Bug 925747 (CVE-2024-23835, CVE-2024-23836, CVE-2024-23839, CVE-2024-24568) - <net-analyzer/suricata-7.0.3: multiple vulnerabilities
Summary: <net-analyzer/suricata-7.0.3: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2024-23835, CVE-2024-23836, CVE-2024-23839, CVE-2024-24568
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Marek Szuba
Whiteboard: ~3 [noglsa]
Reported: 2024-02-29 10:04 UTC by Marek Szuba
Modified: 2024-03-01 05:09 UTC
Runtime testing required: ---

Description: Marek Szuba (archtester, gentoo-dev), 2024-02-29 10:04:02 UTC
1. Suricata:

* CVE-2024-23839 - Critical severity

Specially crafted traffic can cause a heap use after free if the ruleset uses the http.request_header or http.response_header keyword.

* CVE-2024-23836 - Critical severity

An attacker can craft traffic to cause Suricata to use far more CPU and memory for processing the traffic than needed, which can lead to extreme slowdowns and denial of service.

* CVE-2024-23835 - High severity

Excessive memory use during pgsql parsing could lead to OOM-related crashes.

* CVE-2024-24568 - Moderate severity

Rules inspecting HTTP2 headers can get bypassed by crafted traffic.


2. libHTP (which we package separately but which also comes bundled with Suricata tarballs):

* CVE-2024-23837 - Critical severity

Crafted traffic can cause excessive processing time of HTTP headers, leading to denial of service.

* * *

No vulnerable version of either package left in the tree.
Comment 1: John Helmert III (archtester, Gentoo Infrastructure, gentoo-dev, Security), 2024-03-01 05:06:21 UTC
Thanks for reporting. Please separate unique packages into unique bugs when there's no intersection between the sets of vulnerabilities for each package.