CVE-2024-37151: Mishandling of multiple fragmented packets using the same IP ID value can lead to packet reassembly failure, which can lead to policy bypass.
CVE-2024-38534: Crafted modbus traffic can lead to unlimited resource accumulation within a flow.
CVE-2024-38535: Suricata can run out of memory when parsing crafted HTTP/2 traffic.
CVE-2024-38536: A memory allocation failure due to `http.memcap` being reached leads to a NULL-ptr reference leading to a crash.

My PR

I have created a pull request adding 7.0.6, which is said to be safe from those: https://github.com/gentoo/gentoo/pull/38398
As of yesterday evening Suricata is now at version 7.0.8, with further CVEs addressed (source: https://forum.suricata.io/t/suricata-7-0-7-released/, https://forum.suricata.io/t/suricata-7-0-8-released/) since Filip's initial report:

CVE-2024-47187: CRITICAL datasets: missing hashtable random seed leads to potential DoS
CVE-2024-47188: CRITICAL http/byte-ranges: missing hashtable random seed leads to potential DoS
CVE-2024-47522: HIGH ja4: invalid alpn leads to panic
CVE-2024-45795: HIGH detect/datasets: reachable assertion with unimplemented rule option
CVE-2024-45796: HIGH defrag: off by one can lead to policy bypass
CVE-2024-55605: CRITICAL Presently undisclosed
CVE-2024-55626: LOW Presently undisclosed
CVE-2024-55627: CRITICAL Presently undisclosed
CVE-2024-55628: HIGH Presently undisclosed
CVE-2024-55629: HIGH Presently undisclosed

As far as I can see the only thing requiring changing in the existing ebuild will be the minimal supported version of net-libs/libhtp to >=0.5.49.

Speaking of libhtp, 0.5.49 addresses the following:

CVE-2024-45797: CRITICAL unbounded header handling leads to denial of service

and the version bump should be trivial.

BTW, suricata-7.0.7 and up appear to no longer suffer from Bug #937826 / #940295.
I've reset the whiteboard given that some of the bugs are still undisclosed.