Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-12 03:28:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Update CHANGES, VERSION, and NEWS for 6.0.1 release

Browse source
This commit is contained in:
Tim Wojtulewicz 2023-09-12 09:52:31 -07:00
parent f0bf803dd2
commit 850723400e
3 changed files with 89 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

46
CHANGES
View file

@ -1,3 +1,49 @@
6.0.0-30 | 2023-09-12 09:52:31 -0700
* Update dump_events test baseline after fseek changes (Tim Wojtulewicz, Corelight)
* Add extract_limit_includes_missing option for file extraction (Johanna Amann, Corelight)
Setting this option to false does not count missing bytes in files towards the
extraction limits, and allows to extract data up to the desired limit,
even when partial files are written.
When missing bytes are encountered, files are now written as sparse
files.
Using this option requires the underlying storage and utilities to support
sparse files.
* File extraction: use fseek (Johanna Amann, Corelight)
In the past, we allocated a buffer with zeroes and wrote that with
fwrite. Now, instead we just fseek to the correct offset.
This changes the way in which the file extract limit is counted a bit;
skipped bytes do no longer count against the file size limit.
* ftp: Do not log non-pending commands (Arne Welzel, Corelight)
OSS Fuzz generated a CWD request and reply followed by very many EPRT
requests. This caused Zeek to re-log the CWD request and invoke `build_url_ftp()`
over and over again resulting in long processing times.
Avoid this scenario by not logging commands that aren't pending anymore.
* http/smtp: Fix wrong character class usage (Arne Welzel, Corelight)
A call to `extract_filename_from_content_disposition()` is only
efficient if the string is guaranteed to contain the pattern that
is removed by `sub()`. Due to missing brackets around the `[:blank:]`
character class, an overly long string (756kb) ending in
"Type:dtanameaa=" matched the wrong pattern causing `sub()` to
exhibit quadratic runtime. Besides that, we may have potentially
extracted wrong information from a crafted header value.
* Make sure that all sessions/connections are done before deleting plugins (Tim Wojtulewicz, Corelight)
* VLAN: Fix length checking for non-Ethernet type 2 frames (Tim Wojtulewicz, Corelight)
6.0.0-20 | 2023-09-07 18:31:19 -0700 6.0.0-20 | 2023-09-07 18:31:19 -0700
* GH-3278: spicy: Do not register port N+1 for port N in .evt file (Arne Welzel, Corelight) * GH-3278: spicy: Do not register port N+1 for port N in .evt file (Arne Welzel, Corelight)

42
NEWS
View file

@ -8,6 +8,40 @@ Zeek 6.0.1
This release fixes the following security issues: This release fixes the following security issues:
- File extraction limits were not correctly enforced for files containing large
amounts of missing bytes. Crafting files with large amounts of missing bytes
in them could cause Zeek to spend a long time processing data, allocate a lot
of main memory, and write a lot of data to disk. Due to the possibility of
receiving these packets from remote hosts, this is a DoS risk. The fix
included makes Zeek correctly enforce file size limits. We also added a new
option (default_limit_includes_missing) which allows to customize the behavior
when encountering large amounts of missed bytes in file. This issue was
discovered by Luca Cigarini.
- Sessions are sometimes not cleaned up completely within Zeek during shutdown,
potentially causing a crash when using the -B dpd flag for debug logging. This
is low priority because it only happens at shutdown and only when using that
flag. The fix included is to reorder shutdown to cleanup all the sessions
prior to tearing down the analyzers.
- A specially-crafted HTTP packet can cause Zeeks filename extraction code to
take a long time to process the data. Due to the possibility of receiving
these packets from remote hosts, this is a DoS risk. The fix included adjusts
the regular expression used in the extract_filename_from_content_disposition()
script function to more-correctly match the data.
- A specially-crafted series of FTP packets made up of a CWD request followed by
a large amount of ERPT requests may cause Zeek to spend a long time logging
the commands. Due to the possibility of receiving these packets from remote
hosts, this is a DoS risk. The fix included is to prevent logging of pending
commands for FTP packets.
- A specially-crafted VLAN packet can cause Zeek to overflow memory and
potentially crash. Due to the possibility of receiving these packets from
remote hosts, this is a DoS risk. The fix included is to add some additional
length checking to the VLAN analyzer. This patch does not affect the 5.0
baseline.
This release fixes the following bugs: This release fixes the following bugs:
- Fixed a base64 decoding issue with the authorization field of HTTP request - Fixed a base64 decoding issue with the authorization field of HTTP request
@ -48,6 +82,14 @@ This release fixes the following bugs:
- Spicy no longer registers an extra port for every port registered in a - Spicy no longer registers an extra port for every port registered in a
plugin's .evt file. plugin's .evt file.
- Timeouts in DNS resolution no longer cause uncontrolled memory growth.
- Fix check to skip DNS hostname lookups for notices that are not delivered via
email in ``policy/frameworks/notice/extend-email/hostnames``. Due to that
policy script being loaded in the Zeek's default ``local.zeek``, this
previously caused unneeded DNS lookups for every generated notice instead of
just those delivered via email.
Zeek 6.0.0 Zeek 6.0.0
========== ==========

2
VERSION
View file

@ -1 +1 @@
6.0.0-20 6.0.0-30