Date: Fri, 27 Oct 2023 22:26:09 GMT
From: Craig Leres <leres@FreeBSD.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject: git: f85e384228a2 - main - security/vuxml: Mark zeek < 6.0.2 as vulnerable as per:
Message-ID: <202310272226.39RMQ9jC077894@gitrepo.freebsd.org>
The branch main has been updated by leres:

URL: https://cgit.FreeBSD.org/ports/commit/?id=f85e384228a28b33a3bd9c076a2ad4d1f22d021d

commit f85e384228a28b33a3bd9c076a2ad4d1f22d021d
Author: Craig Leres <leres@FreeBSD.org>
AuthorDate: 2023-10-27 22:25:39 +0000
Commit: Craig Leres <leres@FreeBSD.org>
CommitDate: 2023-10-27 22:25:39 +0000

    security/vuxml: Mark zeek < 6.0.2 as vulnerable as per:
    https://github.com/zeek/zeek/releases/tag/v6.0.2

    This release fixes the following potential DoS vulnerabilities:

    - A specially-crafted SSL packet could cause Zeek to leak memory and
      potentially crash.
    - A specially-crafted series of FTP packets could cause Zeek to log
      entries for requests that have already been completed, using
      resources unnecessarily and potentially causing Zeek to lose other
      traffic.
    - A specially-crafted series of SSL packets could cause Zeek to output
      a very large number of unnecessary alerts for the same record.
    - A specially-crafted series of SSL packets could cause Zeek to
      generate very long ssl_history fields in the ssl.log, potentially
      using a large amount of memory due to unbounded state growth
    - A specially-crafted IEEE802.11 packet could cause Zeek to overflow
      memory and potentially crash

    Reported by: Tim Wojtulewicz
---
 security/vuxml/vuln/2023.xml | 39 +++++++++++++++++++++++++++++++++++++++
 security/zeek/Makefile       |  2 +-
 security/zeek/distinfo       |  6 +++---
 3 files changed, 43 insertions(+), 4 deletions(-)

diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml index c619e019378f..7f47de9a2486 100644 --- a/security/vuxml/vuln/2023.xml +++ b/security/vuxml/vuln/2023.xml 
@@ -1,3 +1,42 @@ + <vuln vid="386a14bb-1a21-41c6-a2cf-08d79213379b"> + <topic>zeek -- potential DoS vulnerabilities</topic> + <affects> + <package> + <name>zeek</name> + <range><lt>6.0.2</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Tim Wojtulewicz of Corelight reports:</p> + <blockquote cite="https://github.com/zeek/zeek/releases/tag/v6.0.2"> + <p> A specially-crafted SSL packet could cause Zeek to + leak memory and potentially crash. </p> + <p> A specially-crafted series of FTP packets could cause + Zeek to log entries for requests that have already been + completed, using resources unnecessarily and potentially + causing Zeek to lose other traffic. </p> + <p> A specially-crafted series of SSL packets could cause + Zeek to output a very large number of unnecessary alerts + for the same record. </p> + <p> A specially-crafted series of SSL packets could cause + Zeek to generate very long ssl_history fields in the + ssl.log, potentially using a large amount of memory due + to unbounded state growth </p> + <p> A specially-crafted IEEE802.11 packet could cause + Zeek to overflow memory and potentially crash </p> + </blockquote> + </body> + </description> + <references> + <url>https://github.com/zeek/zeek/releases/tag/v6.0.2</url> + </references> + <dates> + <discovery>2023-10-27</discovery> + <entry>2023-10-27</entry> + </dates> + </vuln> + <vuln vid="db33e250-74f7-11ee-8290-a8a1599412c6"> <topic>chromium -- multiple vulnerabilities</topic> <affects> diff --git a/security/zeek/Makefile b/security/zeek/Makefile index c82778ba542a..4623ee6c804a 100644 --- a/security/zeek/Makefile +++ b/security/zeek/Makefile @@ -1,5 +1,5 @@ PORTNAME= zeek -DISTVERSION= 6.0.1 +DISTVERSION= 6.0.2 CATEGORIES= security MASTER_SITES= https://download.zeek.org/ DISTFILES= ${DISTNAME}${EXTRACT_SUFX} diff --git a/security/zeek/distinfo b/security/zeek/distinfo index 760fbcbfb021..2f9b2eae87e8 100644 --- a/security/zeek/distinfo 
+++ b/security/zeek/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1694552456 -SHA256 (zeek-6.0.1.tar.gz) = cfc329a170439195d7070ec5387d95cdda7eb6b86ac85ec707b9ed0e9d576a29 -SIZE (zeek-6.0.1.tar.gz) = 60152791 +TIMESTAMP = 1698437165 +SHA256 (zeek-6.0.2.tar.gz) = 2421989adcee6a29f48a8f7272f719edbe954d66c2e86e3a52e79cae177f887c +SIZE (zeek-6.0.2.tar.gz) = 60175209
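Review bot: in the security/vuxml/vuln/2023.xml hunk the quoted paragraphs carry stray padding inside the tags (`<p> A specially-crafted SSL packet could cause Zeek to` ... `leak memory and potentially crash. </p>`) and the last two paragraphs end without a period (`to unbounded state growth </p>`, `Zeek to overflow memory and potentially crash </p>`); trim the padding and either keep the release-note wording verbatim or terminate all five sentences consistently. The entry's `<references>` block lists only the v6.0.2 release tag and no CVE identifiers, which matches the commit message; if identifiers are assigned for these issues later, the entry will need a follow-up to add them.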
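Review bot: the commit subject undersells the security/zeek/Makefile hunk: the subject names only security/vuxml, yet this hunk moves `DISTVERSION= 6.0.1` to `DISTVERSION= 6.0.2` and the diffstat shows security/zeek/distinfo changing as well, so the subject or body should state plainly that the port itself is updated to 6.0.2 so the port update is discoverable in the log.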
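Review bot: nothing in the commit records how the regenerated values in the security/zeek/distinfo hunk (`SHA256 (zeek-6.0.2.tar.gz) = 2421989adcee6a29f48a8f7272f719edbe954d66c2e86e3a52e79cae177f887c`, `SIZE (zeek-6.0.2.tar.gz) = 60175209`) were checked; since this tarball is the fix for the DoS issues in the message, confirm the new SHA256 against a fresh fetch from the MASTER_SITES shown in the Makefile hunk (https://download.zeek.org/) or against a checksum published with the v6.0.2 release before relying on it. The TIMESTAMP moving from 1694552456 to 1698437165 and the size growing from 60152791 to 60175209 are consistent with a patch release.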