Bug 635662 (CVE-2017-15377, CVE-2017-7177) - <net-analyzer/suricata-4.0.3: Multiple vulnerabilities
Summary: <net-analyzer/suricata-4.0.3: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-15377, CVE-2017-7177
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-10-28 08:05 UTC by GLSAMaker/CVETool Bot
Modified: 2018-01-24 18:26 UTC (History)
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Attachments

Description GLSAMaker/CVETool Bot gentoo-dev 2017-10-28 08:05:38 UTC
CVE-2017-7177 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-7177):
  Suricata before 3.2.1 has an IPv4 defragmentation evasion issue caused by
  lack of a check for the IP protocol during fragment matching.

CVE-2017-15377 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15377):
  In Suricata before 4.x, it was possible to trigger lots of redundant checks
  on the content of crafted network traffic with a certain signature, because
  of DetectEngineContentInspection in detect-engine-content-inspection.c. The
  search engine doesn't stop when it should after no match is found; instead,
  it stops only upon reaching inspection-recursion-limit (3000 by default).
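The fragment-matching issue in CVE-2017-7177, as an added example that is not part of the bug report or of Suricata's code: a minimal IPv4 reassembler whose tracker key can be built with or without the IP protocol. RFC 791 identifies a datagram's fragments by (source, destination, protocol, identification); when the protocol is left out, two datagrams that share an IP ID are merged, so the sensor reassembles and inspects a different payload than the target host does. The addresses, IP ID, payloads and the "../../etc/passwd" signature are constructed for the demo.

```python
"""IPv4 fragment reassembly with and without the IP protocol in the tracker key.

Added example, not Suricata code: it models the bug class described for
CVE-2017-7177 (fragments matched without checking the IP protocol) with a
deliberately minimal reassembler. RFC 791 identifies a datagram's fragments by
(source, destination, protocol, identification); dropping the protocol lets two
different datagrams that share an IP ID be merged. Hosts, addresses and payloads
below are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

TCP, UDP = 6, 17


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    ip_id: int
    proto: int
    offset: int      # byte offset of this piece in the original datagram
    more: bool       # IP "More Fragments" flag
    payload: bytes


def _assemble(parts: Dict[int, Fragment]):
    """Return the datagram payload once `parts` (offset -> fragment) covers
    offset 0 contiguously up to a fragment with MF=0, else None."""
    pos, data = 0, b""
    while pos in parts:
        frag = parts[pos]
        data += frag.payload
        if not frag.more:
            return data
        pos += len(frag.payload)
    return None


def reassemble(frags: List[Fragment], check_proto: bool) -> List[Tuple[int, bytes]]:
    """Feed fragments in arrival order and return the completed datagrams as
    (proto, payload). check_proto=False keys trackers on (src, dst, id) only,
    the vulnerable behaviour; True adds the protocol as RFC 791 requires."""
    trackers: Dict[tuple, Dict[int, Fragment]] = {}
    done = []
    for frag in frags:
        key = (frag.src, frag.dst, frag.ip_id) + ((frag.proto,) if check_proto else ())
        parts = trackers.setdefault(key, {})
        parts.setdefault(frag.offset, frag)       # first fragment seen at an offset wins
        data = _assemble(parts)
        if data is not None:
            done.append((parts[0].proto, data))   # proto reported from the first fragment
            del trackers[key]                     # tracker released once complete
    return done


SIGNATURE = b"../../etc/passwd"    # what the (constructed) IDS rule looks for


def alerts(datagrams: List[Tuple[int, bytes]]) -> List[bytes]:
    return [payload for _, payload in datagrams if SIGNATURE in payload]


# Constructed attack stream: all three fragments share IP ID 7. The UDP fragment is
# a decoy that completes the TCP datagram in a protocol-blind tracker; the real TCP
# tail, carrying the traversal, arrives afterwards. Offsets are multiples of 8 as
# IPv4 fragmentation requires (the first payload is exactly 24 bytes).
STREAM = [
    Fragment("10.0.0.9", "10.0.0.5", 7, TCP, 0, True, b"GET /app/download.php?f="),
    Fragment("10.0.0.9", "10.0.0.5", 7, UDP, 24, False, b"readme.txt HTTP/1.0\r\n"),
    Fragment("10.0.0.9", "10.0.0.5", 7, TCP, 24, False, b"../../etc/passwd HTTP/1.0\r\n"),
]


def compare():
    """Return what a protocol-blind sensor, a fixed sensor, and the TCP stack on
    the target host each reassemble from STREAM."""
    return {
        "ids_vulnerable": reassemble(STREAM, check_proto=False),
        "ids_fixed": reassemble(STREAM, check_proto=True),
        # the host's TCP stack only ever sees the TCP fragments as one datagram
        "host": reassemble([f for f in STREAM if f.proto == TCP], check_proto=True),
    }


if __name__ == "__main__":
    for who, datagrams in compare().items():
        print(who, [p for _, p in datagrams], "alerts:", len(alerts(datagrams)))
```

In the protocol-blind run the UDP decoy completes the tracker, the sensor inspects a benign request, and the real TCP tail is orphaned and never inspected; with the protocol in the key the sensor reassembles the same request the host does and the signature fires.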
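The redundant-inspection issue in CVE-2017-15377, as an added example that is not part of the bug report or of Suricata's code: a simplified model of matching a signature with several `content` keywords, where a later content is searched relative to an earlier one (honouring `distance` and `within`) and the engine retries at later occurrences of the earlier content when the later one fails. The vulnerable variant keeps retrying even after the later content has been shown to be absent from the rest of the buffer, stopping only at the recursion limit (3000, the default the advisory cites). The early-stop condition used here is one sufficient condition, assumed for this model, not the project's exact patch; the rule and buffers are constructed.

```python
"""Model of multi-content signature inspection with a recursion limit.

Added example, not Suricata code: a simplified model of the behaviour described
for CVE-2017-15377. `distance`/`within` semantics are simplified, and the
early-stop condition is an assumption of this model, not the project's patch.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MATCH, RETRY, STOP = 1, 0, -1   # RETRY: a later occurrence of the previous content may still match


@dataclass(frozen=True)
class Content:
    pattern: bytes
    distance: int = 0               # may start no earlier than prev_end + distance
    within: Optional[int] = None    # must end no later than prev_end + within


@dataclass
class State:
    limit: int = 3000       # models inspection-recursion-limit
    early_stop: bool = True
    depth: int = 0          # recursion budget used
    searches: int = 0       # byte searches performed: the work an attacker can inflate


def _find(st: State, buf: bytes, pattern: bytes, lo: int) -> int:
    st.searches += 1
    return buf.find(pattern, lo)


def inspect(buf: bytes, contents: List[Content], idx: int, prev_end: int, st: State) -> int:
    if idx == len(contents):
        return MATCH
    c = contents[idx]
    pos = _find(st, buf, c.pattern, prev_end + c.distance)
    if pos == -1:
        # Absent from the remaining buffer. Any later occurrence of the previous
        # content only moves prev_end forward, so no retry can succeed.
        return STOP
    while pos != -1:
        end = pos + len(c.pattern)
        if c.within is not None and end > prev_end + c.within:
            return RETRY        # first occurrence is already past the window
        st.depth += 1
        if st.depth > st.limit:
            return STOP
        result = inspect(buf, contents, idx + 1, end, st)
        if result == MATCH:
            return MATCH
        if result == STOP and st.early_stop:
            return STOP         # fixed path: a definitive no-match ends the search
        # vulnerable path (or a legitimate RETRY): try the next occurrence of this content
        pos = _find(st, buf, c.pattern, pos + 1)
    return RETRY


def match(buf: bytes, contents: List[Content], early_stop: bool = True,
          limit: int = 3000) -> Tuple[bool, int]:
    """Return (matched, number of searches performed)."""
    st = State(limit=limit, early_stop=early_stop)
    return inspect(buf, contents, 0, 0, st) == MATCH, st.searches


# Constructed inputs.
RULE = [Content(b"A"), Content(b"B", distance=0)]          # like content:"A"; content:"B"; distance:0;
CRAFTED = b"A" * 4000                                     # thousands of "A", no "B" at all
LEGIT_RULE = [Content(b"A"), Content(b"B", distance=0, within=2)]
LEGIT = b"AxxxxxAxB"                                       # only the second "A" has "B" within 2 bytes

if __name__ == "__main__":
    print("vulnerable:", match(CRAFTED, RULE, early_stop=False))   # (False, 6001)
    print("fixed:", match(CRAFTED, RULE))                           # (False, 2)
    print("legit retry:", match(LEGIT, LEGIT_RULE))                 # (True, 4)
```

On the crafted buffer the vulnerable path performs one search per "A" until the 3000-deep budget is exhausted, while the fixed path gives up after a single failed search for "B"; the `within` case shows that retrying at a later occurrence is still done where it can legitimately produce a match.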
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-28 08:06:44 UTC
@Maintainer, after the bump please let us know when the tree is clean. 

Thank you
Comment 2 Wojciech Myrda 2018-01-23 09:05:21 UTC
Why has there been no progress on this issue? There have been a few suricata versions available since then. I am successfully running suricata-3.2.5 with a simple bump of the ebuild and configuration files, yet the package in Gentoo has not been updated since 3.2-r1, released in July...
Comment 3 Sławek Lis (RETIRED) gentoo-dev 2018-01-23 09:16:56 UTC
Sorry for a delay.
I've pushed the latest available version - 4.0.3
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2018-01-23 20:48:19 UTC
@maintainer, please cleanup the vulnerable versions.
Comment 5 Sławek Lis (RETIRED) gentoo-dev 2018-01-24 16:32:45 UTC
old versions cleared
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2018-01-24 18:26:31 UTC
(In reply to Sławek Lis from comment #5)
> old versions cleared

Thank you, Slawek!