suricata - Debian Package Tracker

general

source: suricata (main)
version: 1:7.0.1-1
maintainer: Pierre Chifflier (DMD)
uploaders: Sascha Steinbiss [DMD]
std-ver: 4.6.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1:4.1.2-2+deb10u1
o-o-bpo: 1:6.0.1-2~bpo10+1
oldstable: 1:6.0.1-3
old-bpo: 1:6.0.10-1~bpo11+1
stable: 1:6.0.10-1
testing: 1:7.0.1-1
unstable: 1:7.0.1-1

versioned links

1:4.1.2-2+deb10u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:6.0.1-2~bpo10+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:6.0.1-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:6.0.10-1~bpo11+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:6.0.10-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:7.0.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

suricata (3 bugs: 0, 3, 0, 0)

action needed

18 security issues in buster high

There are 18 open security issues in buster.

2 important issues:

CVE-2023-35852: In Suricata before 6.0.13 (when there is an adversary who controls an external source of rules), a dataset filename, that comes from a rule, may trigger absolute or relative directory traversal, and lead to write access to a local filesystem. This is addressed in 6.0.13 by requiring allow-absolute-filenames and allow-write (in the datasets rules configuration section) if an installation requires traversal/writing in this situation.
CVE-2023-35853: In Suricata before 6.0.13, an adversary who controls an external source of Lua rules may be able to execute Lua code. This is addressed in 6.0.13 by disabling Lua unless allow-rules is true in the security lua configuration section.

16 issues postponed or untriaged:

CVE-2019-10050: (needs triaging) A buffer over-read issue was discovered in Suricata 4.1.x before 4.1.4. If the input of the decode-mpls.c function DecodeMPLS is composed only of a packet of source address and destination address plus the correct type field and the right number for shim, an attacker can manipulate the control flow, such that the condition to leave the loop is true. After leaving the loop, the network packet has a length of 2 bytes. There is no validation of this length. Later on, the code tries to read at an empty position, leading to a crash.
CVE-2019-10051: (needs triaging) An issue was discovered in Suricata 4.1.3. If the function filetracker_newchunk encounters an unsafe "Some(sfcm) => { ft.new_chunk }" item, then the program enters an smb/files.rs error condition and crashes.
CVE-2019-10052: (needs triaging) An issue was discovered in Suricata 4.1.3. If the network packet does not have the right length, the parser tries to access a part of a DHCP packet. At this point, the Rust environment runs into a panic in parse_clientid_option in the dhcp/parser.rs file.
CVE-2019-10053: (needs triaging) An issue was discovered in Suricata 4.1.x before 4.1.4. If the input of the function SSHParseBanner is composed only of a \n character, then the program runs into a heap-based buffer over-read. This occurs because the erroneous search for \r results in an integer underflow.
CVE-2019-10054: (needs triaging) An issue was discovered in Suricata 4.1.3. The function process_reply_record_v3 lacks a check for the length of reply.data. It causes an invalid memory access and the program crashes within the nfs/nfs3.rs file.
CVE-2019-10055: (needs triaging) An issue was discovered in Suricata 4.1.3. The function ftp_pasv_response lacks a check for the length of part1 and part2, leading to a crash within the ftp/mod.rs file.
CVE-2019-10056: (needs triaging) An issue was discovered in Suricata 4.1.3. The code mishandles the case of sending a network packet with the right type, such that the function DecodeEthernet in decode-ethernet.c is executed a second time. At this point, the algorithm cuts the first part of the packet and doesn't determine the current length. Specifically, if the packet is exactly 28 long, in the first iteration it subtracts 14 bytes. Then, it is working with a packet length of 14. At this point, the case distinction says it is a valid packet. After that it casts the packet, but this packet has no type, and the program crashes at the type case distinction.
CVE-2019-15699: (needs triaging) An issue was discovered in app-layer-ssl.c in Suricata 4.1.4. Upon receiving a corrupted SSLv3 (TLS 1.2) packet, the parser function TLSDecodeHSHelloExtensions tries to access a memory region that is not allocated, because the expected length of HSHelloExtensions does not match the real length of the HSHelloExtensions part of the packet.
CVE-2019-16410: (needs triaging) An issue was discovered in Suricata 4.1.4. By sending multiple fragmented IPv4 packets, the function Defrag4Reassemble in defrag.c tries to access a memory region that is not allocated, because of a lack of header_len checking.
CVE-2019-16411: (needs triaging) An issue was discovered in Suricata 4.1.4. By sending multiple IPv4 packets that have invalid IPv4Options, the function IPV4OptValidateTimestamp in decode-ipv4.c tries to access a memory region that is not allocated. There is a check for o->len < 5 (corresponding to 2 bytes of header and 3 bytes of data). Then, "flag = *(o->data + 3)" places one beyond the 3 bytes, because the code should have been "flag = *(o->data + 1)" instead.
CVE-2019-18625: (needs triaging) An issue was discovered in Suricata 5.0.0. It was possible to bypass/evade any tcp based signature by faking a closed TCP session using an evil server. After the TCP SYN packet, it is possible to inject a RST ACK and a FIN ACK packet with a bad TCP Timestamp option. The client will ignore the RST ACK and the FIN ACK packets because of the bad TCP Timestamp option. Both linux and windows client are ignoring the injected packets.
CVE-2019-18792: (needs triaging) An issue was discovered in Suricata 5.0.0. It is possible to bypass/evade any tcp based signature by overlapping a TCP segment with a fake FIN packet. The fake FIN packet is injected just before the PUSH ACK packet we want to bypass. The PUSH ACK packet (containing the data) will be ignored by Suricata because it overlaps the FIN packet (the sequence and ack number are identical in the two packets). The client will ignore the fake FIN packet because the ACK flag is not set. Both linux and windows clients are ignoring the injected packet.
CVE-2021-35063: (needs triaging) Suricata before 5.0.7 and 6.x before 6.0.3 has a "critical evasion."
CVE-2021-37592: (needs triaging) Suricata before 5.0.8 and 6.x before 6.0.4 allows TCP evasion via a client with a crafted TCP/IP stack that can send a certain sequence of segments.
CVE-2021-45098: (needs triaging) An issue was discovered in Suricata before 6.0.4. It is possible to bypass/evade any HTTP-based signature by faking an RST TCP packet with random TCP options of the md5header from the client side. After the three-way handshake, it's possible to inject an RST ACK with a random TCP md5header option. Then, the client can send an HTTP GET request with a forbidden URL. The server will ignore the RST ACK and send the response HTTP packet for the client's request. These packets will not trigger a Suricata reject action.
CVE-2019-1010279: (needs triaging) Open Information Security Foundation Suricata prior to version 4.1.3 is affected by: Denial of Service - TCP/HTTP detection bypass. The impact is: An attacker can evade a signature detection with a specialy formed sequence of network packets. The component is: detect.c (https://github.com/OISF/suricata/pull/3625/commits/d8634daf74c882356659addb65fb142b738a186b). The attack vector is: An attacker can trigger the vulnerability by a specifically crafted network TCP session. The fixed version is: 4.1.3.

Created: 2023-06-19 Last update: 2023-09-19 03:30

lintian reports 1 error and 3 warnings high

Lintian reports 1 error and 3 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2023-07-20 Last update: 2023-07-21 05:36

4 low-priority security issues in bullseye low

There are 4 open security issues in bullseye.

4 issues left for the package maintainer to handle:

CVE-2021-37592: (needs triaging) Suricata before 5.0.8 and 6.x before 6.0.4 allows TCP evasion via a client with a crafted TCP/IP stack that can send a certain sequence of segments.
CVE-2021-45098: (needs triaging) An issue was discovered in Suricata before 6.0.4. It is possible to bypass/evade any HTTP-based signature by faking an RST TCP packet with random TCP options of the md5header from the client side. After the three-way handshake, it's possible to inject an RST ACK with a random TCP md5header option. Then, the client can send an HTTP GET request with a forbidden URL. The server will ignore the RST ACK and send the response HTTP packet for the client's request. These packets will not trigger a Suricata reject action.
CVE-2023-35852: (needs triaging) In Suricata before 6.0.13 (when there is an adversary who controls an external source of rules), a dataset filename, that comes from a rule, may trigger absolute or relative directory traversal, and lead to write access to a local filesystem. This is addressed in 6.0.13 by requiring allow-absolute-filenames and allow-write (in the datasets rules configuration section) if an installation requires traversal/writing in this situation.
CVE-2023-35853: (needs triaging) In Suricata before 6.0.13, an adversary who controls an external source of Lua rules may be able to execute Lua code. This is addressed in 6.0.13 by disabling Lua unless allow-rules is true in the security lua configuration section.

You can find information about how to handle these issues in the security team's documentation.

Created: 2022-07-04 Last update: 2023-09-19 03:30

2 low-priority security issues in bookworm low

There are 2 open security issues in bookworm.

2 issues left for the package maintainer to handle:

CVE-2023-35852: (needs triaging) In Suricata before 6.0.13 (when there is an adversary who controls an external source of rules), a dataset filename, that comes from a rule, may trigger absolute or relative directory traversal, and lead to write access to a local filesystem. This is addressed in 6.0.13 by requiring allow-absolute-filenames and allow-write (in the datasets rules configuration section) if an installation requires traversal/writing in this situation.
CVE-2023-35853: (needs triaging) In Suricata before 6.0.13, an adversary who controls an external source of Lua rules may be able to execute Lua code. This is addressed in 6.0.13 by disabling Lua unless allow-rules is true in the security lua configuration section.

You can find information about how to handle these issues in the security team's documentation.

Created: 2023-06-19 Last update: 2023-09-19 03:30

debian/patches: 8 patches to forward upstream low

Among the 10 debian patches available in version 1:7.0.1-1 of the package, we noticed the following issues:

8 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2023-09-16 23:20

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2022-10-16 Last update: 2022-10-16 06:01

testing migrations

This package will soon be part of the auto-hiredis transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.

news

[rss feed]

[2023-09-19] suricata 1:7.0.1-1 MIGRATED to testing (Debian testing watch)
[2023-09-16] Accepted suricata 1:7.0.1-1 (source) into unstable (Sascha Steinbiss)
[2023-07-22] suricata 1:7.0.0-2 MIGRATED to testing (Debian testing watch)
[2023-07-22] suricata 1:7.0.0-2 MIGRATED to testing (Debian testing watch)
[2023-07-20] Accepted suricata 1:7.0.0-2 (source) into unstable (Sascha Steinbiss)
[2023-07-19] Accepted suricata 1:7.0.0-1 (source) into unstable (Sascha Steinbiss)
[2023-07-17] suricata REMOVED from testing (Debian testing watch)
[2023-06-23] suricata 1:6.0.13-1 MIGRATED to testing (Debian testing watch)
[2023-06-16] Accepted suricata 1:6.0.13-1 (source) into unstable (Sascha Steinbiss)
[2023-02-03] Accepted suricata 1:6.0.10-1~bpo11+1 (source) into bullseye-backports (Sascha Steinbiss)
[2023-02-03] suricata 1:6.0.10-1 MIGRATED to testing (Debian testing watch)
[2023-01-31] Accepted suricata 1:6.0.10-1 (source) into unstable (Sascha Steinbiss)
[2022-12-01] Accepted suricata 1:6.0.9-1~bpo11+1 (source amd64) into bullseye-backports (Sascha Steinbiss)
[2022-12-01] suricata 1:6.0.9-1 MIGRATED to testing (Debian testing watch)
[2022-11-29] Accepted suricata 1:6.0.9-1 (source) into unstable (Sascha Steinbiss)
[2022-10-04] Accepted suricata 1:6.0.8-1~bpo11+1 (source amd64) into bullseye-backports (Sascha Steinbiss)
[2022-10-03] suricata 1:6.0.8-1 MIGRATED to testing (Debian testing watch)
[2022-09-28] Accepted suricata 1:6.0.8-1 (source) into unstable (Sascha Steinbiss)
[2022-09-27] suricata 1:6.0.6-2 MIGRATED to testing (Debian testing watch)
[2022-09-21] Accepted suricata 1:6.0.6-2 (source) into unstable (Sascha Steinbiss)
[2022-09-04] Accepted suricata 1:6.0.6-1~bpo10+1 (source) into oldstable-backports-sloppy->backports-policy, oldstable-backports-sloppy (Debian FTP Masters) (signed by: Sascha Steinbiss)
[2022-09-04] Accepted suricata 1:6.0.6-1~bpo11+1 (source) into bullseye-backports (Sascha Steinbiss)
[2022-07-18] suricata 1:6.0.6-1 MIGRATED to testing (Debian testing watch)
[2022-07-13] Accepted suricata 1:6.0.6-1 (source) into unstable (Sascha Steinbiss)
[2022-06-06] suricata 1:6.0.5-3 MIGRATED to testing (Debian testing watch)
[2022-06-01] Accepted suricata 1:6.0.5-3 (source) into unstable (Sascha Steinbiss)
[2022-05-23] Accepted suricata 1:6.0.5-2~bpo10+1 (source amd64) into oldstable-backports-sloppy->backports-policy, oldstable-backports-sloppy (Debian FTP Masters) (signed by: Sascha Steinbiss)
[2022-05-05] Accepted suricata 1:6.0.5-2~bpo11+1 (source amd64) into bullseye-backports (Sascha Steinbiss)
[2022-05-05] suricata 1:6.0.5-2 MIGRATED to testing (Debian testing watch)
[2022-04-30] Accepted suricata 1:6.0.5-2 (source) into unstable (Sascha Steinbiss)

bugs [bug history graph]

all: 4
RC: 0
I&N: 3
M&W: 1
F&P: 0
patch: 0

links

homepage
lintian (1, 3)
buildd: logs, checks, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1:7.0.0-2
1 bug