Update CHANGES, VERSION, and NEWS for 6.0.8 release

2025-10-02 06:38:20 +00:00 · 2024-10-04 14:50:18 -07:00 · 2024-10-04 14:50:18 -07:00 · 32214ef983
commit 32214ef983
parent 49acb2a030
3 changed files with 17 additions and 1 deletions
--- a/4
+++ b/4
@ -1,3 +1,7 @@
+6.0.8 | 2024-10-04 14:50:18 -0700
+
+  * Update CHANGES, VERSION, and NEWS for 6.0.8 release (Christian Kreibich, Corelight)
+
 6.0.7-1 | 2024-10-04 10:49:29 -0700

  * Merge remote-tracking branch 'security/topic/awelzel/215-pop3-mail-null-deref' (Christian Kreibich, Corelight)
--- a/12
+++ b/12
@ -3,6 +3,18 @@ This document summarizes the most important changes in the current Zeek
 release. For an exhaustive list of changes, see the ``CHANGES`` file
 (note that submodules, such as Broker, come with their own ``CHANGES``.)

+Zeek 6.0.8
+==========
+
+This release fixes the following security issue:
+
+- Adding to the POP3 hardening in 6.0.7, the parser now simply discards too many
+  pending commands, rather than any attempting to process them. Further, invalid
+  server responses do not result in command completion anymore.  Processing
+  out-of-order commands or finishing commands based on invalid server responses
+  could result in inconsistent analyzer state, potentially triggering null
+  pointer references for crafted traffic.
+
 Zeek 6.0.7
 ==========

--- a/2
+++ b/2
@ -1 +1 @@
-6.0.7-1
+6.0.8
 @ -1 +1 @@
 .0.7-1
 .0.8