File suricata.changes of Package suricata

-------------------------------------------------------------------
Tue Apr 28 17:51:33 UTC 2020 - Martin Hauke <mardnh@gmx.de>

- Switch to python3
- Update to version 4.1.8
  * Bug #3492: Backport 4 BUG_ON(strcasecmp(str, "any") in
    DetectAddressParseString
  * Bug #3508: rule parsing: memory leaks
  * Bug #3527: 4.1.x Kerberos vulnerable to TCP splitting evasion
  * Bug #3533: Skip over ERF_TYPE_META records
  * Bug #3551: file logging: complete files sometimes marked
    ‘TRUNCATED’
  * Bug #3572: rust: smb compile warnings
  * Bug #3579: Faulty signature with two threshold keywords does
    not generate an error and never match
  * Bug #3581: random failures on sip and http-evader
    suricata-verify tests
  * Bug #3596: ftp: asan detects leaks of expectations
  * Bug #3599: rules: memory leaks in pktvar keyword
  * Bug #3601: rules: bad address block leads to stack exhaustion
  * Bug #3603: rules: crash on ‘internal’-only keywords
  * Bug #3605: rules: missing ‘consumption’ of transforms
    before pkt_data would lead to crash
  * Bug #3607: rules: minor memory leak involving
    pcre_get_substring
  * Bug #3608: ssl/tls: ASAN issue in SSLv3ParseHandshakeType
  * Bug #3611: defrag: asan issue
  * Bug #3633: file-store.stream-depth not working as expected
    when configured to a specific value (4.1.x)
  * Bug #3645: Invalid memory read on malformed rule with Lua
    script
  * Bug #3647: rules: memory leaks on failed rules
  * Bug #3648: CIDR Parsing Issue
  * Bug #3650: FTP response buffering against TCP stream
  * Bug #3652: Recursion stack-overflow in parsing YAML
    configuration
  * Bug #3659: Multiple DetectEngineReload and bad insertion
    into linked list lead to buffer overflow
  * Bug #3666: FTP: Incorrect ftp_memuse calculation.
  * Bug #3668: Signature with an IP range creates one
    IPOnlyCIDRItem by single IP address
  * Bug #3671: Protocol detection evasion by packet splitting
  * Bug #3676: Segfault on SMTP TLS
  * Feature #3482: GRE ERSPAN Type 1 Support
  * Task #3479: libhtp 0.5.33 (4.1.x)
  * Task #3513: SMTP should place restraints on variable length
    items (e.g., filenames)

-------------------------------------------------------------------
Wed Feb 19 20:27:13 UTC 2020 - Martin Hauke <mardnh@gmx.de>

- Update to 4.1.7
  * Bug #3417: --disable-geoip does not work
  * Bug #3448: Suricata 4.1 Seg Fault: Socket Control pcap-file
    and corrupt pcap
  * Bug #3452: smb: post-GAP file tx handling
  * Bug #3453: coverity: CID 1456680: Incorrect expression
    (IDENTICAL_BRANCHES)
  * Bug #3470: gcc10: compilation failure unless -fcommon is
    supplied
  * Bug #3471: nfs: post-GAP some transactions never close
  * Bug #3472: nfs: post-GAP file tx handling
  * Bug #3474: Dropping privileges does not work with NFLOG
- Update to 4.1.6
  * Bug #3276: address parsing: memory leak in error path
  * Bug #3278: segfault when test a nfs pcap file
  * Bug #3279: ikev2 enabled in config even if Rust is disabled
  * Bug #3325: lua issues on arm (fedora:29)
  * Bug #3326: Static build with pcap fails
  * Bug #3327: tcp: empty SACK option leads to decoder event
  * Bug #3347: BPF filter on command line not honored for pcap
    file
  * Bug #3355: DNS: DNS over TCP transactions logged with wrong
    direction.
  * Bug #3356: DHCP: Slow down over time due to lack of detect
    flags
  * Bug #3369: byte_extract does not work in some situations
  * Bug #3385: fast-log: icmp type prints wrong value
  * Bug #3387: suricata is logging tls log repeatedly if custom
    mode is enabled
  * Bug #3388: TLS Lua output does not work without TLS log
  * Bug #3391: Suricata is unable to get MTU from NIC after
  * Bug #3393: http: pipelining tx id handling broken
  * Bug #3394: TCP evasion technique by overlapping a TCP segment
    with a fake packet
  * Bug #3395: TCP evasion technique by faking a closed TCP session
  * Bug #3402: smb: post-GAP some transactions never close
  * Bug #3403: smb1: ‘event only’ transactions for bad requests
    never close
  * Bug #3404: smtp: file tracking issues when more than one
    attachment in a tx
  * Bug #3405: Filehash rule does not fire without filestore
    keyword
  * Bug #3410: intermittent abort()s at shutdown and in unix-socket
  * Bug #3412: detect/asn1: crashes on packets smaller than offset
    setting
  * Task #3367: configure: Rust 1.37+ has cargo-vendor support
    bundled into cargo
  * Bundle Suricata-Update 1.0.6
  * Bundle Libhtp 0.5.32

-------------------------------------------------------------------
Tue Oct 22 09:24:31 UTC 2019 - Lars Vogdt <lars@linux-schulserver.de>

- Update to 4.1.5
  * Feature #3068: protocol parser: vxlan (4.1.x)
  * Bug #2841: False positive alerts firing after upgrade suricata 3.0 -> 4.1.0 (4.1.x)
  * Bug #2966: filestore (v1 and v2): dropping of “unwanted” files (4.1.x)
  * Bug #3008: rust: updated libc crate causes deprecation warnings (4.1.x)
  * Bug #3044: tftp: missing logs because of broken tx handling (4.1.x)
  * Bug #3067: GeoIP keyword depends on now discontinued legacy GeoIP database (4.1.x)
  * Bug #3094: Fedora rawhide af-packet compilation err (4.1.x)
  * Bug #3123: bypass keyword: Suricata 4.1.x Segmentation Faults (4.1.x)
  * Bug #3129: Fixes warning about size of integers in string formats (4.1.x)
  * Bug #3159: SC_ERR_PCAP_DISPATCH with message “error code -2” upon rule reload completion (4.1.x)
  * Bug #3164: Suricata 4.1.4: NSS Shutdown triggers crashes in test mode
  * Bug #3168: tls: out of bounds read
  * Bug #3170: defrag: out of bounds read
  * Bug #3173: ipv4: ts field decoding oob read
  * Bug #3175: File_data inspection depth while inspecting base64 decoded data (4.1.x)
  * Bug #3184: decode/der: crafted input can lead to resource starvation
  * Bug #3186: Multiple Content-Length headers causes HTP_STREAM_ERROR (4.1.x)
  * Bug #3187: GET/POST HTTP-request with no Content-Length, http_client_body miss (4.1.x)
- build with lz4 and lzma support, especially to enable compression
- require python-yaml during build, which results in suricata-update
  getting built and installed. This allows updating local
  Suricata rules
- package /var/log/suricata directory instead of creating it during 
  post-installation of the package

-------------------------------------------------------------------
Tue May 14 09:35:39 UTC 2019 - Robert Frohl <rfrohl@suse.com>

- Update to version 4.1.4
  * CVE-2019-10053: ssh: heap buffer overflow (boo#1134993)
  * CVE-2019-10050: mpls: heap buffer overflow in file decode-mpls.c (boo#1134991)
  * decode-ethernet: heap buffer overflow in file decode-ethernet.c
  * smb 1 create andx request does not parse the filename correctly
  * rust/dhcp: panic in dhcp parser
  * mpls: cast of misaligned data leads to undefined behavior
  * rust/ftp: panic in ftp parser
  * rust/nfs: integer underflow
  * This release includes Suricata-Update 1.0.5

-------------------------------------------------------------------
Thu Mar  7 21:31:14 UTC 2019 - Martin Hauke <mardnh@gmx.de>

- Update to version 4.0.7
  * Failed Assertion, Suricata Abort - util-mpm-hs.c line 163
  * unix runmode deadlock when using too many threads
  * rule reload with workers mode and NFQUEUE not working stable
  * TCP FIN/ACK, RST/ACK in HTTP - detection bypass
  * afpacket doesn't wait for all capture threads to start
  * DNS Golden Transaction ID - detection bypass
  * Invalid detect-engine config could lead to segfault
  * suricata.c ConfigGetCaptureValue - PCAP/AFP fallthrough to
    strip_trailing_plus
  * Stats interval are 1 second too early each tick
  * rust/dns/lua - The Lua calls for DNS values when using Rust
    don't behave the same as the C implementation.
  * out of bounds read in detection
  * smtp: improve pipelining support

-------------------------------------------------------------------
Sun Dec 16 19:44:13 UTC 2018 - mardnh@gmx.de

- Use pkg-config style build dependencies
- Build with support for Hyperscan
- Add systemd service file
- Add logrotate configuration file
- Update to version 4.0.6
  * smtp segmentation fault (4.0.x)
  * negated fileext and filename do not work as expected (4.0.x)
  * filemd5 is not fired in some cases when there are invalid packets
  * File descriptor leak in af-packet mode (4.0.x)
  * Improve errors handling in AF_PACKET (4.0.x)
  * Support http events - Weird unicode characters and truncation in
    some of http_method/http_user_agent fields.

-------------------------------------------------------------------
Tue Jul 24 11:52:06 UTC 2018 - kbabioch@suse.com

- Applied spec-cleaner
- Removed gpg-offline, since we have GPG source validation by default now 
- Update to 4.0.5
  - Bug fixes
  - Private Suricata stops inspecting TCP stream if a TCP RST was met (4.0.x)
    (CVE-2018-14568 bsc#1102334)

-------------------------------------------------------------------
Tue Oct  4 23:06:57 UTC 2016 - Greg.Freemyer@gmail.com

- update to v3.1.2
- Fixed an issue with the handling of ICMPv4 error packets (CVE-2016-10728 bsc#1102402)
- build with libprelude support
- use libnetfilter_queue, libnfnetlink from the Factory repo instead of 5 year old versions
- use libhtp from server:monitoring
- run through spec-cleaner
- Still don't have man pages or user manual in the RPM
   - http://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_User_Guide
- change license to GPL-2.0

-------------------------------------------------------------------
Fri Feb 12 08:28:27 UTC 2016 - christoph@stop.pe

- Initial release