Date: Wed, 12 Apr 2023 06:21:15 GMT
Message-Id: <202304120621.33C6LFJc093877@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org
From: Craig Leres
Subject: git: 5dc2ee9224b8 - 2023Q2 - security/zeek: Update to 5.0.8
List-Id: Commits to the quarterly branches of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-branches

The branch 2023Q2 has been updated by leres:

URL: https://cgit.FreeBSD.org/ports/commit/?id=5dc2ee9224b8a4f7ce7f49f67d34a43a2a4044a0

commit 5dc2ee9224b8a4f7ce7f49f67d34a43a2a4044a0
Author:     Craig Leres
AuthorDate: 2023-04-12 06:18:39 +0000
Commit:     Craig Leres
CommitDate: 2023-04-12 06:21:00 +0000

    security/zeek: Update to 5.0.8

    https://github.com/zeek/zeek/releases/tag/v5.0.8

    This release fixes the following potential DoS vulnerabilities:

     - A specially-crafted stream of FTP packets containing a command
       reply with many intermediate lines can cause Zeek to spend a
       large amount of time processing data.

     - A specially-crafted set of packets containing extremely large
       file offsets can cause the reassembler code to allocate large
       amounts of memory.

     - The DNS manager does not correctly expire responses that don't
       contain any data, such as those containing NXDOMAIN or NODATA
       status codes. This can lead to Zeek allocating large amounts
       of memory for these responses and never deallocating them.

     - A specially-crafted stream of RDP packets can cause Zeek to
       spend large protocol validation.

     - A specially-crafted stream of SMTP packets can cause Zeek to
       spend large amounts of time processing data.

    This release fixes the following bugs:

     - Data stores used by the known-{hosts,certs,services} policies
       now default to using local stores instead of Broker stores.

     - The VXLAN and Geneve report analyzer confirmations once their
       protocols have been fully parsed, but before attempting to
       forward to the tunneled packets to other analyzers.

     - New weirds were added to the AYIYA, Geneve, and VXLAN analyzers
       (ayiya_empty_packet, geneve_empty_packet, and
       vxlan_empty_packet).

     - A new script-level option Pcap::non_fd_timeout was added to
       allow fine-tuning the amount of time to sleep on each IO loop
       when using a packet source that doesn't provide a file
       descriptor (e.g. Myricom).

     - Avoid attempting to retrieve packets during every loop for a
       packet source, instead switching to a predictive approach that
       keeps track of whether or not that packet source has previously
       seen traffic.

    Reported by:    Tim Wojtulewicz
    Security:       96d6809a-81df-46d4-87ed-2f78c79f06b1

    (cherry picked from commit 7705f7bbc42db52bc8bb6686738580b89b49f347)
--- security/zeek/Makefile | 2 +- security/zeek/distinfo | 6 +++--- security/zeek/pkg-plist | 1 + 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/security/zeek/Makefile b/security/zeek/Makefile index bd19db02f84e..c574c4be6b51 100644 --- a/security/zeek/Makefile +++ b/security/zeek/Makefile @@ -1,5 +1,5 @@ PORTNAME= zeek -DISTVERSION= 5.0.7 +DISTVERSION= 5.0.8 CATEGORIES= security MASTER_SITES= https://download.zeek.org/ DISTFILES= ${DISTNAME}${EXTRACT_SUFX} diff --git a/security/zeek/distinfo b/security/zeek/distinfo index e7a1a8a92fc2..a0457e156766 100644 --- a/security/zeek/distinfo +++ b/security/zeek/distinfo
@@ -1,5 +1,5 @@ -TIMESTAMP = 1677013835 -SHA256 (zeek-5.0.7.tar.gz) = dbb9788260269c5a75eb5d18fd9ad0df1f06f00757cdde9d86994b35428b5776 -SIZE (zeek-5.0.7.tar.gz) = 42798267 +TIMESTAMP = 1681277857 +SHA256 (zeek-5.0.8.tar.gz) = 82fd72c7078fbdb4c025569a6e31fa7f8b9876ca37aab8ac24db92b0c589d2bf +SIZE (zeek-5.0.8.tar.gz) = 42896663 SHA256 (zeek-zeek-netmap-v2.0.0_GH0.tar.gz) = d37a69babfbb62a51a2413d6b83ae792ce1e7f1ccb1d51bd6b209a10fe5c4d75 SIZE (zeek-zeek-netmap-v2.0.0_GH0.tar.gz) = 9100 diff --git a/security/zeek/pkg-plist b/security/zeek/pkg-plist index 687552ce21bc..bfae01ab3d1e 100644 --- a/security/zeek/pkg-plist +++ b/security/zeek/pkg-plist @@ -1288,6 +1288,7 @@ lib/zeek/python/broker/zeek.py %%ZEEKCTL%%lib/zeek/python/zeekctl/plugins/lb_myricom.py %%ZEEKCTL%%lib/zeek/python/zeekctl/plugins/lb_pf_ring.py %%ZEEKCTL%%lib/zeek/python/zeekctl/plugins/ps.py +%%ZEEKCTL%%lib/zeek/python/zeekctl/plugins/zeek_port_warning.py %%ZEEKCTL%%man/man1/trace-summary.1.gz man/man1/zeek-cut.1.gz man/man8/zeek.8.gz
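
Review bot: In the security/zeek/distinfo hunk, the new "SHA256 (zeek-5.0.8.tar.gz)" and "SIZE (zeek-5.0.8.tar.gz)" values are the only integrity pin for the tarball fetched from the MASTER_SITES shown in the Makefile hunk (https://download.zeek.org/), and the commit message does not say what they were checked against. Suggest recording in the message that the digest was compared with an independently obtained copy of the release, for example from the GitHub release page the message already links, so the pin reflects more than whatever the first fetch returned.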
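
Review bot: In the security/zeek/pkg-plist hunk, the added "%%ZEEKCTL%%lib/zeek/python/zeekctl/plugins/zeek_port_warning.py" entry is not accounted for in the commit message, whose list of bug fixes never mentions a new zeekctl plugin. Suggest adding one line to the message saying that 5.0.8 installs this file, so someone auditing the quarterly branch can tell the plist change follows from the upstream tarball and is not a local addition.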