From the upstream release notes for 7.0.5, edited to remove mentions of the 6.0.x series (which we haven't had in the tree for a long time): "CVE IDs Addressed CVE-2024-32663 CRITICAL CVE-2024-32664 HIGH CVE-2024-32867 MODERATE" 7.0.5 pushed, no vulnerable versions left in the tree.
Also, gentle reminder about Bug #918589 still being open!
It looks like there is no information available for these security issues yet. This means we can't make a severity assessment for now.
CVE-2024-32663 (https://github.com/OISF/suricata/security/advisories/GHSA-9jxm-qw9v-266r): Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, a small amount of HTTP/2 traffic can lead to Suricata using a large amount of memory. The issue has been addressed in Suricata 7.0.5 and 6.0.19. Workarounds include disabling the HTTP/2 parser and reducing `app-layer.protocols.http2.max-table-size` value (default is 65536). CVE-2024-32664 (https://github.com/OISF/suricata/security/advisories/GHSA-79vh-hpwq-3jh7): Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, specially crafted traffic or datasets can cause a limited buffer overflow. This vulnerability is fixed in 7.0.5 and 6.0.19. Workarounds include not use rules with `base64_decode` keyword with `bytes` option with value 1, 2 or 5 and for 7.0.x, setting `app-layer.protocols.smtp.mime.body-md5` to false. CVE-2024-32867 (https://github.com/OISF/suricata/security/advisories/GHSA-xvrx-88mv-xcq5): Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, various problems in handling of fragmentation anomalies can lead to mis-detection of rules and policy. This vulnerability is fixed in 7.0.5 or 6.0.19.
