following command (as root):
+ suricata -c /etc/suricata/suricata.yaml -i eth0
+
+To run in live NFQUEUE mode, use (as root):
+ suricata -c /etc/suricata/suricata.yaml -q $QUEUE_ID
+
+You can also run suricata on a PCAP file:
+ suricata -c /etc/suricata/suricata.yaml -r file.pcap
+
+
+Daemon system integration
+-------------------------
+
+The suricata daemon comes preconfigured to run as a system daemon with systemd.
+
+You can start/stop the daemon with:
+ % sudo systemctl start suricata.service
+ % sudo systemctl stop suricata.service
+
+You should copy /lib/systemd/system/suricata.service to
+/etc/systemd/system/suricata.service and adapt the configuration to your needs.
+
+The sysvinit script and related files (/etc/init.d/suricata and
+/etc/default/suricata) will be eventually discarted at some point in the
+future. The /etc/default/suricata file is ignored by the default
+suricata.service file.
+
+By now, there is no integration between suricata and libsystemd (so, options
+like the watchdog are not supported).
+
+
+Updating Rules
+--------------
+
+You should edit /etc/suricata/suricata.yaml and adjust it to fit your needs.
+The recommended way to update rules is via suricata-update (also packaged in Debian).
diff --git a/suricata.default b/suricata.default
new file mode 100644 (file)
index 0000000..330dc59
--- /dev/null
@@ -0,0 +1,26 @@
+# Default config for Suricata
+
+# set to yes to start the server in the init.d script
+RUN=no
+
+# Configuration file to load
+SURCONF=/etc/suricata/suricata.yaml
+
+# Listen mode: pcap, nfqueue or af-packet
+# depending on this value, only one of the two following options
+# will be used (af-packet uses neither).
+# Please note that IPS mode is only available when using nfqueue
+LISTENMODE=nfqueue
+
+# Interface to listen on (for pcap mode)
+IFACE=eth0
+
+# Queue number to listen on (for nfqueue mode)
+NFQUEUE=0
+
+# Load Google TCMALLOC if libtcmalloc-minimal4 is installed
+# This _might_ give you very very small performance gain....
+TCMALLOC="YES"
+
+# Pid file
+PIDFILE=/var/run/suricata.pid
diff --git a/suricata.dirs b/suricata.dirs
new file mode 100644 (file)
index 0000000..1d78110
--- /dev/null
@@ -0,0 +1,2 @@
+etc/suricata
+var/log/suricata
diff --git a/suricata.init b/suricata.init
new file mode 100644 (file)
index 0000000..951e42a
--- /dev/null
@@ -0,0 +1,167 @@
+#!/bin/sh -e
+#
+### BEGIN INIT INFO
+# Provides:          suricata
+# Required-Start:    $time $network $local_fs $remote_fs
+# Required-Stop:     $remote_fs
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Next Generation IDS/IPS
+# Description:       Intrusion detection system that will
+#                    capture traffic from the network cards and will
+#                    match against a set of known attacks.
+### END INIT INFO
+
+# Source function library.
+. /lib/lsb/init-functions
+
+if test -f /etc/default/suricata; then
+       . /etc/default/suricata
+else
+       echo "/etc/default/suricata is missing... bailing out!" >&2
+       exit 1
+fi
+
+# We'll add up all the options above and use them
+NAME=suricata
+DAEMON=/usr/bin/$NAME
+
+# Use this if you want the user to explicitly set 'RUN' in
+# /etc/default/
+if [ "x$RUN" != "xyes" ] ; then
+       log_failure_msg "$NAME disabled, please adjust the configuration to your needs "
+       log_failure_msg "and then set RUN to 'yes' in /etc/default/$NAME to enable it."
+       exit 0
+fi
+
+check_root()  {
+       if [ "$(id -u)" != "0" ]; then
+               log_failure_msg "You must be root to start, stop or restart $NAME."
+               exit 4
+       fi
+}
+
+check_nfqueue() {
+       if [ ! \( -e /proc/net/netfilter/nfnetlink_queue -o -e /proc/net/netfilter/nf_queue \) ]; then
+               log_warning_msg "NFQUEUE support not found !"
+               log_warning_msg "Please ensure the nfnetlink_queue module is loaded or built in kernel"
+       fi
+}
+
+check_run_dir() {
+       if [ ! -d /var/run/suricata ]; then
+               mkdir /var/run/suricata
+               chmod 0755 /var/run/suricata
+       fi
+}
+
+load_libtcmalloc_minimal() {
+       lib="/usr/lib/libtcmalloc_minimal.so.4"
+
+       if [ -f "$lib" ] && [ "x$TCMALLOC" = "xYES" ]; then
+               export LD_PRELOAD="$lib"
+       fi
+}
+
+check_root
+
+case "$LISTENMODE" in
+nfqueue)
+       IDMODE="IPS (nfqueue)"
+       LISTEN_OPTIONS=" -q $NFQUEUE"
+       check_nfqueue
+       ;;
+pcap)
+       IDMODE="IDS (pcap)"
+       LISTEN_OPTIONS=" -i $IFACE"
+       ;;
+af-packet)
+       IDMODE="IDS (af-packet)"
+       LISTEN_OPTIONS=" --af-packet"
+       ;;
+*)
+       echo "Unsupported listen mode $LISTENMODE, aborting"
+       exit 1
+       ;;
+esac
+
+SURICATA_OPTIONS=" -c $SURCONF --pidfile $PIDFILE $LISTEN_OPTIONS -D"
+
+# See how we were called.
+case "$1" in
+start)
+       if [ -f $PIDFILE ]; then
+               PID1=$(cat $PIDFILE)
+               if kill -0 "$PID1" 2>/dev/null; then
+                       echo "$NAME is already running with PID $PID1"
+                       exit 0
+               fi
+       fi
+       check_run_dir
+       echo -n "Starting suricata in $IDMODE mode..."
+       load_libtcmalloc_minimal
+       $DAEMON $SURICATA_OPTIONS > /var/log/suricata/suricata-start.log  2>&1 &
+       echo " done."
+       ;;
+stop)
+       echo -n "Stopping suricata: "
+       if [ -f $PIDFILE ]; then
+               PID2=$(cat $PIDFILE)
+       else
+               echo " No PID file found; not running?"
+               exit 0;
+       fi
+       start-stop-daemon --oknodo --stop --quiet --pidfile=$PIDFILE --exec $DAEMON
+       if [ -n "$PID2" ]; then
+               kill "$PID2"
+               ret=$?
+               sleep 2
+               if kill -0 "$PID2" 2>/dev/null; then
+                       ret=$?
+                       echo -n "Waiting . "
+                       cnt=0
+                       while kill -0 "$PID2" 2>/dev/null; do
+                               ret=$?
+                               cnt=$(expr "$cnt" + 1)
+                               if [ "$cnt" -gt 10 ]; then
+                                       kill -9 "$PID2"
+                                       break
+                               fi
+                               sleep 2
+                               echo -n ". "
+                       done
+               fi
+       fi
+       if [ -e $PIDFILE ]; then
+               rm $PIDFILE > /dev/null 2>&1
+       fi
+       echo " done."
+       ;;
+status)
+       # Check if running...
+       if [ -s $PIDFILE ]; then
+               PID3=$(cat $PIDFILE)
+               if kill -0 "$PID3" 2>/dev/null; then
+                       echo "$NAME is running with PID $PID3"
+                       exit 0
+               else
+                       echo "PID file $PIDFILE exists, but process not running!"
+               fi
+       else
+               echo "$NAME not running!"
+       fi
+       ;;
+restart)
+       $0 stop
+       $0 start
+       ;;
+force-reload)
+       $0 stop
+       $0 start
+       ;;
+*)
+       echo "Usage: $0 {start|stop|restart|status}"
+       exit 1
+esac
+
+exit 0
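Review bot: In the `stop` branch, after `start-stop-daemon --oknodo --stop --quiet --pidfile=$PIDFILE --exec $DAEMON` the script signals the number read from the PID file directly with `kill "$PID2"` and later `kill -9 "$PID2"`, which skips the `--exec` check; with a stale PID file whose number has been reused, root would be signalling an unrelated process. Because the script runs under `sh -e`, a failing `kill "$PID2"` (daemon already gone) also ends the script before the PID file is removed. Letting start-stop-daemon do the waiting covers both: `start-stop-daemon --stop --oknodo --quiet --retry=TERM/20/KILL/5 --pidfile "$PIDFILE" --exec "$DAEMON"`, after which the manual loop and the unused `ret=$?` assignments can go. The `start` and `status` branches expand `$PIDFILE` unquoted as well.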
diff --git a/suricata.install b/suricata.install
new file mode 100644 (file)
index 0000000..3568c2c
--- /dev/null
@@ -0,0 +1,7 @@
+etc/classification.config /etc/suricata
+etc/reference.config /etc/suricata
+rules/*.rules /etc/suricata/rules
+suricata.yaml  /etc/suricata
+threshold.config /etc/suricata
+usr/bin
+usr/lib
diff --git a/suricata.lintian-overrides b/suricata.lintian-overrides
new file mode 100644 (file)
index 0000000..b44f36d
--- /dev/null
@@ -0,0 +1,4 @@
+# these are eBPF files
+suricata: binary-from-other-architecture [usr/lib/suricata/ebpf/*.bpf]
+suricata: unstripped-binary-or-object [usr/lib/suricata/ebpf/*.bpf]
+suricata: executable-in-usr-lib [usr/lib/suricata/ebpf/*.bpf]
diff --git a/suricata.logrotate b/suricata.logrotate
new file mode 100644 (file)
index 0000000..e318d1c
--- /dev/null
@@ -0,0 +1,12 @@
+/var/log/suricata/*.log
+/var/log/suricata/*.json
+{
+       rotate 14
+       missingok
+       compress
+       copytruncate
+       sharedscripts
+       postrotate
+               /bin/kill -HUP $(cat /var/run/suricata.pid)
+       endscript
+}
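Review bot: The `postrotate` line `/bin/kill -HUP $(cat /var/run/suricata.pid)` runs whether or not the PID file exists and trusts whatever number it contains; with the daemon stopped, `cat` fails and `kill` is called without a PID. A form that at least handles the missing or empty file would be `test -s /var/run/suricata.pid && /bin/kill -HUP "$(cat /var/run/suricata.pid)" 2>/dev/null || true`; it does not protect against a stale file naming another process. `copytruncate` together with a HUP looks redundant if the daemon reopens its logs on that signal, and copytruncate can lose lines written during the copy, so one of the two mechanisms should probably be chosen and the choice commented.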
diff --git a/suricata.maintscript b/suricata.maintscript
new file mode 100644 (file)
index 0000000..a700bfc
--- /dev/null
@@ -0,0 +1,2 @@
+# Rename file
+mv_conffile /etc/suricata/suricata-debian.yaml /etc/suricata/suricata.yaml 3.1-1 suricata
diff --git a/suricata.manpages b/suricata.manpages
new file mode 100644 (file)
index 0000000..f32b4f6
--- /dev/null
@@ -0,0 +1 @@
+doc/userguide/*.1
diff --git a/suricata.preinst b/suricata.preinst
new file mode 100644 (file)
index 0000000..50f7117
--- /dev/null
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+set -e
+
+# we do not need alternatives anymore
+if update-alternatives --quiet --query suricata 2> /dev/null; then
+    echo "Removing legacy alternatives for Hyperscan/non-Hyperscan versions"
+    update-alternatives --remove-all suricata
+fi
+
+#DEBHELPER#
+
+exit 0
diff --git a/suricata.service b/suricata.service
new file mode 100644 (file)
index 0000000..aff9812
--- /dev/null
@@ -0,0 +1,20 @@
+[Unit]
+Description=Suricata IDS/IDP daemon
+After=network.target network-online.target
+Requires=network-online.target
+Documentation=man:suricata(8) man:suricatasc(8)
+Documentation=https://suricata.io/documentation/
+
+[Service]
+Type=forking
+#Environment=LD_PRELOAD=/usr/lib/libtcmalloc_minimal.so.4
+PIDFile=/run/suricata.pid
+ExecStart=/usr/bin/suricata -D --af-packet -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid
+ExecReload=/usr/bin/suricatasc -c reload-rules ; /bin/kill -HUP $MAINPID
+ExecStop=/usr/bin/suricatasc -c shutdown
+Restart=on-failure
+ProtectSystem=full
+ProtectHome=true
+
+[Install]
+WantedBy=multi-user.target
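Review bot: The unit has no `User=` and only `ProtectSystem=full` and `ProtectHome=true` as sandboxing, so unless Suricata's own privilege drop is configured the daemon keeps root's full capability set while parsing untrusted network traffic. `NoNewPrivileges=yes` and `PrivateTmp=yes` look like low-risk additions, and a `CapabilityBoundingSet=` limited to what the chosen capture mode needs would narrow it further; the exact capability list has to be confirmed against the Suricata documentation rather than guessed here. `Description=Suricata IDS/IDP daemon` presumably means IDS/IPS.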
diff --git a/tests/control b/tests/control
new file mode 100644 (file)
index 0000000..1dca1c2
--- /dev/null
@@ -0,0 +1,46 @@
+Test-Command: suricata --build-info
+Depends: @
+
+Test-Command: suricatasc -c "version"
+Depends: @
+Restrictions: needs-root, isolation-container, flaky
+
+Test-Command: suricatasc -c "command-list"
+Depends: @
+Restrictions: needs-root, isolation-container, flaky
+
+Test-Command: suricatasc -c "capture-mode"
+Depends: @
+Restrictions: needs-root, isolation-container, flaky
+
+Test-Command: sleep 10 && suricatasc -c "dump-counters"
+Depends: @
+Restrictions: needs-root, isolation-container
+
+Test-Command: suricatasc -c "uptime"
+Depends: @
+Restrictions: needs-root, isolation-container, flaky
+
+Test-Command: suricatasc -c "reload-rules"
+Depends: @
+Restrictions: needs-root, isolation-container, flaky
+
+Test-Command: suricatasc -c "iface-list"
+Depends: @
+Restrictions: needs-root, isolation-container, flaky
+
+Test-Command: suricatasc -c "shutdown"
+Depends: @
+Restrictions: needs-root, isolation-container, flaky
+
+Test-Command: sleep 10 && suricatasc -c "running-mode"
+Depends: @
+Restrictions: needs-root, isolation-container, flaky
+
+Tests: systemd-service-test.sh
+Depends: @, systemd, procps
+Restrictions: needs-root, isolation-container, allow-stderr
+
+Test-Command: src/suricata -u
+Depends: @, @builddeps@, procps, geoip-database
+Restrictions: needs-root, isolation-container, build-needed, allow-stderr
diff --git a/tests/systemd-service-test.sh b/tests/systemd-service-test.sh
new file mode 100644 (file)
index 0000000..089a8b2
--- /dev/null
@@ -0,0 +1,130 @@
+#!/bin/sh
+
+set -ex
+
+SERVICE="suricata.service"
+ETC_SERVICE_FILE="/etc/systemd/system/${SERVICE}"
+LIB_SERVICE_FILE="/lib/systemd/system/${SERVICE}"
+CONFIG_FILE="/etc/suricata/suricata.yaml"
+IFACE=$(ip route show | awk '/default/ {print $5}')
+
+if [ ! -r "$LIB_SERVICE_FILE" ] ; then
+       : ERROR unable to read $LIB_SERVICE_FILE
+       exit 1
+fi
+if [ ! -w "$CONFIG_FILE" ] ; then
+       : ERROR unable to write to $CONFIG_FILE
+       exit 1
+fi
+
+systemctl_action()
+{
+       if ! systemctl $1 $SERVICE ; then
+               journalctl -u $SERVICE
+               return 1
+       fi
+       return 0
+}
+
+echo "
+%YAML 1.1
+---
+default-rule-path: /etc/suricata/rules
+rule-files:
+ - tor.rules
+ - http-events.rules
+ - smtp-events.rules
+ - dns-events.rules
+ - tls-events.rules
+classification-file: /etc/suricata/classification.config
+reference-config-file: /etc/suricata/reference.config
+default-log-dir: /var/log/suricata/
+af-packet:
+  - interface: $IFACE
+    cluster-id: 99
+    cluster-type: cluster_flow
+    defrag: yes
+  - interface: default
+    tpacket-v3: yes
+    block-size: 131072
+app-layer:
+  protocols:
+    ssh:
+      enabled: yes
+host-mode: auto
+unix-command:
+  enabled: yes
+  filename: /var/run/suricata-command.socket
+detect:
+  profile: medium
+  custom-values:
+    toclient-groups: 3
+    toserver-groups: 25
+  sgh-mpm-context: auto
+  inspection-recursion-limit: 3000
+  grouping:
+  profiling:
+    grouping:
+      dump-to-disk: false
+      include-rules: false
+      include-mpm-stats: false
+mpm-algo: auto
+spm-algo: auto
+" > $CONFIG_FILE
+
+#
+# before start, package installation may start the daemon
+#
+if systemctl -q is-active $SERVICE ; then
+       : WARNING initial service running, stopping now
+       if ! systemctl_action stop ; then
+               : ERROR cant stop initial service
+               exit 1
+       fi
+fi
+
+#
+# First run of the daemon and basic checks
+#
+if ! systemctl_action start ; then
+       : ERROR cant start the service
+       exit 1
+fi
+sleep 10 # wait for service startup
+systemctl status $SERVICE
+
+#
+# Restart the daemon
+#
+if ! systemctl_action restart ; then
+       : ERROR unable to restart the service
+       exit 1
+fi
+
+sleep 10 # wait for serive startup
+if ! systemctl -q is-active $SERVICE ; then
+       journalctl -u $SERVICE
+       : ERROR service not active after restart
+       exit 1
+fi
+
+#
+# Reload the daemon
+#
+
+: WARNING: Not testing daemon reload: it timeouts in ci.debian.net
+
+#if ! systemctl_action reload ; then
+#      : ERROR unable to reload the service
+#      exit 1
+#fi
+
+#sleep 10 # wait for service reload
+#if ! systemctl -q is-active $SERVICE ; then
+#      journalctl -u $SERVICE
+#      : ERROR service not active after reload
+#      exit 1
+#fi
+
+: INFO all tests OK
+exit 0
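Review bot: `IFACE=$(ip route show | awk '/default/ {print $5}')` is written into the `af-packet` section unchecked, so with no default route the config gets an empty `interface:` value and with several default routes it gets a multi-line value that breaks the YAML; `set -e` does not catch a failing `ip`, because only awk's status counts in a plain `sh` pipeline. I would take the first match and fail early: `IFACE=$(ip route show | awk '/^default/ {print $5; exit}')` followed by `[ -n "$IFACE" ] || { echo "ERROR: no default-route interface" >&2; exit 1; }`. The `ip` binary is not among this test's `Depends:` in tests/control (`@, systemd, procps`), so unless a package dependency already pulls in iproute2 it should be listed there. Minor: `$1`, `$SERVICE` and `$CONFIG_FILE` are expanded unquoted, and `ETC_SERVICE_FILE` is assigned but never used.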
diff --git a/upstream/metadata b/upstream/metadata
new file mode 100644 (file)
index 0000000..dc3eb20
--- /dev/null
@@ -0,0 +1,4 @@
+Bug-Database: https://redmine.openinfosecfoundation.org/
+Bug-Submit: https://redmine.openinfosecfoundation.org/projects/suricata/issues/new
+Repository: https://github.com/OISF/suricata.git
+Repository-Browse: https://github.com/OISF/suricata
diff --git a/upstream/signing-key.asc b/upstream/signing-key.asc
new file mode 100644 (file)
index 0000000..0ca2ef6
--- /dev/null
@@ -0,0 +1,53 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+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+=Rr5U
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/watch b/watch
new file mode 100644 (file)
index 0000000..b5c5136
--- /dev/null
+++ b/watch
@@ -0,0 +1,6 @@
+# watch control file for uscan
+# run the "uscan" command to check for upstream updates and more.
+# See uscan(1) for format
+
+version=4
+opts=pgpsigurlmangle=s/$/.sig/ https://openinfosecfoundation.org/download/ suricata-([\d\.]*)\.tar\.gz