From dbaa9bf33d26be80f820e73a550a25d4be2740a7 Mon Sep 17 00:00:00 2001 From: Tim Wojtulewicz Date: Fri, 27 Oct 2023 11:37:13 -0700 Subject: [PATCH] Update CHANGES, VERSION, and NEWS for 6.0.2 release --- CHANGES | 2 +- NEWS | 63 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ VERSION | 2 +- 3 files changed, 65 insertions(+), 2 deletions(-) diff --git a/CHANGES b/CHANGES index 9cc3e0274a..dfb3390ef4 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,4 @@ -6.0.1-27 | 2023-10-27 10:52:58 -0700 +6.0.2 | 2023-10-27 11:37:13 -0700 * ftp: Do not base seq on number of pending commands (Arne Welzel, Corelight) diff --git a/NEWS b/NEWS index efa835215f..5f2723d86e 100644 --- a/NEWS +++ b/NEWS 
@@ -3,6 +3,69 @@ This document summarizes the most important changes in the current Zeek release. For an exhaustive list of changes, see the ``CHANGES`` file (note that submodules, such as Broker, come with their own ``CHANGES``.) +Zeek 6.0.2 +========== + +This release fixes the following security issues: + +- A specially-crafted SSL packet could cause Zeek to leak memory and potentially + crash. Due to the possibility of receiving these packets from remote hosts, + this is a DoS risk. The fix included adds additional memory cleanup to the + x509 file analyzer. + +- A specially-crafted series of FTP packets could cause Zeek to log entries for + requests that have already been completed, using resources unnecessarily and + potentially causing Zeek to lose other traffic. Due to the possibility of + receiving these packets from remote hosts, this is a DoS risk. The fix + included changes the way that we track the pending FTP commands, avoiding + possibly reusing the same value for subsequent commands. + +- A specially-crafted series of SSL packets could cause Zeek to output a very + large number of unnecessary alerts for the same record. Due to the possibility + of receiving these packets from remote hosts, this is a DoS risk. The fix + included adds a new option SSL::max_alerts_per_record that caps the number of + alerts that can be generated for an SSL record. For TLS 1.3 this is capped at + 1 as defined in RFC 8446. For non-TLS 1.3 it is a configurable value. A + SSL_excessive_alerts_in_record weird will be raised if the cap is exceeded. + +- A specially-crafted series of SSL packets could cause Zeek to generate very + long ssl_history fields in the ssl.log, potentially using a large amount of + memory due to unbounded state growth. Due to the possibility of receiving + these packets from remote hosts, this is a DoS risk. The fix included adds a + new option SSL::max_ssl_history_length that caps this to 100 characters by + default. 
A SSL_max_ssl_history_length_reached weird will be raised if the cap + is exceeded. + +- A specially-crafted IEEE802.11 packet could cause Zeek to overflow memory and + potentially crash. Due to the possibility of receiving these packets from + remote hosts, this is a DoS risk. The fix included adds additional bounds + checking to the IEEE802.11 packet analyzer. + +This release fixes the following bugs: + +- Fixed Spicy type names from causing collisions with existing Zeek types. + +- On some systems with low values for the maximum number of file descriptors, it + was possible to run into crashes when doing DNS lookups if all of the file + descriptors were used. This is now avoided with better checking for the number + of available file descriptors before trying a lookup. Thank you to Zeek Slack + user h-mikami for reporting this issue. + +- Tables backed by a Broker backend now correctly support deletion if they have + complex index types. Zeek previously reported an error when trying to delete + elements from these tables. + +- A significant performance issue with Zeek's supervisor code was fixed, + revolving around the re-initialization of the Event Manager object used to + track events. Thank you to Jan Grashoefer for reporting this issue. + +- The MaxMind DB code now cleans up after itself, resolving a memory leak with + the loaded database files. + +- The ZeekJS submodule was updated to version 0.9.6, bringing fixes for + zeek.invoke and zeek.event crashes, garbage collection, and an issue where + Zeek may stop executing events from ZeekJS. + Zeek 6.0.1 ========== diff --git a/VERSION b/VERSION index 20f3e5597d..9b9a244206 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -6.0.1-27 +6.0.2
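Review bot: In the NEWS hunk, the SSL::max_alerts_per_record entry says "For non-TLS 1.3 it is a configurable value" but never gives the default, while the SSL::max_ssl_history_length entry that follows states its cap of 100 characters. Operators reading the release notes need that number to judge whether the default suits their traffic or needs tuning, so state it in the same sentence. The new option and weird names (SSL::max_alerts_per_record, SSL_excessive_alerts_in_record, SSL::max_ssl_history_length, SSL_max_ssl_history_length_reached) are also written as bare text, whereas the context line at the top of the hunk marks ``CHANGES`` as a literal; wrapping them in double backticks would keep the file consistent. As a smaller wording point, "Fixed Spicy type names from causing collisions" would read better as "Fixed Spicy type names causing collisions with existing Zeek types", and "A SSL_..." should be "An SSL_...".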