From da99a69c5be595cf9d35a02c18c4cb1a7d297fbb Mon Sep 17 00:00:00 2001
From: Shivani Bhardwaj
Date: Wed, 14 Jun 2023 23:06:06 +0530
Subject: [PATCH] release: 7.0.0-rc2; update changelog
---
ChangeLog | 143 +++++++++++++++++++++++++++++++++++++++++++++++
configure.ac | 6 +-
requirements.txt | 2 +-
3 files changed, 147 insertions(+), 4 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 54a4dcfb60..a10240c565 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,146 @@
+7.0.0-rc2 -- 2023-06-14
+
+Feature #6099: dpdk: add support for bonding interface
+Feature #6085: detect: set explicit rule types
+Feature #5975: Add support for 'inner' PF_RING clustering modes
+Feature #5937: dpdk: Improve DPDK version checking
+Feature #5876: eve: add stream tcp logging
+Feature #5849: dpdk: add virtio-pmd support
+Feature #5822: yaml: set suricata version in generated config
+Feature #5803: github-ci: Add netmap as a Github Action
+Feature #5784: detect: allow cross buffer inspection on multi-buffer matches
+Feature #5746: http.connection - allow in server response
+Feature #5717: rfb: add frame support
+Security #6129: dcerpc: max-tx config parameter, also for UDP
+Security #6118: datasets: absolute path in rules can overwrite arbitrary files
+Security #5945: byte_math: Division by zero possible.
+Bug #6137: SNMP: version is logged from state, instead of from transaction
+Bug #6132: suricata-update: dump-sample-configs: configuration files not found
+Bug #6120: streaming-buffer: exceeds limit when downloading large file with file-store enabled
+Bug #6117: tcp regions streaming buffer: assert failed (!((region->stream_offset == sbb->offset && region->buf_offset > sbb->len))), function StreamingBufferSBBGetData
+Bug #6109: exception/policy: reject changes flow action in IDS mode
+Bug #6103: http2: cpu overconsumption in rust moving/memcpy in http2_parse_headers_blocks
+Bug #6093: flow: occasional sudden spike in flow.memuse
+Bug #6089: suricata --list-keywords does not work with debug validation
+Bug #6087: FTP bounce detection doesn't work for big-endian platforms
+Bug #6086: Decode-events of IPv6 packets are not triggered
+Bug #6066: Memory Corruption in util-streaming-buffer
+Bug #6064: dpdk: detect reload stuck if there are no packets
+Bug #6062: flow: memory leaks at shutdown
+Bug #6060: IP Datasets not supported from suricata.yaml
+Bug #6057: rust/jsonbuilder: better handling of memory allocation errors
+Bug #6054: ftp: long line discard logic should be separate for server and client
+Bug #6053: smtp: long line discard logic should be separate for server and client
+Bug #6046: runmode/unix-socket: http range memory leak
+Bug #6043: detect: multi-tenancy fails to start
+Bug #6041: ASSERT: !(sb->region.buf_offset != 0)
+Bug #6038: TCP resets have incorrect len, nh in IPv6
+Bug #6025: detect: allow bsize 0 for existing empty buffers
+Bug #6021: af-packet: reload not occurring until packets are seen
+Bug #6019: smtp: fuzz debug assertion trigger
+Bug #6008: smb: wrong offset when parse SMB_COM_WRITE_ANDX record
+Bug #6006: dpdk: query eth stats only by the first worker
+Bug #5998: exception/policy: make work with simulated flow memcap
+Bug #5989: smtp: any command post a long command gets skipped
+Bug #5981: smtp: Long DATA line post boundary is capped at 4k Bytes
+Bug #5979: rust: update sawp dependencies to avoid future compile issues
+Bug #5978: stream/reassembly: memcap exception policy incorrectly applied
+Bug #5971: libhtp: differential fuzzing with rust version: only trim spaces at headers names end
+Bug #5969: detect: reload can stall if flow housekeeping takes too long
+Bug #5968: flowworker: per packet flow housekeeping can process too many flows
+Bug #5963: dpdk: handle packets splitted in multiple segments
+Bug #5960: Postpone setting of master exception policy
+Bug #5957: bpf: postpone IPS check after IPS runmode is determined from the configuration file
+Bug #5952: http: multipart data is not filled up to request.body-limit
+Bug #5940: exception/policy: flow action doesn't fall back to packet action when there's no flow
+Bug #5936: dpdk: Release mempool only after the device closes
+Bug #5931: http2: urilen not supported
+Bug #5929: fast_pattern assignment of specific content in combination with urilen results in FN
+Bug #5927: smtp: quadratic complexity for tx iterator with linked list
+Bug #5925: dpdk: VMXNET3 fails to configure
+Bug #5924: AF_XDP compile error
+Bug #5923: dpdk: change in NUMA-determining API
+Bug #5919: flow/manager: fix unhandled division by 0 (prealloc: 0)
+Bug #5917: http: libhtp errors on multiple 100 continue response
+Bug #5909: http2: quadratic complexity when reducing dynamic headers table size
+Bug #5907: tcp: failed assertion ASSERT: !(ssn->state != TCP_SYN_SENT)
+Bug #5905: invalid bsize and distance rule being loaded by suricata
+Bug #5900: UBSAN: undefined shift in DetectByteMathDoMatch
+Bug #5885: base64_decode not populating up to an invalid character
+Bug #5883: mime: debug assertion on fuzz input
+Bug #5881: stream: overlap with different data false positive
+Bug #5877: stream: connections time out too early
+Bug #5875: stream/ips: dropping spurious retransmissions times out connections
+Bug #5867: false-positive drop event_types possible on passed packets
+Bug #5866: detect: multi-tenancy crash
+Bug #5862: netmap: packet stalls
+Bug #5856: stream: SYN/ACK timestamp checking blocks valid traffic
+Bug #5855: af-xdp: may fail to build on Linux systems with kernel older than 5.11
+Bug #5850: frames: Assertion failed: buffer initialized
+Bug #5843: tcp/stream: session reuse on tcp flows w/o sessions
+Bug #5836: output: abort triggered on no permission test
+Bug #5835: debug: segv on enabling debugging output
+Bug #5834: tcp/regions: list corruption
+Bug #5833: tcp/regions: use after free error
+Bug #5825: stream.midstream: if enabled breaks exception policy
+Bug #5823: smtp: config and built-in defaults mismatch
+Bug #5819: SMTP does not handle LF post line limit properly
+Bug #5818: time: integer comparison with different signs
+Bug #5808: http2: leak with range files
+Bug #5802: ips: txs still logged for dropped flow
+Bug #5799: detect: sigs using DETECT_SM_LIST_PMATCH can break other signatures
+Bug #5786: smb: possible evasion with trailing nbss data
+Bug #5783: smb: wrong endian conversion when parse NTLM Negotiate Flags
+Bug #5780: HTTP/2 - FN when matching on multiple http2.header contents
+Bug #5770: smb: no consistency check between NBSS length and length field for some SMB operations
+Bug #5740: content: within and distance lengths should be bounded
+Bug #5667: Enable rule profiling via socket
+Bug #5627: windows: windivert build broken
+Bug #5621: security.limit-noproc: disabled if not provided in the configuration file
+Bug #5563: stream: issue with stream debug tracking of memuse
+Bug #5541: Unexpected behavior of `endswith` in combination with negated content matches
+Bug #5526: tcp: Assertion failed: (!((last_ack_abs < left_edge && StreamTcpInlineMode() == 0 && !f->ffr && ssn->state < TCP_CLOSED)))
+Bug #5498: flowworker: Assertion in CheckWorkQueue
+Bug #5437: 'unseen' http midstream packets with TCP FIN flag set
+Bug #5320: Key collisions in HTTP JSON eve-logs
+Bug #5270: Flow hash table collision and flow state corruption between different capture interfaces
+Bug #5261: rust: reconsider bundling Cargo.lock
+Bug #5017: counters: tcp.syn, tcp.synack, tcp.rst depend on flow
+Bug #4952: scan-build: Access to field 'de_state' results in a dereference of a null pointer
+Bug #4759: TCP DNS query not found when tls filter is active
+Bug #4578: perf shows excessive time in IPOnlyMatchPacket
+Bug #4529: Not keyword matches in Kerberos requests
+Bug #3152: scan-build warning for detect sigordering
+Bug #3151: scan-build warning for detect port handling
+Bug #3150: scan-build warnings for detect address handling
+Bug #3149: scan-build warnings in radix implementation
+Bug #3148: scan-build warnings for ac implementations
+Bug #3147: scan-build warning for mime decoder
+Optimization #6100: mqtt: quadratic complexity in get_tx_by_pkt_id
+Optimization #6036: pgsql: remove unused Kerb5 auth message
+Optimization #5959: detect using uninitialized engine mode
+Optimization #5718: time: compact alternative to struct timeval
+Optimization #5544: tls keywords: increase code coverage and update documentation (if need be)
+Optimization #4378: file.data: split mpm per app_proto
+Task #5993: rust: x509-parser 0.15
+Task #5992: rust: snmp-parser 0.9.0
+Task #5991: rust: der-parser 8.2.0
+Task #5983: libhtp 0.5.44
+Task #5965: tracking: Improving DPDK capture interface and docs
+Task #5939: config: deprecate multiple "include" statements at the same level
+Task #5918: libhtp 0.5.43
+Task #5741: rust/src/rfb/* add more unittests
+Task #5628: github-ci: add windows + windivert build
+Task #5474: test: review how 7 works with config from 5 and 6
+Task #4067: http2: overload existing http keywords to support http/2
+Task #4051: Convert unittests to new FAIL/PASS API: detect-lua.c
+Documentation #5962: documentation: mention the use of http1 in rule protocol
+Documentation #5884: docs: update CentOS names according to their new conventions
+Documentation #5859: docs: add build instructions for DPDK capture interface
+Documentation #5858: docs: add list of supported NICs in DPDK mode
+Documentation #5857: docs: refactor DPDK documentation
+Documentation #5596: doc/optimization: move 'suricata.git/doc/userguide/convert.py' to Python3
+
 7.0.0-rc1 -- 2023-01-31
 
 Feature #5761: Unknown ethertype packets are not counted
diff --git a/configure.ac b/configure.ac
index c4afb2b95c..d5ea85891b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
- AC_INIT([suricata],[7.0.0-rc2-dev])
+ AC_INIT([suricata],[7.0.0-rc2])
 m4_ifndef([AM_SILENT_RULES], [m4_define([AM_SILENT_RULES],[])])AM_SILENT_RULES([yes])
 AC_CONFIG_HEADERS([src/autoconf.h])
 AC_CONFIG_SRCDIR([src/suricata.c])
@@ -1574,12 +1574,12 @@
 echo
 exit 1
 fi
- PKG_CHECK_MODULES(LIBHTPMINVERSION, [htp >= 0.5.42],[libhtp_minver_found="yes"],[libhtp_minver_found="no"])
+ PKG_CHECK_MODULES(LIBHTPMINVERSION, [htp >= 0.5.44],[libhtp_minver_found="yes"],[libhtp_minver_found="no"])
 if test "$libhtp_minver_found" = "no"; then
 PKG_CHECK_MODULES(LIBHTPDEVVERSION, [htp = 0.5.X],[libhtp_devver_found="yes"],[libhtp_devver_found="no"])
 if test "$libhtp_devver_found" = "no"; then
 echo
- echo " ERROR! libhtp was found but it is neither >= 0.5.42, nor the dev 0.5.X"
+ echo " ERROR! libhtp was found but it is neither >= 0.5.44, nor the dev 0.5.X"
 echo
 exit 1
 fi
diff --git a/requirements.txt b/requirements.txt
index 111123bc7d..7d8737bd43 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -3,5 +3,5 @@
 # Format:
 #
 # name {repo} {branch|tag}
-libhtp https://github.com/OISF/libhtp 0.5.x
+libhtp https://github.com/OISF/libhtp 0.5.44
 suricata-update https://github.com/OISF/suricata-update 1.3.0rc1