Date:      Fri, 27 Oct 2023 22:26:09 GMT
From:      Craig Leres <leres@FreeBSD.org>
To:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject:   git: f85e384228a2 - main - security/vuxml: Mark zeek < 6.0.2 as vulnerable as per:
Message-ID:  <202310272226.39RMQ9jC077894@gitrepo.freebsd.org>

The branch main has been updated by leres:

URL: https://cgit.FreeBSD.org/ports/commit/?id=f85e384228a28b33a3bd9c076a2ad4d1f22d021d

commit f85e384228a28b33a3bd9c076a2ad4d1f22d021d
Author:     Craig Leres <leres@FreeBSD.org>
AuthorDate: 2023-10-27 22:25:39 +0000
Commit:     Craig Leres <leres@FreeBSD.org>
CommitDate: 2023-10-27 22:25:39 +0000

    security/vuxml: Mark zeek < 6.0.2 as vulnerable as per:
    
        https://github.com/zeek/zeek/releases/tag/v6.0.2
    
    This release fixes the following potential DoS vulnerabilities:
    
     - A specially-crafted SSL packet could cause Zeek to leak memory
       and potentially crash.
    
     - A specially-crafted series of FTP packets could cause Zeek to
       log entries for requests that have already been completed, using
       resources unnecessarily and potentially causing Zeek to lose
       other traffic.
    
     - A specially-crafted series of SSL packets could cause Zeek to
       output a very large number of unnecessary alerts for the same
       record.
    
     - A specially-crafted series of SSL packets could cause Zeek to
       generate very long ssl_history fields in the ssl.log, potentially
       using a large amount of memory due to unbounded state growth
    
     - A specially-crafted IEEE802.11 packet could cause Zeek to overflow
       memory and potentially crash
    
    Reported by:    Tim Wojtulewicz
---
 security/vuxml/vuln/2023.xml | 39 +++++++++++++++++++++++++++++++++++++++
 security/zeek/Makefile       |  2 +-
 security/zeek/distinfo       |  6 +++---
 3 files changed, 43 insertions(+), 4 deletions(-)

diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml
index c619e019378f..7f47de9a2486 100644
--- a/security/vuxml/vuln/2023.xml
+++ b/security/vuxml/vuln/2023.xml
@@ -1,3 +1,42 @@
+  <vuln vid="386a14bb-1a21-41c6-a2cf-08d79213379b">
+    <topic>zeek -- potential DoS vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>zeek</name>
+	<range><lt>6.0.2</lt></range>
+      </package>
+    </affects>
+    <description>
+	<body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Tim Wojtulewicz of Corelight reports:</p>
+	<blockquote cite="https://github.com/zeek/zeek/releases/tag/v6.0.2">;
+	  <p> A specially-crafted SSL packet could cause Zeek to
+	  leak memory and potentially crash. </p>
+	  <p> A specially-crafted series of FTP packets could cause
+	  Zeek to log entries for requests that have already been
+	  completed, using resources unnecessarily and potentially
+	  causing Zeek to lose other traffic. </p>
+	  <p> A specially-crafted series of SSL packets could cause
+	  Zeek to output a very large number of unnecessary alerts
+	  for the same record. </p>
+	  <p> A specially-crafted series of SSL packets could cause
+	  Zeek to generate very long ssl_history fields in the
+	  ssl.log, potentially using a large amount of memory due
+	  to unbounded state growth </p>
+	  <p> A specially-crafted IEEE802.11 packet could cause
+	  Zeek to overflow memory and potentially crash </p>
+	</blockquote>
+	</body>
+    </description>
+    <references>
+      <url>https://github.com/zeek/zeek/releases/tag/v6.0.2</url>;
+    </references>
+    <dates>
+      <discovery>2023-10-27</discovery>
+      <entry>2023-10-27</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="db33e250-74f7-11ee-8290-a8a1599412c6">
     <topic>chromium -- multiple vulnerabilities</topic>
     <affects>
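Review bot: the `;` that trails the `>` on the `<body xmlns=...>`, `<blockquote cite=...>` and `<url>...</url>` lines is stray character data if it is really in the committed XML rather than an artifact of the archive's `&gt;` escaping; inside `<references>` in particular, text outside `<url>` is not permitted by the vuxml DTD, so `make -C security/vuxml validate` should be run on 2023.xml and the entry fixed if it fails. Separately, `<discovery>` is set to the same day as `<entry>` (2023-10-27, the commit date); vuxml uses `<discovery>` for the upstream disclosure date, so it should be taken from the v6.0.2 release at the cited URL rather than defaulting to the commit date. Minor: the quoted paragraphs for the ssl_history and IEEE802.11 issues lack the terminal period the other three have.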
diff --git a/security/zeek/Makefile b/security/zeek/Makefile
index c82778ba542a..4623ee6c804a 100644
--- a/security/zeek/Makefile
+++ b/security/zeek/Makefile
@@ -1,5 +1,5 @@
 PORTNAME=	zeek
-DISTVERSION=	6.0.1
+DISTVERSION=	6.0.2
 CATEGORIES=	security
 MASTER_SITES=	https://download.zeek.org/
 DISTFILES=	${DISTNAME}${EXTRACT_SUFX}
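Review bot: no PORTREVISION appears in the context shown, so nothing needs resetting with this DISTVERSION bump; the one cross-check worth doing is that the package name `pkg audit` sees for the old install (`zeek-6.0.1`) is matched by the `<name>zeek</name>` / `<lt>6.0.2</lt>` entry added to vuxml in the same commit, which holds here since PORTNAME and the vuxml `<name>` are both `zeek`.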
diff --git a/security/zeek/distinfo b/security/zeek/distinfo
index 760fbcbfb021..2f9b2eae87e8 100644
--- a/security/zeek/distinfo
+++ b/security/zeek/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1694552456
-SHA256 (zeek-6.0.1.tar.gz) = cfc329a170439195d7070ec5387d95cdda7eb6b86ac85ec707b9ed0e9d576a29
-SIZE (zeek-6.0.1.tar.gz) = 60152791
+TIMESTAMP = 1698437165
+SHA256 (zeek-6.0.2.tar.gz) = 2421989adcee6a29f48a8f7272f719edbe954d66c2e86e3a52e79cae177f887c
+SIZE (zeek-6.0.2.tar.gz) = 60175209
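Review bot: TIMESTAMP 1698437165 is 2023-10-27 20:06:05 UTC, about two hours before the CommitDate, and SHA256 and SIZE move together, which is consistent with a fresh `make makesum`; the remaining check for a security update is that 2421989a…887c matches a checksum or signature published by upstream for zeek-6.0.2.tar.gz (if one is available) rather than only what download.zeek.org served at that moment, since `make makesum` records whatever was fetched and a later `make checksum` only proves distinfo is self-consistent, not that the tarball is the one upstream released.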



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202310272226.39RMQ9jC077894>