| Summary: | net-analyzer/suricata: multiple vulnerabilities | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Filip Kobierski <fkobi> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | UNCONFIRMED --- | | |
| Severity: | normal | CC: | maintainer-needed, marek.szuba |
| Priority: | Normal | Keywords: | PullRequest |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://forum.suricata.io/t/suricata-7-0-6-and-6-0-20-released/4728 | | |
| Whiteboard: | ?? [ebuild] | | |
| Package list: | | Runtime testing required: | --- |
Description
Filip Kobierski
2024-09-04 12:49:12 UTC
As of yesterday evening Suricata is now at version 7.0.8, with further CVEs addressed (source: https://forum.suricata.io/t/suricata-7-0-7-released/, https://forum.suricata.io/t/suricata-7-0-8-released/) since Filip's initial report:

- CVE-2024-47187: CRITICAL datasets: missing hashtable random seed leads to potential DoS
- CVE-2024-47188: CRITICAL http/byte-ranges: missing hashtable random seed leads to potential DoS
- CVE-2024-47522: HIGH ja4: invalid alpn leads to panic
- CVE-2024-45795: HIGH detect/datasets: reachable assertion with unimplemented rule option
- CVE-2024-45796: HIGH defrag: off by one can lead to policy bypass
- CVE-2024-55605: CRITICAL Presently undisclosed
- CVE-2024-55626: LOW Presently undisclosed
- CVE-2024-55627: CRITICAL Presently undisclosed
- CVE-2024-55628: HIGH Presently undisclosed
- CVE-2024-55629: HIGH Presently undisclosed

As far as I can see, the only thing requiring changing in the existing ebuild will be the minimal supported version of net-libs/libhtp to >=0.5.49.

Speaking of libhtp, 0.5.49 addresses the following:

- CVE-2024-45797: CRITICAL unbounded header handling leads to denial of service

and the version bump should be trivial.

BTW, suricata-7.0.7 and up appear to no longer suffer from Bug #937826 / #940295.

I've reset the whiteboard given that some of the bugs are still undisclosed.