
Bug 635662 (CVE-2017-15377, CVE-2017-7177)

Summary: <net-analyzer/suricata-4.0.3: Multiple vulnerabilities
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: slis
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~3 [noglsa cve]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2017-10-28 08:05:38 UTC
CVE-2017-7177 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7177):
  Suricata before 3.2.1 has an IPv4 defragmentation evasion issue caused by
  lack of a check for the IP protocol during fragment matching.

CVE-2017-15377 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15377):
  In Suricata before 4.x, it was possible to trigger lots of redundant checks
  on the content of crafted network traffic with a certain signature, because
  of DetectEngineContentInspection in detect-engine-content-inspection.c. The
  search engine doesn't stop when it should after no match is found; instead,
  it stops only upon reaching inspection-recursion-limit (3000 by default).
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-28 08:06:44 UTC
@Maintainer, after the bump please let us know when the tree is clean.

Thank you
Comment 2 Wojciech Myrda 2018-01-23 09:05:21 UTC
Why has there been no progress on this issue? There have been a few Suricata versions available since then. I am successfully running suricata-3.2.5 with a simple bump of the ebuild and configuration files, yet the package in Gentoo has not been updated since 3.2-r1, released in July...
Comment 3 Sławek Lis (RETIRED) gentoo-dev 2018-01-23 09:16:56 UTC
Sorry for the delay.
I've pushed the latest available version, 4.0.3.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2018-01-23 20:48:19 UTC
@maintainer, please clean up the vulnerable versions.
Comment 5 Sławek Lis (RETIRED) gentoo-dev 2018-01-24 16:32:45 UTC
Old versions cleared.
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2018-01-24 18:26:31 UTC
(In reply to Sławek Lis from comment #5)
> old versions cleared

Thank you, Slawek!