Message-Id: <202003180024.02I0OoK5059143@repo.freebsd.org>
From: Craig Leres
Date: Wed, 18 Mar 2020 00:24:50 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject: svn commit: r528617 - branches/2020Q1/security/zeek

Author: leres
Date: Wed Mar 18 00:24:50 2020
New Revision: 528617
URL: https://svnweb.freebsd.org/changeset/ports/528617

Log:
  MFH: r528508

  security/bro: Update to 3.0.3 and address a number of potential denial of
  service issues:

  https://github.com/zeek/zeek/releases/tag/v3.0.2
  https://github.com/zeek/zeek/releases/tag/v3.0.3

  - Potential Denial of Service due to memory leak in DNS TSIG message parsing.

  - Potential Denial of Service due to memory leak (or assertion when compiling
    with assertions enabled) when receiving a second SSH KEX message after a
    first.

  - Potential Denial of Service due to buffer read overflow and/or memory leaks
    in Kerberos analyzer. The buffer read overflow could occur when the Kerberos
    message indicates it contains an IPv6 address, but does not send enough data
    to parse out a full IPv6 address. A memory leak could occur when processing
    KRB_KDC_REQ KRB_KDC_REP messages for message types that do not match a
    known/expected type.

  - Potential Denial of Service when sending many zero-length SSL/TLS
    certificate data. Such messages underwent the full Zeek file analysis
    treatment which is expensive (and meaningless here) compared to how cheaply
    one can "create" or otherwise indicate many zero-length contained in an SSL
    message.
  - Potential Denial of Service due to buffer read overflow in SMB transaction
    data string handling. The length of strings being parsed from SMB messages
    was trusted to be whatever the message claimed instead of the actual length
    of data found in the message.

  - Potential Denial of Service due to null pointer dereference in FTP ADAT
    Base64 decoding.

  - Potential Denial of Service due to buffer read overflow in FTP analyzer
    word/whitespace handling. This typically won't be a problem in most default
    deployments of Zeek since the FTP analyzer receives data from a ContentLine
    (NVT) support analyzer which first null-terminates the buffer used for
    further FTP parsing.

  Approved by:	ler (mentor, implicit)
  Security:	4ae135f7-85cd-4c32-ad94-358271b31f7f
  Approved by:	ports-secteam (joneum)

Modified:
  branches/2020Q1/security/zeek/Makefile
  branches/2020Q1/security/zeek/distinfo
Directory Properties:
  branches/2020Q1/   (props changed)

Modified: branches/2020Q1/security/zeek/Makefile ============================================================================== --- branches/2020Q1/security/zeek/Makefile Wed Mar 18 00:21:59 2020 (r528616) +++ branches/2020Q1/security/zeek/Makefile Wed Mar 18 00:24:50 2020 (r528617) @@ -2,9 +2,9 @@ # $FreeBSD$ PORTNAME= zeek -PORTVERSION= 3.0.1 +PORTVERSION= 3.0.3 CATEGORIES= security -MASTER_SITES= https://www.zeek.org/downloads/ +MASTER_SITES= https://old.zeek.org/downloads/ DISTFILES= ${DISTNAME}${EXTRACT_SUFX} MAINTAINER= leres@FreeBSD.org Modified: branches/2020Q1/security/zeek/distinfo ============================================================================== --- branches/2020Q1/security/zeek/distinfo Wed Mar 18 00:21:59 2020 (r528616) +++ branches/2020Q1/security/zeek/distinfo Wed Mar 18 00:24:50 2020 (r528617)
@@ -1,5 +1,5 @@ -TIMESTAMP = 1576099434 -SHA256 (zeek-3.0.1.tar.gz) = 79f4f3efd883c9c2960295778dc290372d10874380fd88450271652e829811d2 -SIZE (zeek-3.0.1.tar.gz) = 29253371 +TIMESTAMP = 1584248063 +SHA256 (zeek-3.0.3.tar.gz) = 42a178cc9d28e4f20373e415727845a2c52bacdab535d6f810fe2d3cd02e9c76 +SIZE (zeek-3.0.3.tar.gz) = 29270043 SHA256 (bro-bro-netmap-f3620df_GH0.tar.gz) = e51f420781c9a01b0494f93d82f94a1b045725c1cff406c33887974a9940c655 SIZE (bro-bro-netmap-f3620df_GH0.tar.gz) = 24661
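Review bot: In the Makefile hunk, the MASTER_SITES move from https://www.zeek.org/downloads/ to https://old.zeek.org/downloads/ is not mentioned anywhere in the log, which only describes the version bump and the fixed issues; a one-line note in the log saying why the distfile host changed (and that the new host still serves over HTTPS) would make the change self-explaining to whoever audits this branch later. The PORTVERSION change itself is consistent with the distinfo entries for zeek-3.0.3.tar.gz, so the fetch will be verified against the new checksum regardless of which mirror serves it.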
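Review bot: In the distinfo hunk, the new SHA256 and SIZE for zeek-3.0.3.tar.gz replace the 3.0.1 values, but nothing in the log records that the checksum was compared against the checksum published with the upstream v3.0.3 release; since this is a security update fetched from a changed host, stating that cross-check in the log would be worthwhile. Note also that the bro-bro-netmap-f3620df_GH0.tar.gz entries are unchanged, so the netmap plugin stays pinned to the same commit; confirming it still builds against 3.0.3 belongs in the MFH testing notes.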