Suricata before 3.2.1 has an IPv4 defragmentation evasion issue caused by
lack of a check for the IP protocol during fragment matching.
In Suricata before 4.x, it was possible to trigger lots of redundant checks
on the content of crafted network traffic with a certain signature, because
of DetectEngineContentInspection in detect-engine-content-inspection.c. The
search engine doesn't stop when it should after no match is found; instead,
it stops only upon reaching inspection-recursion-limit (3000 by default).
@Maintainer after the bump please let us know when tree is clean.
Why there has been no progress on the issue? There have been few suricata versions available since than. I am running successfully suricata-3.2.5 with a simple bump of an ebuild and configuration files yet package in Gentoo has not been updated since 3.2-r1 released in July...
Sorry for a delay.
I've pushed latest available version - 4.0.3
@maintainer, please cleanup the vulnerable versions.
old versions cleared
(In reply to Sławek Lis from comment #5)
> old versions cleared
Thank you, Slawek!