mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 06:38:20 +00:00
Update CHANGES, VERSION, and NEWS for 6.0.1 release
parent
f0bf803dd2
commit
850723400e
3 changed files with 89 additions and 1 deletions
46
CHANGES
|
@ -1,3 +1,49 @@
|
|||
6.0.0-30 | 2023-09-12 09:52:31 -0700
|
||||
|
||||
* Update dump_events test baseline after fseek changes (Tim Wojtulewicz, Corelight)
|
||||
|
||||
* Add extract_limit_includes_missing option for file extraction (Johanna Amann, Corelight)
|
||||
|
||||
Setting this option to false does not count missing bytes in files towards the
|
||||
extraction limits, and allows to extract data up to the desired limit,
|
||||
even when partial files are written.
|
||||
|
||||
When missing bytes are encountered, files are now written as sparse
|
||||
files.
|
||||
|
||||
Using this option requires the underlying storage and utilities to support
|
||||
sparse files.
|
||||
|
||||
* File extraction: use fseek (Johanna Amann, Corelight)
|
||||
|
||||
In the past, we allocated a buffer with zeroes and wrote that with
|
||||
fwrite. Now, instead we just fseek to the correct offset.
|
||||
|
||||
This changes the way in which the file extract limit is counted a bit;
|
||||
skipped bytes do no longer count against the file size limit.
|
||||
|
||||
* ftp: Do not log non-pending commands (Arne Welzel, Corelight)
|
||||
|
||||
OSS Fuzz generated a CWD request and reply followed by very many EPRT
|
||||
requests. This caused Zeek to re-log the CWD request and invoke `build_url_ftp()`
|
||||
over and over again resulting in long processing times.
|
||||
|
||||
Avoid this scenario by not logging commands that aren't pending anymore.
|
||||
|
||||
* http/smtp: Fix wrong character class usage (Arne Welzel, Corelight)
|
||||
|
||||
A call to `extract_filename_from_content_disposition()` is only
|
||||
efficient if the string is guaranteed to contain the pattern that
|
||||
is removed by `sub()`. Due to missing brackets around the `[:blank:]`
|
||||
character class, an overly long string (756kb) ending in
|
||||
"Type:dtanameaa=" matched the wrong pattern causing `sub()` to
|
||||
exhibit quadratic runtime. Besides that, we may have potentially
|
||||
extracted wrong information from a crafted header value.
|
||||
|
||||
* Make sure that all sessions/connections are done before deleting plugins (Tim Wojtulewicz, Corelight)
|
||||
|
||||
* VLAN: Fix length checking for non-Ethernet type 2 frames (Tim Wojtulewicz, Corelight)
|
||||
|
||||
6.0.0-20 | 2023-09-07 18:31:19 -0700
|
||||
|
||||
* GH-3278: spicy: Do not register port N+1 for port N in .evt file (Arne Welzel, Corelight)
|
||||
|
|
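Review bot: In the 6.0.0-30 block, the two file-extraction entries read as contradictory. "File extraction: use fseek" says skipped bytes "do no longer count against the file size limit", while the extract_limit_includes_missing entry implies missing bytes do count unless the option is set to false. Suggest stating in one of the entries which behaviour is the default once both changes are applied, and fixing "do no longer count" to "no longer count" and "allows to extract" to "allows extracting" in the same pass.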
42
NEWS
|
@ -8,6 +8,40 @@ Zeek 6.0.1
|
|||
|
||||
This release fixes the following security issues:
|
||||
|
||||
- File extraction limits were not correctly enforced for files containing large
|
||||
amounts of missing bytes. Crafting files with large amounts of missing bytes
|
||||
in them could cause Zeek to spend a long time processing data, allocate a lot
|
||||
of main memory, and write a lot of data to disk. Due to the possibility of
|
||||
receiving these packets from remote hosts, this is a DoS risk. The fix
|
||||
included makes Zeek correctly enforce file size limits. We also added a new
|
||||
option (default_limit_includes_missing) which allows to customize the behavior
|
||||
when encountering large amounts of missed bytes in file. This issue was
|
||||
discovered by Luca Cigarini.
|
||||
|
||||
- Sessions are sometimes not cleaned up completely within Zeek during shutdown,
|
||||
potentially causing a crash when using the -B dpd flag for debug logging. This
|
||||
is low priority because it only happens at shutdown and only when using that
|
||||
flag. The fix included is to reorder shutdown to cleanup all the sessions
|
||||
prior to tearing down the analyzers.
|
||||
|
||||
- A specially-crafted HTTP packet can cause Zeek’s filename extraction code to
|
||||
take a long time to process the data. Due to the possibility of receiving
|
||||
these packets from remote hosts, this is a DoS risk. The fix included adjusts
|
||||
the regular expression used in the extract_filename_from_content_disposition()
|
||||
script function to more-correctly match the data.
|
||||
|
||||
- A specially-crafted series of FTP packets made up of a CWD request followed by
|
||||
a large amount of ERPT requests may cause Zeek to spend a long time logging
|
||||
the commands. Due to the possibility of receiving these packets from remote
|
||||
hosts, this is a DoS risk. The fix included is to prevent logging of pending
|
||||
commands for FTP packets.
|
||||
|
||||
- A specially-crafted VLAN packet can cause Zeek to overflow memory and
|
||||
potentially crash. Due to the possibility of receiving these packets from
|
||||
remote hosts, this is a DoS risk. The fix included is to add some additional
|
||||
length checking to the VLAN analyzer. This patch does not affect the 5.0
|
||||
baseline.
|
||||
|
||||
This release fixes the following bugs:
|
||||
|
||||
- Fixed a base64 decoding issue with the authorization field of HTTP request
|
||||
|
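Review bot: The FTP item in the security list misspells the command as "ERPT" (the CHANGES entry in this same commit has "EPRT") and describes the fix as "to prevent logging of pending commands", which is the inverse of the CHANGES wording "not logging commands that aren't pending anymore". Suggest "a large amount of EPRT requests" and "to prevent logging of commands that are no longer pending". The file-extraction item also names the new option default_limit_includes_missing where CHANGES calls it extract_limit_includes_missing; please confirm which name users are expected to set and state its default value here.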
@ -48,6 +82,14 @@ This release fixes the following bugs:
|
|||
- Spicy no longer registers an extra port for every port registered in a
|
||||
plugin's .evt file.
|
||||
|
||||
- Timeouts in DNS resolution no longer cause uncontrolled memory growth.
|
||||
|
||||
- Fix check to skip DNS hostname lookups for notices that are not delivered via
|
||||
email in ``policy/frameworks/notice/extend-email/hostnames``. Due to that
|
||||
policy script being loaded in the Zeek's default ``local.zeek``, this
|
||||
previously caused unneeded DNS lookups for every generated notice instead of
|
||||
just those delivered via email.
|
||||
|
||||
Zeek 6.0.0
|
||||
==========
|
||||
|
||||
|
|
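Review bot: In the notice/extend-email/hostnames item, "loaded in the Zeek's default ``local.zeek``" has a stray article, and "Fix check to skip ..." is imperative where the neighbouring bullets are descriptive ("Spicy no longer registers ...", "Timeouts in DNS resolution no longer cause ..."). Suggest "Fixed the check that skips DNS hostname lookups ..." and "loaded in Zeek's default ``local.zeek``".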
2
VERSION
|
@ -1 +1 @@
|
|||
6.0.0-20
|
||||
6.0.0-30
|
||||
|
|
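Review bot: VERSION moves from 6.0.0-20 to 6.0.0-30, while the commit subject and the NEWS heading both say 6.0.1. If a later tagging step is what sets 6.0.1, note that in the commit message; otherwise this line should read 6.0.1.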