Date: Wed, 22 Sep 2021 22:10:55 GMT From: Craig Leres <leres@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 1d63728bf1f6 - main - security/vuxml: Mark zeek < 4.0.4 as vulnerable as per: Message-ID: <202109222210.18MMAt1j041355@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by leres: URL: https://cgit.FreeBSD.org/ports/commit/?id=1d63728bf1f6d2710841f5d6bee89a7905fbc7a8 commit 1d63728bf1f6d2710841f5d6bee89a7905fbc7a8 Author: Craig Leres <leres@FreeBSD.org> AuthorDate: 2021-09-22 22:09:30 +0000 Commit: Craig Leres <leres@FreeBSD.org> CommitDate: 2021-09-22 22:09:30 +0000 security/vuxml: Mark zeek < 4.0.4 as vulnerable as per: https://github.com/zeek/zeek/releases/tag/v4.0.4 - Paths from log stream make it into system() unchecked, potentially leading to commands being run on the system unintentionally. This requires either bad scripting or a malicious package to be installed, and is considered low severity. - Fix potential unbounded state growth in the PIA analyzer when receiving a connection with either a large number of zero-length packets, or one which continues ack-ing unseen segments. It is possible to run Zeek out of memory in these instances and cause it to crash. Due to the possibility of this happening with packets received from the network, this is a potential DoS vulnerability. --- security/vuxml/vuln-2021.xml | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml index f36c9d6900f2..b79e50b7a119 100644 --- a/security/vuxml/vuln-2021.xml +++ b/security/vuxml/vuln-2021.xml @@ -1,3 +1,40 @@ + <vuln vid="d4d21998-bdc4-4a09-9849-2898d9b41459"> + <topic>zeek -- several vulnerabilities</topic> + <affects> + <package> + <name></name> + <range><lt>4.0.4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Tim Wojtulewicz of Corelight reports:</p> + <blockquote cite="https://github.com/zeek/zeek/releases/tag/v4.0.4">; + <p> Paths from log stream make it into system() unchecked, + potentially leading to commands being run on the system + unintentionally. This requires either bad scripting or a + malicious package to be installed, and is considered low + severity. </p> + <p> Fix potential unbounded state growth in the PIA + analyzer when receiving a connection with either a large + number of zero-length packets, or one which continues + ack-ing unseen segments. It is possible to run Zeek out + of memory in these instances and cause it to crash. Due + to the possibility of this happening with packets received + from the network, this is a potential DoS vulnerability. + </p> + </blockquote> + </body> + </description> + <references> + <url>https://github.com/zeek/zeek/releases/tag/v4.0.4</url>; + </references> + <dates> + <discovery>2021-08-26</discovery> + <entry>2021-09-22</entry> + </dates> + </vuln> + <vuln vid="7bba5b3b-1b7f-11ec-b335-d4c9ef517024"> <topic>mod_auth_mellon -- Redirect URL validation bypass</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202109222210.18MMAt1j041355>