suricata - Debian Package Tracker

general

source: suricata (main)
version: 1:8.0.1-3
maintainer: Pierre Chifflier (DMD)
uploaders: Sascha Steinbiss [DMD]
std-ver: 4.6.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1:6.0.1-3
o-o-sec: 1:6.0.1-3+deb11u1
oldstable: 1:6.0.10-1
old-bpo: 1:7.0.10-1~bpo12+1
stable: 1:7.0.10-1
stable-bpo: 1:8.0.1-3~bpo13+1
testing: 1:8.0.1-3
unstable: 1:8.0.1-3

versioned links

1:6.0.1-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:6.0.1-3+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:6.0.10-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:7.0.10-1~bpo12+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:7.0.10-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:8.0.1-3~bpo13+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1:8.0.1-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

suricata (3 bugs: 0, 3, 0, 0)

action needed

22 security issues in bullseye high

There are 22 open security issues in bullseye.

9 important issues:

CVE-2024-55605: Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, a large input buffer to the to_lowercase, to_uppercase, strip_whitespace, compress_whitespace, dotprefix, header_lowercase, strip_pseudo_headers, url_decode, or xor transform can lead to a stack overflow causing Suricata to crash. The issue has been addressed in Suricata 7.0.8.
CVE-2024-55627: Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, a specially crafted TCP stream can lead to a very large buffer overflow while being zero-filled during initialization with memset due to an unsigned integer underflow. The issue has been addressed in Suricata 7.0.8.
CVE-2024-55628: Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.8, DNS resource name compression can lead to small DNS messages containing very large hostnames which can be costly to decode, and lead to very large DNS log records. While there are limits in place, they were too generous. The issue has been addressed in Suricata 7.0.8.
CVE-2024-55629: Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, TCP streams with TCP urgent data (out of band data) can lead to Suricata analyzing data differently than the applications at the TCP endpoints, leading to possible evasions. Suricata 7.0.8 includes options to allow users to configure how to handle TCP urgent data. In IPS mode, you can use a rule such as drop tcp any any -> any any (sid:1; tcp.flags:U*;) to drop all the packets with urgent flag set.
CVE-2025-29915: Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. The AF_PACKET defrag option is enabled by default and allows AF_PACKET to re-assemble fragmented packets before reaching Suricata. However the default packet size in Suricata is based on the network interface MTU which leads to Suricata seeing truncated packets. Upgrade to Suricata 7.0.9, which uses better defaults and adds warnings for user configurations that may lead to issues.
CVE-2025-29916: Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Datasets declared in rules have an option to specify the `hashsize` to use. This size setting isn't properly limited, so the hash table allocation can be large. Untrusted rules can lead to large memory allocations, potentially leading to denial of service due to resource starvation. This vulnerability is fixed in 7.0.9.
CVE-2025-29917: Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. The bytes setting in the decode_base64 keyword is not properly limited. Due to this, signatures using the keyword and setting can cause large memory allocations of up to 4 GiB per thread. This vulnerability is fixed in 7.0.9.
CVE-2025-53538: Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions 7.0.10 and below and 8.0.0-beta1 through 8.0.0-rc1, mishandling of data on HTTP2 stream 0 can lead to uncontrolled memory usage, leading to loss of visibility. Workarounds include disabling the HTTP/2 parser, and using a signature like drop http2 any any -> any any (frame:http2.hdr; byte_test:1,=,0,3; byte_test:4,=,0,5; sid: 1;) where the first byte test tests the HTTP2 frame type DATA and the second tests the stream id 0. This is fixed in versions 7.0.11 and 8.0.0.
CVE-2025-59147: Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Versions 7.0.11 and below, as well as 8.0.0, are vulnerable to detection bypass when crafted traffic sends multiple SYN packets with different sequence numbers within the same flow tuple, which can cause Suricata to fail to pick up the TCP session. In IDS mode this can lead to a detection and logging bypass. In IPS mode this will lead to the flow getting blocked. This issue is fixed in versions 7.0.12 and 8.0.1.

13 issues postponed or untriaged:

CVE-2021-37592: (needs triaging) Suricata before 5.0.8 and 6.x before 6.0.4 allows TCP evasion via a client with a crafted TCP/IP stack that can send a certain sequence of segments.
CVE-2023-35853: (needs triaging) In Suricata before 6.0.13, an adversary who controls an external source of Lua rules may be able to execute Lua code. This is addressed in 6.0.13 by disabling Lua unless allow-rules is true in the security lua configuration section.
CVE-2024-23836: (needs triaging) Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to versions 6.0.16 and 7.0.3, an attacker can craft traffic to cause Suricata to use far more CPU and memory for processing the traffic than needed, which can lead to extreme slow downs and denial of service. This vulnerability is patched in 6.0.16 or 7.0.3. Workarounds include disabling the affected protocol app-layer parser in the yaml and reducing the `stream.reassembly.depth` value helps reduce the severity of the issue.
CVE-2024-28870: (needs triaging) Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine developed by the OISF and the Suricata community. When parsing an overly long SSH banner, Suricata can use excessive CPU resources, as well as cause excessive logging volume in alert records. This issue has been patched in versions 6.0.17 and 7.0.4.
CVE-2024-32664: (needs triaging) Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, specially crafted traffic or datasets can cause a limited buffer overflow. This vulnerability is fixed in 7.0.5 and 6.0.19. Workarounds include not use rules with `base64_decode` keyword with `bytes` option with value 1, 2 or 5 and for 7.0.x, setting `app-layer.protocols.smtp.mime.body-md5` to false.
CVE-2024-32867: (needs triaging) Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, various problems in handling of fragmentation anomalies can lead to mis-detection of rules and policy. This vulnerability is fixed in 7.0.5 or 6.0.19.
CVE-2024-38534: (needs triaging) Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Crafted modbus traffic can lead to unlimited resource accumulation within a flow. Upgrade to 7.0.6. Set a limited stream.reassembly.depth to reduce the issue.
CVE-2024-38535: (needs triaging) Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Suricata can run out of memory when parsing crafted HTTP/2 traffic. Upgrade to 6.0.20 or 7.0.6.
CVE-2024-38536: (needs triaging) Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. A memory allocation failure due to `http.memcap` being reached leads to a NULL-ptr reference leading to a crash. Upgrade to 7.0.6.
CVE-2024-45795: (postponed; to be fixed through a stable update) Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, rules using datasets with the non-functional / unimplemented "unset" option can trigger an assertion during traffic parsing, leading to denial of service. This issue is addressed in 7.0.7. As a workaround, use only trusted and well tested rulesets.
CVE-2024-47187: (postponed; to be fixed through a stable update) Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, missing initialization of the random seed for "thash" leads to datasets having predictable hash table behavior. This can lead to dataset file loading to use excessive time to load, as well as runtime performance issues during traffic handling. This issue has been addressed in 7.0.7. As a workaround, avoid loading datasets from untrusted sources. Avoid dataset rules that track traffic in rules.
CVE-2024-47188: (postponed; to be fixed through a stable update) Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, missing initialization of the random seed for "thash" leads to byte-range tracking having predictable hash table behavior. This can lead to an attacker forcing lots of data into a single hash bucket, leading to severe performance degradation. This issue has been addressed in 7.0.7.
CVE-2024-47522: (postponed; to be fixed through a stable update) Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, invalid ALPN in TLS/QUIC traffic when JA4 matching/logging is enabled can lead to Suricata aborting with a panic. This issue has been addressed in 7.0.7. One may disable ja4 as a workaround.

Created: 2025-01-06 Last update: 2025-10-25 22:00

23 security issues in buster high

There are 23 open security issues in buster.

4 important issues:

CVE-2024-28870: Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine developed by the OISF and the Suricata community. When parsing an overly long SSH banner, Suricata can use excessive CPU resources, as well as cause excessive logging volume in alert records. This issue has been patched in versions 6.0.17 and 7.0.4.
CVE-2024-32663: Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, a small amount of HTTP/2 traffic can lead to Suricata using a large amount of memory. The issue has been addressed in Suricata 7.0.5 and 6.0.19. Workarounds include disabling the HTTP/2 parser and reducing `app-layer.protocols.http2.max-table-size` value (default is 65536).
CVE-2024-32664: Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, specially crafted traffic or datasets can cause a limited buffer overflow. This vulnerability is fixed in 7.0.5 and 6.0.19. Workarounds include not use rules with `base64_decode` keyword with `bytes` option with value 1, 2 or 5 and for 7.0.x, setting `app-layer.protocols.smtp.mime.body-md5` to false.
CVE-2024-32867: Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, various problems in handling of fragmentation anomalies can lead to mis-detection of rules and policy. This vulnerability is fixed in 7.0.5 or 6.0.19.

19 issues postponed or untriaged:

CVE-2019-10050: (needs triaging) A buffer over-read issue was discovered in Suricata 4.1.x before 4.1.4. If the input of the decode-mpls.c function DecodeMPLS is composed only of a packet of source address and destination address plus the correct type field and the right number for shim, an attacker can manipulate the control flow, such that the condition to leave the loop is true. After leaving the loop, the network packet has a length of 2 bytes. There is no validation of this length. Later on, the code tries to read at an empty position, leading to a crash.
CVE-2019-10051: (needs triaging) An issue was discovered in Suricata 4.1.3. If the function filetracker_newchunk encounters an unsafe "Some(sfcm) => { ft.new_chunk }" item, then the program enters an smb/files.rs error condition and crashes.
CVE-2019-10052: (needs triaging) An issue was discovered in Suricata 4.1.3. If the network packet does not have the right length, the parser tries to access a part of a DHCP packet. At this point, the Rust environment runs into a panic in parse_clientid_option in the dhcp/parser.rs file.
CVE-2019-10053: (needs triaging) An issue was discovered in Suricata 4.1.x before 4.1.4. If the input of the function SSHParseBanner is composed only of a \n character, then the program runs into a heap-based buffer over-read. This occurs because the erroneous search for \r results in an integer underflow.
CVE-2019-10054: (needs triaging) An issue was discovered in Suricata 4.1.3. The function process_reply_record_v3 lacks a check for the length of reply.data. It causes an invalid memory access and the program crashes within the nfs/nfs3.rs file.
CVE-2019-10055: (needs triaging) An issue was discovered in Suricata 4.1.3. The function ftp_pasv_response lacks a check for the length of part1 and part2, leading to a crash within the ftp/mod.rs file.
CVE-2019-10056: (needs triaging) An issue was discovered in Suricata 4.1.3. The code mishandles the case of sending a network packet with the right type, such that the function DecodeEthernet in decode-ethernet.c is executed a second time. At this point, the algorithm cuts the first part of the packet and doesn't determine the current length. Specifically, if the packet is exactly 28 long, in the first iteration it subtracts 14 bytes. Then, it is working with a packet length of 14. At this point, the case distinction says it is a valid packet. After that it casts the packet, but this packet has no type, and the program crashes at the type case distinction.
CVE-2019-15699: (needs triaging) An issue was discovered in app-layer-ssl.c in Suricata 4.1.4. Upon receiving a corrupted SSLv3 (TLS 1.2) packet, the parser function TLSDecodeHSHelloExtensions tries to access a memory region that is not allocated, because the expected length of HSHelloExtensions does not match the real length of the HSHelloExtensions part of the packet.
CVE-2019-16410: (needs triaging) An issue was discovered in Suricata 4.1.4. By sending multiple fragmented IPv4 packets, the function Defrag4Reassemble in defrag.c tries to access a memory region that is not allocated, because of a lack of header_len checking.
CVE-2019-16411: (needs triaging) An issue was discovered in Suricata 4.1.4. By sending multiple IPv4 packets that have invalid IPv4Options, the function IPV4OptValidateTimestamp in decode-ipv4.c tries to access a memory region that is not allocated. There is a check for o->len < 5 (corresponding to 2 bytes of header and 3 bytes of data). Then, "flag = *(o->data + 3)" places one beyond the 3 bytes, because the code should have been "flag = *(o->data + 1)" instead.
CVE-2019-18625: (needs triaging) An issue was discovered in Suricata 5.0.0. It was possible to bypass/evade any tcp based signature by faking a closed TCP session using an evil server. After the TCP SYN packet, it is possible to inject a RST ACK and a FIN ACK packet with a bad TCP Timestamp option. The client will ignore the RST ACK and the FIN ACK packets because of the bad TCP Timestamp option. Both linux and windows client are ignoring the injected packets.
CVE-2019-18792: (needs triaging) An issue was discovered in Suricata 5.0.0. It is possible to bypass/evade any tcp based signature by overlapping a TCP segment with a fake FIN packet. The fake FIN packet is injected just before the PUSH ACK packet we want to bypass. The PUSH ACK packet (containing the data) will be ignored by Suricata because it overlaps the FIN packet (the sequence and ack number are identical in the two packets). The client will ignore the fake FIN packet because the ACK flag is not set. Both linux and windows clients are ignoring the injected packet.
CVE-2021-35063: (needs triaging) Suricata before 5.0.7 and 6.x before 6.0.3 has a "critical evasion."
CVE-2021-37592: (needs triaging) Suricata before 5.0.8 and 6.x before 6.0.4 allows TCP evasion via a client with a crafted TCP/IP stack that can send a certain sequence of segments.
CVE-2021-45098: (needs triaging) An issue was discovered in Suricata before 6.0.4. It is possible to bypass/evade any HTTP-based signature by faking an RST TCP packet with random TCP options of the md5header from the client side. After the three-way handshake, it's possible to inject an RST ACK with a random TCP md5header option. Then, the client can send an HTTP GET request with a forbidden URL. The server will ignore the RST ACK and send the response HTTP packet for the client's request. These packets will not trigger a Suricata reject action.
CVE-2023-35852: (needs triaging) In Suricata before 6.0.13 (when there is an adversary who controls an external source of rules), a dataset filename, that comes from a rule, may trigger absolute or relative directory traversal, and lead to write access to a local filesystem. This is addressed in 6.0.13 by requiring allow-absolute-filenames and allow-write (in the datasets rules configuration section) if an installation requires traversal/writing in this situation.
CVE-2023-35853: (needs triaging) In Suricata before 6.0.13, an adversary who controls an external source of Lua rules may be able to execute Lua code. This is addressed in 6.0.13 by disabling Lua unless allow-rules is true in the security lua configuration section.
CVE-2024-23836: (needs triaging) Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to versions 6.0.16 and 7.0.3, an attacker can craft traffic to cause Suricata to use far more CPU and memory for processing the traffic than needed, which can lead to extreme slow downs and denial of service. This vulnerability is patched in 6.0.16 or 7.0.3. Workarounds include disabling the affected protocol app-layer parser in the yaml and reducing the `stream.reassembly.depth` value helps reduce the severity of the issue.
CVE-2019-1010279: (needs triaging) Open Information Security Foundation Suricata prior to version 4.1.3 is affected by: Denial of Service - TCP/HTTP detection bypass. The impact is: An attacker can evade a signature detection with a specialy formed sequence of network packets. The component is: detect.c (https://github.com/OISF/suricata/pull/3625/commits/d8634daf74c882356659addb65fb142b738a186b). The attack vector is: An attacker can trigger the vulnerability by a specifically crafted network TCP session. The fixed version is: 4.1.3.

Created: 2024-04-04 Last update: 2024-06-29 05:38

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 1:8.0.1-4, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit dbc886b747b42390f22697ad23736cff90006564
Author: Sascha Steinbiss <satta@debian.org>
Date:   Thu Oct 23 14:03:54 2025 +0200

    add Andreas Dolp to Uploaders

commit c25aa4e824d649e06d8b1feadc61340f6401170c
Author: Andreas Dolp <dev@andreas-dolp.de>
Date:   Sat Oct 11 22:19:02 2025 +0200

    Fix non-existent '.ft C' in manpages to avoid lintian warnings
    
    Lintian warns about the upstream manpages containing the pattern
    '.ft C' to select the font C, which is not defined for Debian groff.
    
    'override_dh_installman' now installs the manpages as regular, but
    searches for *.1 files in debian/ and appends the following line
    after the '.TH' line: 'if n .ftr C R''
    The appended line instructs groff to use the normal regular font R
    instead of C, if running in nroff / text mode, which fixes the
    lintian warnings.
    
    If upstream uses another version of rst2man in the release process,
    which does not generate the '.ft C' lines in the resulting manpages
    (*.1), this fix can be removed.
    
    I will not use a Debian patch, as generally the upstream manpages are
    formatted correctly, but Debian's groff does not implement font C.
    In contrast to a Debian patch, this solution is more generic and
    would not need to be adjusted, if upstream adds or changes manpages.

commit d2b282838f9ea1d883c42c0d0d6e39540fc734bb
Author: Andreas Dolp <dev@andreas-dolp.de>
Date:   Sun Oct 12 12:47:17 2025 +0200

    blhc: Set ignore pattern for rust to avoid false-positives
    
    According to the blhc manpage, only gcc is supported.
    Tried to build the rust code with '--verbose', but this doesn't
    improve anything, so I think this warning can be disabled to make
    the salsa pipeline green.

commit a5ed33c21e40d1823ec98e8396c19b3921c50c48
Author: Andreas Dolp <dev@andreas-dolp.de>
Date:   Sun Oct 12 01:45:17 2025 +0200

    lintian: Fix file permissions of python/suricata/config/defaults.py
    
    Lintian warns of 'executable-not-elf-or-script', because the file
    is marked executable, but it is not a script nor an executable.

commit 28980b36bf30a338f1bf85484bfee45aece7d1ef
Author: Andreas Dolp <dev@andreas-dolp.de>
Date:   Sun Oct 12 00:49:27 2025 +0200

    lintian: Remove lintian override 'executable-in-usr-lib'
    
    This override produced another warning 'mismatched-override' because
    the override is not needed any more.

commit 1626958715c68d44982962f812e5f5f031d2ae07
Author: Andreas Dolp <dev@andreas-dolp.de>
Date:   Sun Oct 12 00:11:56 2025 +0200

     d/copyright: Remove superfluous file patterns for some deleted files
    
    Detected thanks to lintian warnings 'superfluous-file-pattern'.

commit 26623cd70d30a776f487f689d53f2d78cd70ffe5
Author: Andreas Dolp <dev@andreas-dolp.de>
Date:   Sun Oct 12 00:06:32 2025 +0200

    lintian: Fix 'incorrect-packaging-filename' warning for d/NEWS
    
    In the source tree the file has to be named d/NEWS.
    Debhelper scripts will then copy to file to its final destination
    at /usr/share/doc/*pkg*/NEWS.Debian.gz. Refer to #1061453 for
    clarification.

commit d340d7077cc291a1f7031df312e6714f8bc4d11f
Author: Andreas Dolp <dev@andreas-dolp.de>
Date:   Tue Oct 21 20:20:26 2025 +0200

    d/control: Bump standards version from 4.6.2 to 4.7.2
    
    No special changes required.

commit b94c04691edb731bc0204684f1bf677ae712e69d
Author: Andreas Dolp <dev@andreas-dolp.de>
Date:   Tue Oct 21 20:05:02 2025 +0200

    Use /usr/bin/kill instead of /bin/kill
    
    This is not directly related to the standards upgrade to 4.7.2,
    but I think we should comply to the normal, modern paths /usr/.

Created: 2025-10-23 Last update: 2025-10-23 13:31

lintian reports 21 warnings normal

Lintian reports 21 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2025-09-26 Last update: 2025-09-26 22:32

1 low-priority security issue in trixie low

There is 1 open security issue in trixie.

1 issue left for the package maintainer to handle:

CVE-2025-59147: (needs triaging) Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Versions 7.0.11 and below, as well as 8.0.0, are vulnerable to detection bypass when crafted traffic sends multiple SYN packets with different sequence numbers within the same flow tuple, which can cause Suricata to fail to pick up the TCP session. In IDS mode this can lead to a detection and logging bypass. In IPS mode this will lead to the flow getting blocked. This issue is fixed in versions 7.0.12 and 8.0.1.

You can find information about how to handle this issue in the security team's documentation.

1 issue that should be fixed with the next stable update:

CVE-2025-53538: Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions 7.0.10 and below and 8.0.0-beta1 through 8.0.0-rc1, mishandling of data on HTTP2 stream 0 can lead to uncontrolled memory usage, leading to loss of visibility. Workarounds include disabling the HTTP/2 parser, and using a signature like drop http2 any any -> any any (frame:http2.hdr; byte_test:1,=,0,3; byte_test:4,=,0,5; sid: 1;) where the first byte test tests the HTTP2 frame type DATA and the second tests the stream id 0. This is fixed in versions 7.0.11 and 8.0.0.

Created: 2025-10-02 Last update: 2025-10-25 22:00

27 low-priority security issues in bookworm low

There are 27 open security issues in bookworm.

27 issues left for the package maintainer to handle:

CVE-2023-35852: (needs triaging) In Suricata before 6.0.13 (when there is an adversary who controls an external source of rules), a dataset filename, that comes from a rule, may trigger absolute or relative directory traversal, and lead to write access to a local filesystem. This is addressed in 6.0.13 by requiring allow-absolute-filenames and allow-write (in the datasets rules configuration section) if an installation requires traversal/writing in this situation.
CVE-2023-35853: (needs triaging) In Suricata before 6.0.13, an adversary who controls an external source of Lua rules may be able to execute Lua code. This is addressed in 6.0.13 by disabling Lua unless allow-rules is true in the security lua configuration section.
CVE-2024-23836: (needs triaging) Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to versions 6.0.16 and 7.0.3, an attacker can craft traffic to cause Suricata to use far more CPU and memory for processing the traffic than needed, which can lead to extreme slow downs and denial of service. This vulnerability is patched in 6.0.16 or 7.0.3. Workarounds include disabling the affected protocol app-layer parser in the yaml and reducing the `stream.reassembly.depth` value helps reduce the severity of the issue.
CVE-2024-28870: (needs triaging) Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine developed by the OISF and the Suricata community. When parsing an overly long SSH banner, Suricata can use excessive CPU resources, as well as cause excessive logging volume in alert records. This issue has been patched in versions 6.0.17 and 7.0.4.
CVE-2024-32663: (needs triaging) Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, a small amount of HTTP/2 traffic can lead to Suricata using a large amount of memory. The issue has been addressed in Suricata 7.0.5 and 6.0.19. Workarounds include disabling the HTTP/2 parser and reducing `app-layer.protocols.http2.max-table-size` value (default is 65536).
CVE-2024-32664: (needs triaging) Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, specially crafted traffic or datasets can cause a limited buffer overflow. This vulnerability is fixed in 7.0.5 and 6.0.19. Workarounds include not use rules with `base64_decode` keyword with `bytes` option with value 1, 2 or 5 and for 7.0.x, setting `app-layer.protocols.smtp.mime.body-md5` to false.
CVE-2024-32867: (needs triaging) Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.5 and 6.0.19, various problems in handling of fragmentation anomalies can lead to mis-detection of rules and policy. This vulnerability is fixed in 7.0.5 or 6.0.19.
CVE-2024-37151: (needs triaging) Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Mishandling of multiple fragmented packets using the same IP ID value can lead to packet reassembly failure, which can lead to policy bypass. Upgrade to 7.0.6 or 6.0.20. When using af-packet, enable `defrag` to reduce the scope of the problem.
CVE-2024-38534: (needs triaging) Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Crafted modbus traffic can lead to unlimited resource accumulation within a flow. Upgrade to 7.0.6. Set a limited stream.reassembly.depth to reduce the issue.
CVE-2024-38535: (needs triaging) Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Suricata can run out of memory when parsing crafted HTTP/2 traffic. Upgrade to 6.0.20 or 7.0.6.
CVE-2024-38536: (needs triaging) Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. A memory allocation failure due to `http.memcap` being reached leads to a NULL-ptr reference leading to a crash. Upgrade to 7.0.6.
CVE-2024-45795: (needs triaging) Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, rules using datasets with the non-functional / unimplemented "unset" option can trigger an assertion during traffic parsing, leading to denial of service. This issue is addressed in 7.0.7. As a workaround, use only trusted and well tested rulesets.
CVE-2024-45796: (needs triaging) Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, a logic error during fragment reassembly can lead to failed reassembly for valid traffic. An attacker could craft packets to trigger this behavior.This issue has been addressed in 7.0.7.
CVE-2024-47187: (needs triaging) Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, missing initialization of the random seed for "thash" leads to datasets having predictable hash table behavior. This can lead to dataset file loading to use excessive time to load, as well as runtime performance issues during traffic handling. This issue has been addressed in 7.0.7. As a workaround, avoid loading datasets from untrusted sources. Avoid dataset rules that track traffic in rules.
CVE-2024-47188: (needs triaging) Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, missing initialization of the random seed for "thash" leads to byte-range tracking having predictable hash table behavior. This can lead to an attacker forcing lots of data into a single hash bucket, leading to severe performance degradation. This issue has been addressed in 7.0.7.
CVE-2024-47522: (needs triaging) Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, invalid ALPN in TLS/QUIC traffic when JA4 matching/logging is enabled can lead to Suricata aborting with a panic. This issue has been addressed in 7.0.7. One may disable ja4 as a workaround.
CVE-2024-55605: (needs triaging) Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, a large input buffer to the to_lowercase, to_uppercase, strip_whitespace, compress_whitespace, dotprefix, header_lowercase, strip_pseudo_headers, url_decode, or xor transform can lead to a stack overflow causing Suricata to crash. The issue has been addressed in Suricata 7.0.8.
CVE-2024-55626: (needs triaging) Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, a large BPF filter file provided to Suricata at startup can lead to a buffer overflow at Suricata startup. The issue has been addressed in Suricata 7.0.8.
CVE-2024-55627: (needs triaging) Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, a specially crafted TCP stream can lead to a very large buffer overflow while being zero-filled during initialization with memset due to an unsigned integer underflow. The issue has been addressed in Suricata 7.0.8.
CVE-2024-55628: (needs triaging) Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.8, DNS resource name compression can lead to small DNS messages containing very large hostnames which can be costly to decode, and lead to very large DNS log records. While there are limits in place, they were too generous. The issue has been addressed in Suricata 7.0.8.
CVE-2024-55629: (needs triaging) Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, TCP streams with TCP urgent data (out of band data) can lead to Suricata analyzing data differently than the applications at the TCP endpoints, leading to possible evasions. Suricata 7.0.8 includes options to allow users to configure how to handle TCP urgent data. In IPS mode, you can use a rule such as drop tcp any any -> any any (sid:1; tcp.flags:U*;) to drop all the packets with urgent flag set.
CVE-2025-29915: (needs triaging) Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. The AF_PACKET defrag option is enabled by default and allows AF_PACKET to re-assemble fragmented packets before reaching Suricata. However the default packet size in Suricata is based on the network interface MTU which leads to Suricata seeing truncated packets. Upgrade to Suricata 7.0.9, which uses better defaults and adds warnings for user configurations that may lead to issues.
CVE-2025-29916: (needs triaging) Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Datasets declared in rules have an option to specify the `hashsize` to use. This size setting isn't properly limited, so the hash table allocation can be large. Untrusted rules can lead to large memory allocations, potentially leading to denial of service due to resource starvation. This vulnerability is fixed in 7.0.9.
CVE-2025-29917: (needs triaging) Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. The bytes setting in the decode_base64 keyword is not properly limited. Due to this, signatures using the keyword and setting can cause large memory allocations of up to 4 GiB per thread. This vulnerability is fixed in 7.0.9.
CVE-2025-29918: (needs triaging) Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. A PCRE rule can be written that leads to an infinite loop when negated PCRE is used. Packet processing thread becomes stuck in infinite loop limiting visibility and availability in inline mode. This vulnerability is fixed in 7.0.9.
CVE-2025-53538: (needs triaging) Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions 7.0.10 and below and 8.0.0-beta1 through 8.0.0-rc1, mishandling of data on HTTP2 stream 0 can lead to uncontrolled memory usage, leading to loss of visibility. Workarounds include disabling the HTTP/2 parser, and using a signature like drop http2 any any -> any any (frame:http2.hdr; byte_test:1,=,0,3; byte_test:4,=,0,5; sid: 1;) where the first byte test tests the HTTP2 frame type DATA and the second tests the stream id 0. This is fixed in versions 7.0.11 and 8.0.0.
CVE-2025-59147: (needs triaging) Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Versions 7.0.11 and below, as well as 8.0.0, are vulnerable to detection bypass when crafted traffic sends multiple SYN packets with different sequence numbers within the same flow tuple, which can cause Suricata to fail to pick up the TCP session. In IDS mode this can lead to a detection and logging bypass. In IPS mode this will lead to the flow getting blocked. This issue is fixed in versions 7.0.12 and 8.0.1.

You can find information about how to handle these issues in the security team's documentation.

Created: 2023-06-19 Last update: 2025-10-25 22:00

debian/patches: 8 patches to forward upstream low

Among the 12 debian patches available in version 1:8.0.1-3 of the package, we noticed the following issues:

8 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2025-09-26 19:31

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.6.2).

Created: 2024-04-07 Last update: 2025-09-26 19:00

news

[rss feed]

[2025-10-15] Accepted suricata 1:8.0.1-3~bpo13+1 (source amd64) into stable-backports (Andreas Dolp) (signed by: Sascha Steinbiss)
[2025-09-28] suricata 1:8.0.1-3 MIGRATED to testing (Debian testing watch)
[2025-09-26] Accepted suricata 1:8.0.1-3 (source) into unstable (Sascha Steinbiss)
[2025-09-23] Accepted suricata 1:8.0.1-2 (source) into unstable (Sascha Steinbiss)
[2025-09-21] Accepted suricata 1:8.0.1-1 (source) into unstable (Sascha Steinbiss)
[2025-09-18] Accepted suricata 1:8.0.0-1~exp5 (source amd64) into experimental (Sascha Steinbiss)
[2025-09-15] Accepted suricata 1:8.0.0-1~exp4 (source amd64) into experimental (Sascha Steinbiss)
[2025-09-09] Accepted suricata 1:8.0.0-1~exp2 (source amd64) into experimental (Sascha Steinbiss)
[2025-09-09] Accepted suricata 1:8.0.0-1~exp1 (source amd64) into experimental (Andreas Dolp) (signed by: Sascha Steinbiss)
[2025-08-28] Accepted suricata 1:7.0.11-1~bpo13+1 (source amd64) into stable-backports (Debian FTP Masters) (signed by: Sascha Steinbiss)
[2025-08-23] suricata 1:7.0.11-1 MIGRATED to testing (Debian testing watch)
[2025-08-18] Accepted suricata 1:7.0.11-1 (source) into unstable (Sascha Steinbiss)
[2025-03-31] Accepted suricata 1:6.0.1-3+deb11u1 (source) into oldstable-security (Thorsten Alteholz)
[2025-03-29] Accepted suricata 1:7.0.10-1~bpo12+1 (source) into stable-backports (Sascha Steinbiss)
[2025-03-28] suricata 1:7.0.10-1 MIGRATED to testing (Debian testing watch)
[2025-03-26] Accepted suricata 1:7.0.10-1 (source) into unstable (Sascha Steinbiss)
[2025-03-23] suricata 1:7.0.9-1 MIGRATED to testing (Debian testing watch)
[2025-03-19] suricata 1:7.0.8-2 MIGRATED to testing (Debian testing watch)
[2025-03-18] Accepted suricata 1:7.0.9-1 (source) into unstable (Sascha Steinbiss)
[2025-03-15] Accepted suricata 1:7.0.8-2 (source) into unstable (Sascha Steinbiss)
[2025-01-13] Accepted suricata 1:7.0.8-1~bpo12+1 (source amd64) into stable-backports (Sascha Steinbiss)
[2024-12-15] suricata 1:7.0.8-1 MIGRATED to testing (Debian testing watch)
[2024-12-13] Accepted suricata 1:7.0.8-1 (source) into unstable (Sascha Steinbiss)
[2024-10-20] Accepted suricata 1:7.0.7-1~bpo12+1 (source amd64) into stable-backports (Sascha Steinbiss)
[2024-10-16] suricata 1:7.0.7-1 MIGRATED to testing (Debian testing watch)
[2024-10-14] Accepted suricata 1:7.0.7-1 (source) into unstable (Sascha Steinbiss)
[2024-08-05] Accepted suricata 1:7.0.6-2~exp1 (source amd64) into experimental (Sascha Steinbiss)
[2024-06-30] Accepted suricata 1:7.0.6-1~bpo12+1 (source amd64) into stable-backports (Sascha Steinbiss)
[2024-06-29] suricata 1:7.0.6-1 MIGRATED to testing (Debian testing watch)
[2024-06-27] Accepted suricata 1:7.0.6-1 (source) into unstable (Sascha Steinbiss)

bugs [bug history graph]

all: 4
RC: 0
I&N: 3
M&W: 1
F&P: 0
patch: 0

links

homepage
lintian (0, 21)
buildd: logs, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1:7.0.10-1
1 bug