suricata.git
Andreas Dolp [Sun, 22 Feb 2026 12:28:52 +0000 (13:28 +0100)]
Merge suricata (1:7.0.10-1+deb13u3) import into refs/heads/workingbranch

Philippe Antoine [Tue, 9 Dec 2025 08:38:31 +0000 (09:38 +0100)]
[PATCH 2/2] output: use tx iterator for finding alert http xff

Ticket: 8156

Allows better performance.

(cherry picked from commit ab2e128176744ead5130707bb53fa59038e19634)

Origin: upstream, https://github.com/OISF/suricata/commit/7e704a3f50690b5f5d5cc573147ef41449fe37ac.patch
Bug: https://redmine.openinfosecfoundation.org/issues/8156
Subject: Upstream fix for CVE-2026-22261 part 2

Gbp-Pq: Name CVE-2026-22261_2.patch

Philippe Antoine [Tue, 9 Dec 2025 08:21:58 +0000 (09:21 +0100)]
[PATCH 1/2] output: optimize loop for finding alert http xff

Ticket: 8156

In case of non-tx alerts, we try to loop over all the txs to find
the xff header. Do not start from tx_id 0, but from min_id
as AppLayerParserTransactionsCleanup to skip txs that were freed

(cherry picked from commit 3b1a6c1711b8f7d0bde4cb05f15cf50c751eda60)

Origin: upstream, https://github.com/OISF/suricata/commit/44d0c81f537f230e9215c769453fb4d7214217a1.patch
Bug: https://redmine.openinfosecfoundation.org/issues/8156
Subject: Upstream fix for CVE-2026-22261 part 1

Gbp-Pq: Name CVE-2026-22261_1.patch

Jason Ish [Tue, 6 Jan 2026 23:14:21 +0000 (17:14 -0600)]
[PATCH 4/4] dnp3: bound the maximum number of objects per tx

Default to 2048, but provide a user configuration value.

Ticket: #8181
(cherry picked from commit 2c95f1ff44e17c3bc8693d5e23e175f2bc90ea10)

Origin: upstream, https://github.com/OISF/suricata/commit/a6d950315d9b6c1e35c10c24d9bb7128d422c21f.patch
Bug: https://redmine.openinfosecfoundation.org/issues/8181
Subject: Upstream fix for CVE-2026-22259 part 4

Gbp-Pq: Name CVE-2026-22259_4.patch

Jason Ish [Wed, 7 Jan 2026 15:23:09 +0000 (09:23 -0600)]
[PATCH 3/4] dnp3: set a bound on the number of points per message

16384 is used as the max, but a configuration parameter has been
provided. The reason for setting an upper bound is that bit flags can
create a memory amplification as we parse them into individual data
structures.

Ticket: #8181
(cherry picked from commit 3a32bb5743c35afb3278a6448f7e9669512dbe92)

Origin: upstream, https://github.com/OISF/suricata/commit/fdd79bdb14488244604729f1d68ca4bc60000dbd.patch
Bug: https://redmine.openinfosecfoundation.org/issues/8181
Subject: Upstream fix for CVE-2026-22259 part 3

Gbp-Pq: Name CVE-2026-22259_3.patch
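
The memory amplification this commit message describes, as an added C example (not Suricata's DNP3 parser): packed single-bit points are expanded into one structure each, and the decoder refuses any message that would pass the 16384-point bound. The BitPoint and Message types, decode_packed_bits(), and the LSB-first bit order are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_POINTS_PER_MESSAGE 16384u /* upper bound named in the commit message */

/* Hypothetical decoded form of one single-bit point. */
typedef struct {
    uint32_t index;
    uint8_t state;
} BitPoint;

/* Hypothetical per-message state: every decoded point of the message. */
typedef struct {
    BitPoint *points;
    size_t count;
} Message;

/* Bytes of heap used for the points carried by one wire byte (8 bits). */
static size_t amplification_factor(void)
{
    return 8 * sizeof(BitPoint);
}

/* Expand nbits packed bits (assumed LSB first) into BitPoint entries.
 * Returns false, without allocating, when the declared count does not fit
 * in the data present or would push the message past the point bound. */
static bool decode_packed_bits(Message *msg, const uint8_t *data,
                               size_t data_len, size_t nbits,
                               uint32_t start_index)
{
    size_t need = nbits / 8 + (nbits % 8 ? 1 : 0);
    if (need > data_len)
        return false; /* count field claims more bits than were sent */
    if (nbits > MAX_POINTS_PER_MESSAGE - msg->count)
        return false; /* bound on points per message */
    if (nbits == 0)
        return true;

    BitPoint *tmp = realloc(msg->points, (msg->count + nbits) * sizeof(*tmp));
    if (tmp == NULL)
        return false;
    msg->points = tmp;

    for (size_t i = 0; i < nbits; i++) {
        BitPoint *p = &msg->points[msg->count + i];
        p->index = start_index + (uint32_t)i;
        p->state = (uint8_t)((data[i / 8] >> (i % 8)) & 1);
    }
    msg->count += nbits;
    return true;
}

int main(void)
{
    /* Constructed sample input: 4096 bytes of packed bit flags. */
    static uint8_t wire[4096];
    Message msg = { NULL, 0 };

    printf("one wire byte -> %zu bytes of point structures\n",
           amplification_factor());
    printf("32768 points in one object: %s\n",
           decode_packed_bits(&msg, wire, sizeof(wire), 32768, 0)
               ? "accepted" : "rejected");
    printf("16384 points in one object: %s\n",
           decode_packed_bits(&msg, wire, 2048, 16384, 0)
               ? "accepted" : "rejected");
    printf("one more point in the same message: %s\n",
           decode_packed_bits(&msg, wire, 1, 1, 16384)
               ? "accepted" : "rejected");
    free(msg.points);
    return 0;
}
```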

Jason Ish [Tue, 6 Jan 2026 17:06:40 +0000 (11:06 -0600)]
[PATCH 2/4] dnp3: reduce flood threshold to 32 and make configurable

Lower the number of unreplied requests from 500 to 32 to consider a
flood. At the very least this is an anomaly given the DNP3 spec mentions
that DNP3 should only have one outstanding request at a time, with an
exception for unsolicited responses, so in practice no more than 2
should be seen.

Additionally make this value configurable by introducing the max-tx
parameter.

Ticket: #8181
(cherry picked from commit a16f087b93be1ff2f2edf47371866ad9b28593c1)

Origin: upstream, https://github.com/OISF/suricata/commit/635af8dc8be09667689be71d781912718ca1aa49.patch
Bug: https://redmine.openinfosecfoundation.org/issues/8181
Subject: Upstream fix for CVE-2026-22259 part 2

Gbp-Pq: Name CVE-2026-22259_2.patch

Jason Ish [Tue, 6 Jan 2026 22:15:09 +0000 (16:15 -0600)]
[PATCH 1/4] dnp3: check done state, not complete state for progress

Complete is a flag used to tell if the message was completely parsed,
as not all messages may be completely parsed if we don't know all
their objects. However, they are still "done".

In the alstate-progress callback, check the done flag, not the
complete flag.

Ticket: #8181
(cherry picked from commit d61eef9a8a0d92921989479de15e5cbfec3251a9)

Origin: upstream, https://github.com/OISF/suricata/commit/63225d5f8ef64cc65164c0bb1800730842d54942.patch
Bug: https://redmine.openinfosecfoundation.org/issues/8181
Subject: Upstream fix for CVE-2026-22259 part 1

Gbp-Pq: Name CVE-2026-22259_1.patch

Shivani Bhardwaj [Mon, 5 Jan 2026 13:57:11 +0000 (19:27 +0530)]
[PATCH] detect/alert: check alert queue capacity before expanding

So far, the alert queue was expanded by doubling in size w/o any
boundary checks in place. This led to situations where doubling
the alert_queue_capacity meant overflow of the very same value
stored in det_ctx.
This led to heap-use-after-free in some conditions where
det_ctx->alert_queue_capacity overflowed.

Fix this by capping the max of alert_queue_capacity by checking if its
expansion could result in an overflow.

Security 8190

(cherry picked from commit ac1eb394181530430fb7262969f423a1bf8f209b)

Origin: upstream, https://github.com/OISF/suricata/commit/5789a3d3760dbf33d93fc56c27bd9529e5bdc8f2.patch
Bug: https://redmine.openinfosecfoundation.org/issues/8190
Subject: Upstream fix for CVE-2026-22264

Gbp-Pq: Name CVE-2026-22264.patch
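
The capacity overflow this commit message describes, as an added C example (not Suricata's code): doubling a fixed-width capacity without a check wraps to a smaller value, while the checked version stops growing at the largest capacity that can still be doubled safely. The AlertQueue type, its field and function names, and the 16-bit width of the capacity are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a per-thread alert queue. */
typedef struct {
    uint32_t *sids;
    uint16_t capacity; /* allocated slots (16-bit width is an assumption) */
    uint16_t count;    /* used slots */
} AlertQueue;

/* Unchecked doubling: for capacity > UINT16_MAX / 2 the result wraps and
 * ends up smaller than the number of entries already queued. */
static uint16_t grow_unchecked(uint16_t capacity)
{
    return (uint16_t)(capacity * 2);
}

/* Checked doubling: refuse to grow when the doubled value cannot be
 * represented in the capacity field. */
static bool grow_checked(uint16_t capacity, uint16_t *new_capacity)
{
    if (capacity == 0 || capacity > UINT16_MAX / 2)
        return false;
    *new_capacity = (uint16_t)(capacity * 2);
    return true;
}

static bool aq_init(AlertQueue *q, uint16_t initial)
{
    q->sids = calloc(initial, sizeof(*q->sids));
    q->capacity = q->sids ? initial : 0;
    q->count = 0;
    return q->sids != NULL;
}

/* Append one entry; when the queue is full and cannot grow any further the
 * entry is dropped instead of letting the capacity wrap. */
static bool aq_push(AlertQueue *q, uint32_t sid)
{
    if (q->count == q->capacity) {
        uint16_t new_capacity;
        if (!grow_checked(q->capacity, &new_capacity))
            return false;
        uint32_t *tmp = realloc(q->sids, (size_t)new_capacity * sizeof(*tmp));
        if (tmp == NULL)
            return false;
        q->sids = tmp;
        q->capacity = new_capacity;
    }
    q->sids[q->count++] = sid;
    return true;
}

/* Push up to n entries and report how many were accepted. */
static uint32_t aq_fill(AlertQueue *q, uint32_t n)
{
    uint32_t accepted = 0;
    for (uint32_t i = 0; i < n; i++) {
        if (!aq_push(q, i))
            break;
        accepted++;
    }
    return accepted;
}

static void aq_free(AlertQueue *q)
{
    free(q->sids);
    q->sids = NULL;
    q->capacity = 0;
    q->count = 0;
}

int main(void)
{
    AlertQueue q;

    printf("unchecked: 32768 -> %u, 40000 -> %u\n",
           (unsigned)grow_unchecked(32768), (unsigned)grow_unchecked(40000));
    if (!aq_init(&q, 4))
        return 1;
    printf("checked: accepted %u of 40000, capacity %u\n",
           (unsigned)aq_fill(&q, 40000), (unsigned)q.capacity);
    aq_free(&q);
    return 0;
}
```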

Philippe Antoine [Tue, 25 Nov 2025 13:43:18 +0000 (14:43 +0100)]
[PATCH 2/2] datasets: allocates on the heap if string base64 is long

Ticket: 8110
(cherry picked from commit d6bc718e303ecbec5999066b8bc88eeeca743658)

Origin: upstream, https://github.com/OISF/suricata/commit/27a2180bceaa3477419c78c54fce364398d011f1.patch
Bug: https://redmine.openinfosecfoundation.org/issues/8110
Subject: Upstream fix for CVE-2026-22262 part 2

Gbp-Pq: Name CVE-2026-22262_2.patch

Philippe Antoine [Mon, 17 Nov 2025 12:27:54 +0000 (13:27 +0100)]
[PATCH 1/2] datasets: explicitly errors on too long string

Also avoids stack allocation

Ticket: 8110
(cherry picked from commit 0eff24213763c2aa2bb0957901d5dc1e18414dbf)

Origin: upstream, https://github.com/OISF/suricata/commit/32609e6896f9079c175665a94005417cec7637eb.patch
Bug: https://redmine.openinfosecfoundation.org/issues/8110
Subject: Upstream fix for CVE-2026-22262 part 1

Gbp-Pq: Name CVE-2026-22262_1.patch

Philippe Antoine [Thu, 8 Jan 2026 13:48:40 +0000 (14:48 +0100)]
[PATCH 3/3] dcerpc: use saturating_add to count fragments

And do not overflow if we have traffic with more than 65K fragments

(cherry picked from commit a48200b9e5befb1f0aa45ad5b33e2664e6a9fa41)

Origin: upstream, https://github.com/OISF/suricata/commit/c9b80e5affe073ce9d95d0c935a8d67647c83bf7.patch
Bug: https://redmine.openinfosecfoundation.org/issues/8182
Subject: Upstream fix for CVE-2026-22258 part 3

Gbp-Pq: Name CVE-2026-22258_3.patch

Shivani Bhardwaj [Wed, 7 Jan 2026 05:03:57 +0000 (10:33 +0530)]
[PATCH 2/3] doc: add dcerpc.max-stub-size config param

(cherry picked from commit 6702791a9c4463858c8b54ee8678fd4f5fbe831a)

Origin: upstream, https://github.com/OISF/suricata/commit/df389f8a43a06c718bb336ea082d6c80d6fefda0.patch
Bug: https://redmine.openinfosecfoundation.org/issues/8182
Subject: Upstream fix for CVE-2026-22258 part 2

Gbp-Pq: Name CVE-2026-22258_2.patch

Shivani Bhardwaj [Tue, 6 Jan 2026 11:14:52 +0000 (16:44 +0530)]
[PATCH 1/3] dcerpc: add upper limit on stub data

DCERPC parsers had no upper bounds when it came to extending the stub
data buffer. Traffic can be crafted to bypass some internal parser
conditions to create an indefinite buffering in the stub_data array that
can make Suricata crash.

Add a default limit of 1MiB and make it configurable for the user.

Security 8182

Co-authored-by: Philippe Antoine <pantoine@oisf.net>
(cherry picked from commit e412215af990feeffbb66c7dd9f392813a20ae50)

Origin: upstream, https://github.com/OISF/suricata/commit/f82a388d0283725cb76782cf64e8341cab370830.patch
Bug: https://redmine.openinfosecfoundation.org/issues/8182
Subject: Upstream fix for CVE-2026-22258 part 1

Gbp-Pq: Name CVE-2026-22258_1.patch

Juliana Fajardini [Sat, 1 Nov 2025 04:38:12 +0000 (21:38 -0700)]
[PATCH] output/alert: fix alert index access for verdict

The engine uses p.alerts.cnt as an index to access the packet alert that
has the `pass` action for the verdict.
For IDS/IPS mode, a `pass` will always be the last signature in the
alert queue. However, that position could be either `p.alerts.cnt` or
`p.alerts.cnt-1`, depending on whether the `pass` rule has the `alert`
keyword or not.
This patch fixes corner-case scenarios of:
- accessing an index out of boundaries
- off-by-one access
Without changing how the engine increments the alerts.cnt, as this is
used in many places, and would be a more invasive change.
It checks the two different scenarios, plus the case when there is only
a single match as a silent `pass` rule.

Bug #8021
Bug #7630

Origin: upstream, https://github.com/OISF/suricata/commit/5d6c24cc2ce6a390c0956b7ecb2c5efc47e72abc.patch
Bug: https://redmine.openinfosecfoundation.org/issues/8021
Subject: Upstream fix for CVE-2025-64330

Gbp-Pq: Name CVE-2025-64330.patch

Philippe Antoine [Thu, 30 Oct 2025 10:18:15 +0000 (11:18 +0100)]
[PATCH] output/jsonbuilder: helper function SCJbSetPrintAsciiString

To replace C PrintStringsToBuffer and avoid a stack alloc
+ copy

Ticket: 8004
(cherry picked from commit 7447651fa0956ff4ce55283a51b4a9494ec8cc6a)

Origin: upstream, https://github.com/OISF/suricata/commit/5abf9b81e78476f49ab074f3a74b5840747cd069.patch
Bug: https://redmine.openinfosecfoundation.org/issues/8004
Subject: Upstream fix for CVE-2025-64331

Gbp-Pq: Name CVE-2025-64331.patch

Philippe Antoine [Thu, 30 Oct 2025 10:27:22 +0000 (11:27 +0100)]
[PATCH] util/swf: move allocation from stack to heap

As it can overflow the stack

Ticket: 8055
(cherry picked from commit a84addb771846f6d4d55ec535a4591f58369e49c)

Origin: upstream, https://github.com/OISF/suricata/commit/f67d72702a2601d0a86ac1450686e70d7176f629.patch
Bug: https://redmine.openinfosecfoundation.org/issues/8055
Subject: Upstream fix for CVE-2025-64332

Gbp-Pq: Name CVE-2025-64332.patch

Philippe Antoine [Thu, 30 Oct 2025 10:43:27 +0000 (11:43 +0100)]
[PATCH] output/http: log content-type like other headers

Ticket: 8056

Avoid stack allocation.
Do not handle null and ; especially

(cherry picked from commit b8411fcc8dfc16910c3080d4d8c03a9a64c3a1f7)

Origin: upstream, https://github.com/OISF/suricata/commit/4b1d284bb57219b6677a8bda5cdc14a24a6aa22d.patch
Bug: https://redmine.openinfosecfoundation.org/issues/8056
Subject: Upstream fix for CVE-2025-64333

Gbp-Pq: Name CVE-2025-64333.patch

Victor Julien [Fri, 31 Oct 2025 08:38:55 +0000 (09:38 +0100)]
[PATCH] lua: remove luajit pushlstring workaround

81ee6f5aadeb ("lua: push correct length back through ScFlowvarGet, work around valgrind warning")
added a workaround for valgrind warnings in pushing a string buffer
into the lua state. This is no longer needed as tested with both
address sanitizer and valgrind.

(cherry picked from commit 52fd61dffdfa50c9a2d4ec24865a54da0b8f0a2a)

Origin: upstream, https://github.com/OISF/suricata/commit/a7ff4c9ba53009680c7cd128b16c28d0aeda9886.patch
Bug: https://redmine.openinfosecfoundation.org/issues/8065
Subject: Upstream fix for CVE-2025-64344

Gbp-Pq: Name CVE-2025-64344.patch

Victor Julien [Wed, 20 Aug 2025 10:43:27 +0000 (12:43 +0200)]
CVE-2025-59147

From e91b03c90385db15e21cf1a0e85b921bf92b039e Mon Sep 17 00:00:00 2001
# Subject: [PATCH] stream: improve SYN and SYN/ACK retransmission handling

Take SEQ and ACK into account for more scenarios.

SYN on SYN_SENT

In this case the SYN packets with different SEQ and other properties are
queued up. Each packet updates the ssn to reflect the last packet to
come in. The old ssn data is added to a TcpStateQueue entry in
TcpSession::queue. If the max queue length is exceeded, the oldest entry
is evicted. The queue is actually a singly linked list, where the list
head reflects the oldest entry.

SYN/ACK on SYN_SENT

In this case the first check is if the SYN/ACK matches the session. If
it doesn't, the queue is checked to see if there are SYNs stored. If one is
found that matches, it is used and the session is updated to reflect
that.

SYN/ACK on SYN_RECV

SYN/ACK resent on the SYN_RECV state. In this case the ssn is updated
from the current packet. The old settings are stored in a TcpStateQueue
entry in the TcpSession::queue.

ACK on SYN_RECV

Checks any stored SYN/ACKs before checking the session. If a queued
SYN/ACK was sound, the session is updated to match it.

Ticket: #3844.
Ticket: #7657.
(cherry picked from commit be6315dba0d9101b11d16e9dacfe2822b3792f1b)

Patch adjusted for Debian to fit for Suricata 7.0.10.

Origin: upstream, https://github.com/OISF/suricata/commit/e91b03c90385db15e21cf1a0e85b921bf92b039e.patch
Bug: https://redmine.openinfosecfoundation.org/issues/7852
Subject: Upstream fix for CVE-2025-59147

Gbp-Pq: Name CVE-2025-59147.patch

Philippe Antoine [Tue, 15 Apr 2025 10:34:37 +0000 (12:34 +0200)]
CVE-2025-53538

From 97eee2cadacf3423a1ebcdd1943a7a7917f5cc56 Mon Sep 17 00:00:00 2001
# Subject: [PATCH] http2: forbid data on stream 0

Ticket: 7658

Suricata will not handle well if we open a file for this tx,
do not close it, but set the transaction state to completed.

RFC 9113 section 6.1 states:

If a DATA frame is received whose Stream Identifier field is 0x00,
the recipient MUST respond with a connection error (Section 5.4.1)
 of type PROTOCOL_ERROR.

(cherry picked from commit 1d6d331752e933c46aca0ae7a9679b27462246e3)

Origin: upstream, https://github.com/OISF/suricata/commit/97eee2cadacf3423a1ebcdd1943a7a7917f5cc56.patch
Bug: https://redmine.openinfosecfoundation.org/issues/7659
Bug-Debian: https://bugs.debian.org/1109806
Subject: Upstream fix for CVE-2025-53538

Gbp-Pq: Name CVE-2025-53538.patch
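
The RFC 9113 rule quoted in this commit message, as an added C example (not Suricata's parser code): the 9-byte frame header is decoded, the reserved bit is masked off the stream identifier, and a DATA frame on stream 0 is reported as a protocol error before any per-stream state is touched. The type and function names and the sample frames are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { H2_FRAME_HEADER_LEN = 9, H2_FRAME_DATA = 0x0, H2_FRAME_SETTINGS = 0x4 };

typedef enum { H2_OK, H2_NEED_MORE, H2_PROTOCOL_ERROR } H2Result;

typedef struct {
    uint32_t length;    /* 24-bit payload length */
    uint8_t type;
    uint8_t flags;
    uint32_t stream_id; /* 31 bits, reserved bit already removed */
} H2FrameHeader;

/* Decode one HTTP/2 frame header (RFC 9113 section 4.1) and apply the
 * section 6.1 rule that DATA frames are never valid on stream 0. */
static H2Result h2_parse_frame_header(const uint8_t *buf, size_t len,
                                      H2FrameHeader *h)
{
    if (len < H2_FRAME_HEADER_LEN)
        return H2_NEED_MORE;

    h->length = ((uint32_t)buf[0] << 16) | ((uint32_t)buf[1] << 8) | buf[2];
    h->type = buf[3];
    h->flags = buf[4];
    /* The top bit is reserved and must be ignored, so a sender cannot hide
     * stream 0 behind it. */
    h->stream_id = ((uint32_t)(buf[5] & 0x7f) << 24) |
                   ((uint32_t)buf[6] << 16) |
                   ((uint32_t)buf[7] << 8) | buf[8];

    if (h->type == H2_FRAME_DATA && h->stream_id == 0)
        return H2_PROTOCOL_ERROR;
    return H2_OK;
}

/* Constructed sample headers (length 5 or 0, no payload bytes attached). */
static const uint8_t SAMPLE_DATA_STREAM1[9] = { 0, 0, 5, 0x0, 0x1, 0, 0, 0, 1 };
static const uint8_t SAMPLE_DATA_STREAM0[9] = { 0, 0, 5, 0x0, 0x0, 0, 0, 0, 0 };
static const uint8_t SAMPLE_DATA_STREAM0_RESERVED[9] =
    { 0, 0, 5, 0x0, 0x0, 0x80, 0, 0, 0 };
static const uint8_t SAMPLE_SETTINGS_STREAM0[9] =
    { 0, 0, 0, 0x4, 0x0, 0, 0, 0, 0 };

static const char *h2_result_name(H2Result r)
{
    switch (r) {
    case H2_OK: return "ok";
    case H2_NEED_MORE: return "need more data";
    default: return "PROTOCOL_ERROR";
    }
}

int main(void)
{
    const uint8_t *samples[] = { SAMPLE_DATA_STREAM1, SAMPLE_DATA_STREAM0,
                                 SAMPLE_DATA_STREAM0_RESERVED,
                                 SAMPLE_SETTINGS_STREAM0 };
    const char *labels[] = { "DATA on stream 1", "DATA on stream 0",
                             "DATA on stream 0 with reserved bit set",
                             "SETTINGS on stream 0" };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        H2FrameHeader h;
        H2Result r = h2_parse_frame_header(samples[i], H2_FRAME_HEADER_LEN, &h);
        printf("%-40s -> %s\n", labels[i], h2_result_name(r));
    }
    return 0;
}
```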

Pierre Chifflier [Sun, 22 Feb 2026 12:28:52 +0000 (13:28 +0100)]
llc

Gbp-Pq: Name llc.patch

Eric Leblond [Thu, 31 Oct 2019 12:29:56 +0000 (13:29 +0100)]
[PATCH] ebpf: avoid to include if_tunnel.h

This is causing a dependency issue as files from another architecture
have to be installed.

Gbp-Pq: Name avoid-to-include-if_tunnel-h.patch

Eric Leblond [Wed, 17 Jul 2019 10:35:12 +0000 (12:35 +0200)]
[PATCH] af-packet: fix build on recent Linux kernels

Gbp-Pq: Name import-sockio-h.patch

Hilko Bengen [Tue, 23 Jul 2019 12:43:21 +0000 (14:43 +0200)]
Add --with-ebpf-includes parameter

Gbp-Pq: Name with-ebpf-includes.patch

Hilko Bengen [Tue, 22 Jan 2019 17:10:47 +0000 (18:10 +0100)]
configure: Introduce CLANG variable

Gbp-Pq: Name configure-clang-variable.patch

Sascha Steinbiss [Sun, 22 Feb 2026 12:28:52 +0000 (13:28 +0100)]
do not clean vendor directory on distclean

Last-Update: 2018-12-26

dh_auto_clean calls make distclean, which in the case of Suricata also
removes the vendor directory. This breaks repeated builds.

Gbp-Pq: Name fix-repeated-builds.patch

Adrian Bunk [Sun, 22 Feb 2026 12:28:52 +0000 (13:28 +0100)]
Don't use __USE_GNU

__USE_GNU is a glibc-internal symbol.
AC_USE_SYSTEM_EXTENSIONS is the proper autoconf
way to enable extensions.

Gbp-Pq: Name no-use-gnu.patch

Pierre Chifflier [Sun, 22 Feb 2026 12:28:52 +0000 (13:28 +0100)]
cross

Gbp-Pq: Name cross.patch

Arturo Borrero Gonzalez [Sun, 22 Feb 2026 12:28:52 +0000 (13:28 +0100)]
Debian default configuration

This patch sets Debian defaults for suricata configuration.

Currently, it sets a proper path for suricata unix socket.

Forwarded: not-needed
Last-Update: 2016-12-01

Gbp-Pq: Name debian-default-cfg.patch

Arturo Borrero Gonzalez [Sun, 22 Feb 2026 12:28:52 +0000 (13:28 +0100)]
Patch to make the suricata build reproducible

This patch makes some changes to the suricata build to make it reproducible.

Currently, it only filters out the -fdebug-prefix-map CFLAG which embeds the build path.

Forwarded: not-needed
Last-Update: 2016-09-05

Gbp-Pq: Name reproducible.patch

Andreas Dolp [Sun, 22 Feb 2026 12:28:52 +0000 (13:28 +0100)]
suricata (1:7.0.10-1+deb13u3) trixie; urgency=medium

  * Fix CVE-2026-22258 in 7.0.10.
    Cherry-Picked from:
    * f82a388d0283725cb76782cf64e8341cab370830
    * df389f8a43a06c718bb336ea082d6c80d6fefda0
    * c9b80e5affe073ce9d95d0c935a8d67647c83bf7
  * Fix CVE-2026-22262 in 7.0.10.
    Cherry-Picked from:
    * 32609e6896f9079c175665a94005417cec7637eb
    * 27a2180bceaa3477419c78c54fce364398d011f1
  * Fix CVE-2026-22264 in 7.0.10.
    Cherry-Picked from 5789a3d3760dbf33d93fc56c27bd9529e5bdc8f2.
  * Fix CVE-2026-22259 in 7.0.10.
    Cherry-Picked from:
    * 63225d5f8ef64cc65164c0bb1800730842d54942
    * 635af8dc8be09667689be71d781912718ca1aa49
    * fdd79bdb14488244604729f1d68ca4bc60000dbd
    * a6d950315d9b6c1e35c10c24d9bb7128d422c21f
    With this fix, DNP3 has reduced the default maximum number of
    outstanding transactions from 500 down to 32.
    Read the update instructions for Suricata 7.0.14 for more details.
  * Fix CVE-2026-22261 in 7.0.10.
    Cherry-Picked from:
    * 44d0c81f537f230e9215c769453fb4d7214217a1
    * 7e704a3f50690b5f5d5cc573147ef41449fe37ac

[dgit import unpatched suricata 1:7.0.10-1+deb13u3]

Andreas Dolp [Sun, 22 Feb 2026 12:28:52 +0000 (13:28 +0100)]
Import suricata_7.0.10-1+deb13u3.debian.tar.xz

[dgit import tarball suricata 1:7.0.10-1+deb13u3 suricata_7.0.10-1+deb13u3.debian.tar.xz]

Andreas Dolp [Wed, 10 Dec 2025 19:12:20 +0000 (20:12 +0100)]
Merge suricata (1:7.0.10-1+deb13u2) import into refs/heads/workingbranch

Juliana Fajardini [Sat, 1 Nov 2025 04:38:12 +0000 (21:38 -0700)]
[PATCH] output/alert: fix alert index access for verdict

The engine uses p.alerts.cnt as an index to access the packet alert that
has the `pass` action for the verdict.
For IDS/IPS mode, a `pass` will always be the last signature in the
alert queue. However, that position could be either `p.alerts.cnt` or
`p.alerts.cnt-1`, depending on whether the `pass` rule has the `alert`
keyword or not.
This patch fixes corner-case scenarios of:
- accessing an index out of boundaries
- off-by-one access
Without changing how the engine increments the alerts.cnt, as this is
used in many places, and would be a more invasive change.
It checks the two different scenarios, plus the case when there is only
a single match as a silent `pass` rule.

Bug #8021
Bug #7630

Origin: upstream, https://github.com/OISF/suricata/commit/5d6c24cc2ce6a390c0956b7ecb2c5efc47e72abc.patch
Bug: https://redmine.openinfosecfoundation.org/issues/8021
Subject: Upstream fix for CVE-2025-64330

Gbp-Pq: Name CVE-2025-64330.patch

Philippe Antoine [Thu, 30 Oct 2025 10:18:15 +0000 (11:18 +0100)]
[PATCH] output/jsonbuilder: helper function SCJbSetPrintAsciiString

To replace C PrintStringsToBuffer and avoid a stack alloc
+ copy

Ticket: 8004
(cherry picked from commit 7447651fa0956ff4ce55283a51b4a9494ec8cc6a)

Origin: upstream, https://github.com/OISF/suricata/commit/5abf9b81e78476f49ab074f3a74b5840747cd069.patch
Bug: https://redmine.openinfosecfoundation.org/issues/8004
Subject: Upstream fix for CVE-2025-64331

Gbp-Pq: Name CVE-2025-64331.patch

Philippe Antoine [Thu, 30 Oct 2025 10:27:22 +0000 (11:27 +0100)]
[PATCH] util/swf: move allocation from stack to heap

As it can overflow the stack

Ticket: 8055
(cherry picked from commit a84addb771846f6d4d55ec535a4591f58369e49c)

Origin: upstream, https://github.com/OISF/suricata/commit/f67d72702a2601d0a86ac1450686e70d7176f629.patch
Bug: https://redmine.openinfosecfoundation.org/issues/8055
Subject: Upstream fix for CVE-2025-64332

Gbp-Pq: Name CVE-2025-64332.patch

Philippe Antoine [Thu, 30 Oct 2025 10:43:27 +0000 (11:43 +0100)]
[PATCH] output/http: log content-type like other headers

Ticket: 8056

Avoid stack allocation.
Do not handle null and ; especially

(cherry picked from commit b8411fcc8dfc16910c3080d4d8c03a9a64c3a1f7)

Origin: upstream, https://github.com/OISF/suricata/commit/4b1d284bb57219b6677a8bda5cdc14a24a6aa22d.patch
Bug: https://redmine.openinfosecfoundation.org/issues/8056
Subject: Upstream fix for CVE-2025-64333

Gbp-Pq: Name CVE-2025-64333.patch

Victor Julien [Fri, 31 Oct 2025 08:38:55 +0000 (09:38 +0100)]
[PATCH] lua: remove luajit pushlstring workaround

81ee6f5aadeb ("lua: push correct length back through ScFlowvarGet, work around valgrind warning")
added a workaround for valgrind warnings in pushing a string buffer
into the lua state. This is no longer needed as tested with both
address sanitizer and valgrind.

(cherry picked from commit 52fd61dffdfa50c9a2d4ec24865a54da0b8f0a2a)

Origin: upstream, https://github.com/OISF/suricata/commit/a7ff4c9ba53009680c7cd128b16c28d0aeda9886.patch
Bug: https://redmine.openinfosecfoundation.org/issues/8065
Subject: Upstream fix for CVE-2025-64344

Gbp-Pq: Name CVE-2025-64344.patch

Victor Julien [Wed, 20 Aug 2025 10:43:27 +0000 (12:43 +0200)]
CVE-2025-59147

From e91b03c90385db15e21cf1a0e85b921bf92b039e Mon Sep 17 00:00:00 2001
# Subject: [PATCH] stream: improve SYN and SYN/ACK retransmission handling

Take SEQ and ACK into account for more scenarios.

SYN on SYN_SENT

In this case the SYN packets with different SEQ and other properties are
queued up. Each packet updates the ssn to reflect the last packet to
come in. The old ssn data is added to a TcpStateQueue entry in
TcpSession::queue. If the max queue length is exceeded, the oldest entry
is evicted. The queue is actually a singly linked list, where the list
head reflects the oldest entry.

SYN/ACK on SYN_SENT

In this case the first check is if the SYN/ACK matches the session. If
it doesn't, the queue is checked to see if there are SYNs stored. If one is
found that matches, it is used and the session is updated to reflect
that.

SYN/ACK on SYN_RECV

SYN/ACK resent on the SYN_RECV state. In this case the ssn is updated
from the current packet. The old settings are stored in a TcpStateQueue
entry in the TcpSession::queue.

ACK on SYN_RECV

Checks any stored SYN/ACKs before checking the session. If a queued
SYN/ACK was sound, the session is updated to match it.

Ticket: #3844.
Ticket: #7657.
(cherry picked from commit be6315dba0d9101b11d16e9dacfe2822b3792f1b)

Patch adjusted for Debian to fit for Suricata 7.0.10.

Origin: upstream, https://github.com/OISF/suricata/commit/e91b03c90385db15e21cf1a0e85b921bf92b039e.patch
Bug: https://redmine.openinfosecfoundation.org/issues/7852
Subject: Upstream fix for CVE-2025-59147

Gbp-Pq: Name CVE-2025-59147.patch

Philippe Antoine [Tue, 15 Apr 2025 10:34:37 +0000 (12:34 +0200)]
CVE-2025-53538

From 97eee2cadacf3423a1ebcdd1943a7a7917f5cc56 Mon Sep 17 00:00:00 2001
# Subject: [PATCH] http2: forbid data on stream 0

Ticket: 7658

Suricata will not handle well if we open a file for this tx,
do not close it, but set the transaction state to completed.

RFC 9113 section 6.1 states:

If a DATA frame is received whose Stream Identifier field is 0x00,
the recipient MUST respond with a connection error (Section 5.4.1)
 of type PROTOCOL_ERROR.

(cherry picked from commit 1d6d331752e933c46aca0ae7a9679b27462246e3)

Origin: upstream, https://github.com/OISF/suricata/commit/97eee2cadacf3423a1ebcdd1943a7a7917f5cc56.patch
Bug: https://redmine.openinfosecfoundation.org/issues/7659
Bug-Debian: https://bugs.debian.org/1109806
Subject: Upstream fix for CVE-2025-53538

Gbp-Pq: Name CVE-2025-53538.patch

Pierre Chifflier [Wed, 10 Dec 2025 19:12:20 +0000 (20:12 +0100)]
llc

Gbp-Pq: Name llc.patch

Eric Leblond [Thu, 31 Oct 2019 12:29:56 +0000 (13:29 +0100)]
[PATCH] ebpf: avoid to include if_tunnel.h

This is causing a dependency issue as files from another architecture
have to be installed.

Gbp-Pq: Name avoid-to-include-if_tunnel-h.patch

Eric Leblond [Wed, 17 Jul 2019 10:35:12 +0000 (12:35 +0200)]
[PATCH] af-packet: fix build on recent Linux kernels

Gbp-Pq: Name import-sockio-h.patch

Hilko Bengen [Tue, 23 Jul 2019 12:43:21 +0000 (14:43 +0200)]
Add --with-ebpf-includes parameter

Gbp-Pq: Name with-ebpf-includes.patch

Hilko Bengen [Tue, 22 Jan 2019 17:10:47 +0000 (18:10 +0100)]
configure: Introduce CLANG variable

Gbp-Pq: Name configure-clang-variable.patch

Sascha Steinbiss [Wed, 10 Dec 2025 19:12:20 +0000 (20:12 +0100)]
do not clean vendor directory on distclean

Last-Update: 2018-12-26

dh_auto_clean calls make distclean, which in the case of Suricata also
removes the vendor directory. This breaks repeated builds.

Gbp-Pq: Name fix-repeated-builds.patch

Adrian Bunk [Wed, 10 Dec 2025 19:12:20 +0000 (20:12 +0100)]
Don't use __USE_GNU

__USE_GNU is a glibc-internal symbol.
AC_USE_SYSTEM_EXTENSIONS is the proper autoconf
way to enable extensions.

Gbp-Pq: Name no-use-gnu.patch

Pierre Chifflier [Wed, 10 Dec 2025 19:12:20 +0000 (20:12 +0100)]
cross

Gbp-Pq: Name cross.patch

Arturo Borrero Gonzalez [Wed, 10 Dec 2025 19:12:20 +0000 (20:12 +0100)]
Debian default configuration

This patch sets Debian defaults for suricata configuration.

Currently, it sets a proper path for suricata unix socket.

Forwarded: not-needed
Last-Update: 2016-12-01

Gbp-Pq: Name debian-default-cfg.patch

Arturo Borrero Gonzalez [Wed, 10 Dec 2025 19:12:20 +0000 (20:12 +0100)]
Patch to make the suricata build reproducible

This patch makes some changes to the suricata build to make it reproducible.

Currently, it only filters out the -fdebug-prefix-map CFLAG which embeds the build path.

Forwarded: not-needed
Last-Update: 2016-09-05

Gbp-Pq: Name reproducible.patch

Andreas Dolp [Wed, 10 Dec 2025 19:12:20 +0000 (20:12 +0100)]
suricata (1:7.0.10-1+deb13u2) trixie; urgency=medium

  * Fix CVE-2025-64344 in 7.0.10.
    Cherry-Picked from upstream a7ff4c9ba53009680c7cd128b16c28d0aeda9886.
  * Fix CVE-2025-64333 in 7.0.10.
    Cherry-Picked from upstream 4b1d284bb57219b6677a8bda5cdc14a24a6aa22d.
  * Fix CVE-2025-64332 in 7.0.10.
    Cherry-Picked from upstream f67d72702a2601d0a86ac1450686e70d7176f629.
  * Fix CVE-2025-64331 in 7.0.10.
    Cherry-Picked from upstream 5abf9b81e78476f49ab074f3a74b5840747cd069.
    Added missing function declaration and refreshed patch by quilt.
  * Fix CVE-2025-64330 in 7.0.10.
    Cherry-Picked from upstream 5d6c24cc2ce6a390c0956b7ecb2c5efc47e72abc.

[dgit import unpatched suricata 1:7.0.10-1+deb13u2]

Andreas Dolp [Wed, 10 Dec 2025 19:12:20 +0000 (20:12 +0100)]
Import suricata_7.0.10-1+deb13u2.debian.tar.xz

[dgit import tarball suricata 1:7.0.10-1+deb13u2 suricata_7.0.10-1+deb13u2.debian.tar.xz]

Andreas Dolp [Sat, 27 Sep 2025 19:43:45 +0000 (21:43 +0200)]
Merge suricata (1:7.0.10-1+deb13u1) import into refs/heads/workingbranch

Victor Julien [Wed, 20 Aug 2025 10:43:27 +0000 (12:43 +0200)]
CVE-2025-59147

From e91b03c90385db15e21cf1a0e85b921bf92b039e Mon Sep 17 00:00:00 2001
# Subject: [PATCH] stream: improve SYN and SYN/ACK retransmission handling

Take SEQ and ACK into account for more scenarios.

SYN on SYN_SENT

In this case the SYN packets with different SEQ and other properties are
queued up. Each packet updates the ssn to reflect the last packet to
come in. The old ssn data is added to a TcpStateQueue entry in
TcpSession::queue. If the max queue length is exceeded, the oldest entry
is evicted. The queue is actually a singly linked list, where the list
head reflects the oldest entry.

SYN/ACK on SYN_SENT

In this case the first check is if the SYN/ACK matches the session. If
it doesn't, the queue is checked to see if there are SYNs stored. If one is
found that matches, it is used and the session is updated to reflect
that.

SYN/ACK on SYN_RECV

SYN/ACK resent on the SYN_RECV state. In this case the ssn is updated
from the current packet. The old settings are stored in a TcpStateQueue
entry in the TcpSession::queue.

ACK on SYN_RECV

Checks any stored SYN/ACKs before checking the session. If a queued
SYN/ACK was sound, the session is updated to match it.

Ticket: #3844.
Ticket: #7657.
(cherry picked from commit be6315dba0d9101b11d16e9dacfe2822b3792f1b)

Patch adjusted for Debian to fit for Suricata 7.0.10.

Origin: upstream, https://github.com/OISF/suricata/commit/e91b03c90385db15e21cf1a0e85b921bf92b039e.patch
Bug: https://redmine.openinfosecfoundation.org/issues/7852
Subject: Upstream fix for CVE-2025-59147

Gbp-Pq: Name CVE-2025-59147.patch

Philippe Antoine [Tue, 15 Apr 2025 10:34:37 +0000 (12:34 +0200)]
CVE-2025-53538

From 97eee2cadacf3423a1ebcdd1943a7a7917f5cc56 Mon Sep 17 00:00:00 2001
# Subject: [PATCH] http2: forbid data on stream 0

Ticket: 7658

Suricata will not handle well if we open a file for this tx,
do not close it, but set the transaction state to completed.

RFC 9113 section 6.1 states:

If a DATA frame is received whose Stream Identifier field is 0x00,
the recipient MUST respond with a connection error (Section 5.4.1)
 of type PROTOCOL_ERROR.

(cherry picked from commit 1d6d331752e933c46aca0ae7a9679b27462246e3)

Origin: upstream, https://github.com/OISF/suricata/commit/97eee2cadacf3423a1ebcdd1943a7a7917f5cc56.patch
Bug: https://redmine.openinfosecfoundation.org/issues/7659
Bug-Debian: https://bugs.debian.org/1109806
Subject: Upstream fix for CVE-2025-53538

Gbp-Pq: Name CVE-2025-53538.patch
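
The RFC 9113 section 6.1 rule quoted in the commit message above, written out as an added Rust example; it is not Suricata's code and not part of the patch. All type and function names are hypothetical, and the sample frame is constructed.

```rust
// Added illustration; all names are hypothetical, not Suricata's parser API.
const FRAME_HEADER_LEN: usize = 9;
const FRAME_TYPE_DATA: u8 = 0x0; // RFC 9113 section 6.1
const PROTOCOL_ERROR: u32 = 0x1; // RFC 9113 section 7

#[derive(Debug, PartialEq)]
pub struct FrameHeader {
    pub length: u32, // 24-bit payload length
    pub ftype: u8,
    pub flags: u8,
    pub stream_id: u32, // 31 bits, reserved bit cleared
}

#[derive(Debug, PartialEq)]
pub enum Verdict {
    Accept(FrameHeader),
    ConnectionError(u32),
    NeedMoreData,
}

/// Decode the fixed 9-byte HTTP/2 frame header (RFC 9113 section 4.1).
pub fn parse_header(buf: &[u8]) -> Option<FrameHeader> {
    if buf.len() < FRAME_HEADER_LEN {
        return None;
    }
    let length = u32::from_be_bytes([0, buf[0], buf[1], buf[2]]);
    // The top bit is reserved and must be ignored on receipt.
    let stream_id = u32::from_be_bytes([buf[5], buf[6], buf[7], buf[8]]) & 0x7fff_ffff;
    Some(FrameHeader { length, ftype: buf[3], flags: buf[4], stream_id })
}

/// Reject DATA on stream 0 before any per-transaction state (such as a file) is opened.
pub fn check_frame(buf: &[u8]) -> Verdict {
    match parse_header(buf) {
        None => Verdict::NeedMoreData,
        Some(h) if h.ftype == FRAME_TYPE_DATA && h.stream_id == 0 => {
            Verdict::ConnectionError(PROTOCOL_ERROR)
        }
        Some(h) => Verdict::Accept(h),
    }
}

fn main() {
    // Constructed frame: DATA (type 0x0) on stream 0 with a 2-byte payload.
    let bad: &[u8] = &[0, 0, 2, 0, 0, 0, 0, 0, 0, b'h', b'i'];
    println!("{:?}", check_frame(bad));
}
```

Masking the reserved bit before the comparison matters: a header whose stream identifier bytes are `80 00 00 00` still addresses stream 0.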

6 months agollc
Pierre Chifflier [Sat, 27 Sep 2025 19:43:45 +0000 (21:43 +0200)]
llc

Gbp-Pq: Name llc.patch

6 months ago[PATCH] ebpf: avoid to include if_tunnel.h
Eric Leblond [Thu, 31 Oct 2019 12:29:56 +0000 (13:29 +0100)]
[PATCH] ebpf: avoid to include if_tunnel.h

This is causing a dependency issue as file from another architecture
have to be installed.

Gbp-Pq: Name avoid-to-include-if_tunnel-h.patch

6 months ago[PATCH] af-packet: fix build on recent Linux kernels
Eric Leblond [Wed, 17 Jul 2019 10:35:12 +0000 (12:35 +0200)]
[PATCH] af-packet: fix build on recent Linux kernels

Gbp-Pq: Name import-sockio-h.patch

6 months agoAdd --with-ebpf-includes parameter
Hilko Bengen [Tue, 23 Jul 2019 12:43:21 +0000 (14:43 +0200)]
Add --with-ebpf-includes parameter

Gbp-Pq: Name with-ebpf-includes.patch

6 months agoconfigure: Introduce CLANG variable
Hilko Bengen [Tue, 22 Jan 2019 17:10:47 +0000 (18:10 +0100)]
configure: Introduce CLANG variable

Gbp-Pq: Name configure-clang-variable.patch

6 months agodo not clean vendor directory on distclean
Sascha Steinbiss [Sat, 27 Sep 2025 19:43:45 +0000 (21:43 +0200)]
do not clean vendor directory on distclean

Last-Update: 2018-12-26

dh_auto_clean calls make distclean, which in the case of Suricata also
removes the vendor directory. This breaks repeated builds.

Gbp-Pq: Name fix-repeated-builds.patch

6 months agoDon't use __USE_GNU
Adrian Bunk [Sat, 27 Sep 2025 19:43:45 +0000 (21:43 +0200)]
Don't use __USE_GNU

__USE_GNU is a glibc-internal symbol.
AC_USE_SYSTEM_EXTENSIONS is the proper autoconf
way to enable extensions.

Gbp-Pq: Name no-use-gnu.patch

6 months agocross
Pierre Chifflier [Sat, 27 Sep 2025 19:43:45 +0000 (21:43 +0200)]
cross

Gbp-Pq: Name cross.patch

6 months agoDebian default configuration This patch sets Debian defaults for suricata configurati...
Arturo Borrero Gonzalez [Sat, 27 Sep 2025 19:43:45 +0000 (21:43 +0200)]
Debian default configuration

This patch sets Debian defaults for suricata configuration.

Currently, it sets a proper path for suricata unix socket.

Forwarded: not-needed
Last-Update: 2016-12-01

Gbp-Pq: Name debian-default-cfg.patch

6 months agoPatch to make the suricata build reproducible This patch makes some changes to the...
Arturo Borrero Gonzalez [Sat, 27 Sep 2025 19:43:45 +0000 (21:43 +0200)]
Patch to make the suricata build reproducible

This patch makes some changes to the suricata build to make it reproducible.

Currently, it only filters out the -fdebug-prefix-map CFLAG which embeds the build path.

Forwarded: not-needed
Last-Update: 2016-09-05

Gbp-Pq: Name reproducible.patch

6 months agosuricata (1:7.0.10-1+deb13u1) trixie; urgency=medium
Andreas Dolp [Sat, 27 Sep 2025 19:43:45 +0000 (21:43 +0200)]
suricata (1:7.0.10-1+deb13u1) trixie; urgency=medium

  * Fix CVE-2025-53538 in 7.0.10.
    Cherry-Picked from upstream 97eee2cadacf3423a1ebcdd1943a7a7917f5cc56.
    Closes: #1109806
    Reference: #1116945
  * Fix CVE-2025-59147 in 7.0.10.
    Cherry-Picked from upstream e91b03c90385db15e21cf1a0e85b921bf92b039e
    and slightly modified to fit for Suricata 7.0.10.
    Reference: #1119940

[dgit import unpatched suricata 1:7.0.10-1+deb13u1]

6 months agoImport suricata_7.0.10-1+deb13u1.debian.tar.xz
Andreas Dolp [Sat, 27 Sep 2025 19:43:45 +0000 (21:43 +0200)]
Import suricata_7.0.10-1+deb13u1.debian.tar.xz

[dgit import tarball suricata 1:7.0.10-1+deb13u1 suricata_7.0.10-1+deb13u1.debian.tar.xz]

12 months agoImport suricata_7.0.10.orig.tar.xz
Sascha Steinbiss [Wed, 26 Mar 2025 08:28:20 +0000 (09:28 +0100)]
Import suricata_7.0.10.orig.tar.xz

[dgit import orig suricata_7.0.10.orig.tar.xz]

12 months agoMerge suricata (1:7.0.10-1) import into refs/heads/workingbranch
Sascha Steinbiss [Wed, 26 Mar 2025 08:28:20 +0000 (09:28 +0100)]
Merge suricata (1:7.0.10-1) import into refs/heads/workingbranch

12 months agollc
Pierre Chifflier [Wed, 26 Mar 2025 08:28:20 +0000 (09:28 +0100)]
llc

Gbp-Pq: Name llc.patch

12 months ago[PATCH] ebpf: avoid to include if_tunnel.h
Eric Leblond [Thu, 31 Oct 2019 12:29:56 +0000 (13:29 +0100)]
[PATCH] ebpf: avoid to include if_tunnel.h

This is causing a dependency issue as file from another architecture
have to be installed.

Gbp-Pq: Name avoid-to-include-if_tunnel-h.patch

12 months ago[PATCH] af-packet: fix build on recent Linux kernels
Eric Leblond [Wed, 17 Jul 2019 10:35:12 +0000 (12:35 +0200)]
[PATCH] af-packet: fix build on recent Linux kernels

Gbp-Pq: Name import-sockio-h.patch

12 months agoAdd --with-ebpf-includes parameter
Hilko Bengen [Tue, 23 Jul 2019 12:43:21 +0000 (14:43 +0200)]
Add --with-ebpf-includes parameter

Gbp-Pq: Name with-ebpf-includes.patch

12 months agoconfigure: Introduce CLANG variable
Hilko Bengen [Tue, 22 Jan 2019 17:10:47 +0000 (18:10 +0100)]
configure: Introduce CLANG variable

Gbp-Pq: Name configure-clang-variable.patch

12 months agodo not clean vendor directory on distclean
Sascha Steinbiss [Wed, 26 Mar 2025 08:28:20 +0000 (09:28 +0100)]
do not clean vendor directory on distclean

Last-Update: 2018-12-26

dh_auto_clean calls make distclean, which in the case of Suricata also
removes the vendor directory. This breaks repeated builds.

Gbp-Pq: Name fix-repeated-builds.patch

12 months agoDon't use __USE_GNU
Adrian Bunk [Wed, 26 Mar 2025 08:28:20 +0000 (09:28 +0100)]
Don't use __USE_GNU

__USE_GNU is a glibc-internal symbol.
AC_USE_SYSTEM_EXTENSIONS is the proper autoconf
way to enable extensions.

Gbp-Pq: Name no-use-gnu.patch

12 months agocross
Pierre Chifflier [Wed, 26 Mar 2025 08:28:20 +0000 (09:28 +0100)]
cross

Gbp-Pq: Name cross.patch

12 months agoDebian default configuration This patch sets Debian defaults for suricata configurati...
Arturo Borrero Gonzalez [Wed, 26 Mar 2025 08:28:20 +0000 (09:28 +0100)]
Debian default configuration

This patch sets Debian defaults for suricata configuration.

Currently, it sets a proper path for suricata unix socket.

Forwarded: not-needed
Last-Update: 2016-12-01

Gbp-Pq: Name debian-default-cfg.patch

12 months agoPatch to make the suricata build reproducible This patch makes some changes to the...
Arturo Borrero Gonzalez [Wed, 26 Mar 2025 08:28:20 +0000 (09:28 +0100)]
Patch to make the suricata build reproducible

This patch makes some changes to the suricata build to make it reproducible.

Currently, it only filters out the -fdebug-prefix-map CFLAG which embeds the build path.

Forwarded: not-needed
Last-Update: 2016-09-05

Gbp-Pq: Name reproducible.patch

12 months agosuricata (1:7.0.10-1) unstable; urgency=medium
Sascha Steinbiss [Wed, 26 Mar 2025 08:28:20 +0000 (09:28 +0100)]
suricata (1:7.0.10-1) unstable; urgency=medium

  * New upstream release.

[dgit import unpatched suricata 1:7.0.10-1]

12 months agoImport suricata_7.0.10-1.debian.tar.xz
Sascha Steinbiss [Wed, 26 Mar 2025 08:28:20 +0000 (09:28 +0100)]
Import suricata_7.0.10-1.debian.tar.xz

[dgit import tarball suricata 1:7.0.10-1 suricata_7.0.10-1.debian.tar.xz]

12 months agoMerge suricata (1:7.0.9-1) import into refs/heads/workingbranch
Sascha Steinbiss [Tue, 18 Mar 2025 17:15:01 +0000 (18:15 +0100)]
Merge suricata (1:7.0.9-1) import into refs/heads/workingbranch

12 months agollc
Pierre Chifflier [Tue, 18 Mar 2025 17:15:01 +0000 (18:15 +0100)]
llc

Gbp-Pq: Name llc.patch

12 months ago[PATCH] ebpf: avoid to include if_tunnel.h
Eric Leblond [Thu, 31 Oct 2019 12:29:56 +0000 (13:29 +0100)]
[PATCH] ebpf: avoid to include if_tunnel.h

This is causing a dependency issue as file from another architecture
have to be installed.

Gbp-Pq: Name avoid-to-include-if_tunnel-h.patch

12 months ago[PATCH] af-packet: fix build on recent Linux kernels
Eric Leblond [Wed, 17 Jul 2019 10:35:12 +0000 (12:35 +0200)]
[PATCH] af-packet: fix build on recent Linux kernels

Gbp-Pq: Name import-sockio-h.patch

12 months agoAdd --with-ebpf-includes parameter
Hilko Bengen [Tue, 23 Jul 2019 12:43:21 +0000 (14:43 +0200)]
Add --with-ebpf-includes parameter

Gbp-Pq: Name with-ebpf-includes.patch

12 months agoconfigure: Introduce CLANG variable
Hilko Bengen [Tue, 22 Jan 2019 17:10:47 +0000 (18:10 +0100)]
configure: Introduce CLANG variable

Gbp-Pq: Name configure-clang-variable.patch

12 months agodo not clean vendor directory on distclean
Sascha Steinbiss [Tue, 18 Mar 2025 17:15:01 +0000 (18:15 +0100)]
do not clean vendor directory on distclean

Last-Update: 2018-12-26

dh_auto_clean calls make distclean, which in the case of Suricata also
removes the vendor directory. This breaks repeated builds.

Gbp-Pq: Name fix-repeated-builds.patch

12 months agoDon't use __USE_GNU
Adrian Bunk [Tue, 18 Mar 2025 17:15:01 +0000 (18:15 +0100)]
Don't use __USE_GNU

__USE_GNU is a glibc-internal symbol.
AC_USE_SYSTEM_EXTENSIONS is the proper autoconf
way to enable extensions.

Gbp-Pq: Name no-use-gnu.patch

12 months agocross
Pierre Chifflier [Tue, 18 Mar 2025 17:15:01 +0000 (18:15 +0100)]
cross

Gbp-Pq: Name cross.patch

12 months agoDebian default configuration This patch sets Debian defaults for suricata configurati...
Arturo Borrero Gonzalez [Tue, 18 Mar 2025 17:15:01 +0000 (18:15 +0100)]
Debian default configuration

This patch sets Debian defaults for suricata configuration.

Currently, it sets a proper path for suricata unix socket.

Forwarded: not-needed
Last-Update: 2016-12-01

Gbp-Pq: Name debian-default-cfg.patch

12 months agoPatch to make the suricata build reproducible This patch makes some changes to the...
Arturo Borrero Gonzalez [Tue, 18 Mar 2025 17:15:01 +0000 (18:15 +0100)]
Patch to make the suricata build reproducible

This patch makes some changes to the suricata build to make it reproducible.

Currently, it only filters out the -fdebug-prefix-map CFLAG which embeds the build path.

Forwarded: not-needed
Last-Update: 2016-09-05

Gbp-Pq: Name reproducible.patch

12 months agosuricata (1:7.0.9-1) unstable; urgency=medium
Sascha Steinbiss [Tue, 18 Mar 2025 17:15:01 +0000 (18:15 +0100)]
suricata (1:7.0.9-1) unstable; urgency=medium

  * New upstream release.
  * Bump versioned libhtp dependency to 0.5.50 or later.

[dgit import unpatched suricata 1:7.0.9-1]

12 months agoImport suricata_7.0.9.orig.tar.xz
Sascha Steinbiss [Tue, 18 Mar 2025 17:15:01 +0000 (18:15 +0100)]
Import suricata_7.0.9.orig.tar.xz

[dgit import orig suricata_7.0.9.orig.tar.xz]

12 months agoImport suricata_7.0.9-1.debian.tar.xz
Sascha Steinbiss [Tue, 18 Mar 2025 17:15:01 +0000 (18:15 +0100)]
Import suricata_7.0.9-1.debian.tar.xz

[dgit import tarball suricata 1:7.0.9-1 suricata_7.0.9-1.debian.tar.xz]

12 months agoMerge suricata (1:7.0.8-2) import into refs/heads/workingbranch
Sascha Steinbiss [Sat, 15 Mar 2025 13:37:24 +0000 (14:37 +0100)]
Merge suricata (1:7.0.8-2) import into refs/heads/workingbranch

12 months agollc
Pierre Chifflier [Sat, 15 Mar 2025 13:37:24 +0000 (14:37 +0100)]
llc

Gbp-Pq: Name llc.patch

12 months ago[PATCH] ebpf: avoid to include if_tunnel.h
Eric Leblond [Thu, 31 Oct 2019 12:29:56 +0000 (13:29 +0100)]
[PATCH] ebpf: avoid to include if_tunnel.h

This is causing a dependency issue as file from another architecture
have to be installed.

Gbp-Pq: Name avoid-to-include-if_tunnel-h.patch

12 months ago[PATCH] af-packet: fix build on recent Linux kernels
Eric Leblond [Wed, 17 Jul 2019 10:35:12 +0000 (12:35 +0200)]
[PATCH] af-packet: fix build on recent Linux kernels

Gbp-Pq: Name import-sockio-h.patch

12 months agoAdd --with-ebpf-includes parameter
Hilko Bengen [Tue, 23 Jul 2019 12:43:21 +0000 (14:43 +0200)]
Add --with-ebpf-includes parameter

Gbp-Pq: Name with-ebpf-includes.patch