From owner-dev-commits-ports-main@freebsd.org Wed Sep 22 22:10:56 2021 Return-Path: Delivered-To: dev-commits-ports-main@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 14FE5672DE6; Wed, 22 Sep 2021 22:10:56 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4HFCDH71GVz3hkN; Wed, 22 Sep 2021 22:10:55 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id C7C061F4B9; Wed, 22 Sep 2021 22:10:55 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 18MMAtpp041356; Wed, 22 Sep 2021 22:10:55 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 18MMAt1j041355; Wed, 22 Sep 2021 22:10:55 GMT (envelope-from git) Date: Wed, 22 Sep 2021 22:10:55 GMT Message-Id: <202109222210.18MMAt1j041355@gitrepo.freebsd.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org From: Craig Leres Subject: git: 1d63728bf1f6 - main - security/vuxml: Mark zeek < 4.0.4 as vulnerable as per: MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: leres X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 1d63728bf1f6d2710841f5d6bee89a7905fbc7a8 Auto-Submitted: auto-generated X-BeenThere: dev-commits-ports-main@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commits to the main branch of the FreeBSD ports repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 22 Sep 2021 22:10:56 -0000 The branch main has been updated by leres: URL: https://cgit.FreeBSD.org/ports/commit/?id=1d63728bf1f6d2710841f5d6bee89a7905fbc7a8 commit 1d63728bf1f6d2710841f5d6bee89a7905fbc7a8 Author: Craig Leres AuthorDate: 2021-09-22 22:09:30 +0000 Commit: Craig Leres CommitDate: 2021-09-22 22:09:30 +0000 security/vuxml: Mark zeek < 4.0.4 as vulnerable as per: https://github.com/zeek/zeek/releases/tag/v4.0.4 - Paths from log stream make it into system() unchecked, potentially leading to commands being run on the system unintentionally. This requires either bad scripting or a malicious package to be installed, and is considered low severity. - Fix potential unbounded state growth in the PIA analyzer when receiving a connection with either a large number of zero-length packets, or one which continues ack-ing unseen segments. It is possible to run Zeek out of memory in these instances and cause it to crash. Due to the possibility of this happening with packets received from the network, this is a potential DoS vulnerability. --- security/vuxml/vuln-2021.xml | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml index f36c9d6900f2..b79e50b7a119 100644 --- a/security/vuxml/vuln-2021.xml +++ b/security/vuxml/vuln-2021.xml @@ -1,3 +1,40 @@ + + zeek -- several vulnerabilities + + + + 4.0.4 + + + + +

Tim Wojtulewicz of Corelight reports:

+
+

Paths from log stream make it into system() unchecked, + potentially leading to commands being run on the system + unintentionally. This requires either bad scripting or a + malicious package to be installed, and is considered low + severity.

+

Fix potential unbounded state growth in the PIA + analyzer when receiving a connection with either a large + number of zero-length packets, or one which continues + ack-ing unseen segments. It is possible to run Zeek out + of memory in these instances and cause it to crash. Due + to the possibility of this happening with packets received + from the network, this is a potential DoS vulnerability. +

+
+ +
+ + https://github.com/zeek/zeek/releases/tag/v4.0.4 + + + 2021-08-26 + 2021-09-22 + +
+ mod_auth_mellon -- Redirect URL validation bypass