
Bug 925747 (CVE-2024-23835, CVE-2024-23836, CVE-2024-23839, CVE-2024-24568)

Summary: <net-analyzer/suricata-7.0.3: multiple vulnerabilities
Product: Gentoo Security
Reporter: Marek Szuba (RETIRED) <marecki>
Component: Vulnerabilities
Assignee: Marek Szuba (RETIRED) <marecki>
Status: RESOLVED FIXED
Severity: trivial
CC: ajak
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=925887
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description Marek Szuba (RETIRED) archtester gentoo-dev 2024-02-29 10:04:02 UTC
1. Suricata:

* CVE-2024-23839 - Critical severity

Specially crafted traffic can cause a heap use after free if the ruleset uses the http.request_header or http.response_header keyword.

* CVE-2024-23836 - Critical severity

An attacker can craft traffic to cause Suricata to use far more CPU and memory for processing the traffic than needed, which can lead to extreme slowdowns and denial of service.

* CVE-2024-23835 - High severity

Excessive memory use during pgsql parsing could lead to OOM-related crashes.

* CVE-2024-24568 - Moderate severity

Rules inspecting HTTP2 headers can get bypassed by crafted traffic.
2. libHTP (which we package separately but which also comes bundled with Suricata tarballs):

* CVE-2024-23837 - Critical severity

Crafted traffic can cause excessive processing time of HTTP headers, leading to denial of service.

* * *

No vulnerable version of either package left in the tree.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2024-03-01 05:06:21 UTC
Thanks for reporting. Please separate unique packages into unique bugs when there's no intersection between the sets of vulnerabilities for each package.