Debian Patches
Status for suricata/1:6.0.1-3+deb11u1
Patch | Description | Author | Forwarded | Bugs | Origin | Last update
---|---|---|---|---|---|---
avoid-to-include-if_tunnel-h.patch | [PATCH] ebpf: avoid to include if_tunnel.h. This is causing a dependency issue, as files from another architecture have to be installed. | Eric Leblond <eric@regit.org> | no | | | 2019-10-31
configure-clang-variable.patch | configure: Introduce CLANG variable | Hilko Bengen <bengen@debian.org> | no | | | 2019-01-22
cross.patch | | | no | | |
CVE-2021-45098.patch | commit 50e2b973eeec7172991bf8f544ab06fb782b97df. stream/tcp: handle RST with MD5 or AO header. Special handling for RST packets if they have a TCP MD5 or AO header option. The options hash can't be validated. The end host might be able to validate it, as it can have a key/password that was communicated out of band. The sender could use this to move the TCP state to 'CLOSED', leading to a desync of the TCP session. This patch builds on top of 843d0b7a10bb ("stream: support RST getting lost/ignored"). It flags the receiver as having received an RST and moves the TCP state into the CLOSED state. It then reverts this if the sender continues to send traffic. In this case it sets the following event: stream-event:suspected_rst_inject. Bug: #4710. | Victor Julien <victor@inliniac.net> | no | | | 2021-10-05
CVE-2023-35852-1.patch | commit aee1523b4591430ebed1ded0bb95508e6717a335. datasets: don't allow absolute or paths with directory traversal. For dataset filenames coming from rules, do not allow filenames that are absolute or contain a directory traversal with "..". This prevents datasets from escaping the defined data-directory, which may allow a bad rule to overwrite any file that Suricata has permission to write to. Add a new configuration option, "datasets.rules.allow-absolute-filenames", to allow absolute filenames in dataset rules. This will be a way to revert back to the pre-6.0.13 behavior where save/state rules could use any filename. Ticket: #6118 | Jason Ish <jason.ish@oisf.net> | no | | | 2023-05-23
CVE-2023-35852-2.patch | commit 735f5aa9ca3b28cfacc7a443f93a44387fbacf17. datasets: flag to disable "write" actions. Add a new configuration flag, "datasets.rules.allow-write", to control whether rules can contain "save" or "state" rules, which allow write access to the file system. Ticket: #6123 | Jason Ish <jason.ish@oisf.net> | no | | | 2023-06-06
CVE-2024-32663-1.patch | commit 08d93f7c3762781b743f88f9fdc4389eb9c3eb64. http2: use a reference counter for headers. Ticket: 6892. As HTTP hpack header compression allows one single byte to express a previously seen arbitrary-size header block (name+value), we should avoid copying the vectors' data and just point to the same data, while remaining memory safe, even in the case of later header eviction from the dynamic table. The Rust std solution is Rc and the use of clone, so long as the data is accessed by only one thread. (cherry picked from commit 390f09692eb99809c679d3f350c7cc185d163e1a) | Philippe Antoine <pantoine@oisf.net> | no | | | 2024-03-27
CVE-2024-32663-2.patch | commit d24b37a103c04bb2667e449e080ba4c8e56bb019. http2: do not log duplicate headers. Ticket: 6900. And thus avoid DoS by logging a request using a compressed header block repeated many times and having a long value... (cherry picked from commit 03442c9071b8d863d26b609d54c6eacf4de9e340) | Philippe Antoine <pantoine@oisf.net> | no | | | 2024-03-28
CVE-2024-37151.patch | commit 9d5c4273cb7e5ca65f195f7361f0d848c85180e0. defrag: don't use completed tracker. When a Tracker is set up for an IPID, frags come in for it and it's reassembled and complete, the `DefragTracker::remove` flag is set. This is meant to tell the hash cleanup code to recycle the tracker and to let the lookup code skip the tracker during lookup. A logic error led to the following scenario: 1. there are sufficient frag trackers to make sure the hash table is filled with trackers; 2. frags for a Packet with IPID X are processed correctly (X1); 3. frags for a new Packet that also has IPID X come in quickly after the first (X2); 4. during the lookup, the frag for X2 hashes to a hash row that holds more than one tracker; 5. as the trackers in the hash row are evaluated, it finds the tracker for X1, but since the `remove` bit is not checked, it is returned as the tracker for X2; 6. reassembly fails, as the tracker is already complete. The logic error is that only for the first tracker in a row the `remove` bit was checked, leading to reuse of a closed tracker if there were more trackers in the hash row. Ticket: #7042. | Victor Julien <vjulien@oisf.net> | no | | | 2024-06-04
CVE-2024-45796.patch | commit 9203656496c4081260817cce018a0d8fd57869b5. defrag: fix off by one. Ticket: 7067. This off by one could lead to an empty fragment being inserted in the rb tree, which led to integer underflow. | Philippe Antoine <pantoine@oisf.net> | no | | | 2024-07-15
CVE-2024-55626.patch | commit 470795e65ba77cffba3aed850313a5f23c4b278d. suricata/bpf: fix -Wshorten-64-to-32 warning. Ticket: 7366. Ticket: 6186. (cherry picked from commit dd71ef0af222a566e54dfc479dd1951dd17d7ceb) | Philippe Antoine <pantoine@oisf.net> | no | | | 2024-11-04
CVE-2025-29918.patch | commit f6c9490e1f7b0b375c286d5313ebf3bc81a95eb6. detect/pcre: avoid infinite loop after negated pcre. Ticket: 7526. The usage of negated pcre, followed by other relative payload content keywords, could lead to an infinite loop. This is because regular (not negated) pcre can test multiple occurrences, but negated pcre should be tried only once. (cherry picked from commit b14c67cbdf25fa6c7ffe0d04ddf3ebe67b12b50b) | Philippe Antoine <pantoine@oisf.net> | no | | | 2025-01-28
debian-default-cfg.patch | Debian default configuration. This patch sets Debian defaults for the suricata configuration. Currently, it sets a proper path for the suricata unix socket. | Arturo Borrero Gonzalez <arturo@debian.org> | not-needed | | | 2016-12-01
fix-repeated-builds.patch | do not clean vendor directory on distclean. dh_auto_clean calls make distclean, which in the case of Suricata also removes the vendor directory. This breaks repeated builds. | Sascha Steinbiss <satta@debian.org> | no | | | 2018-12-26
import-sockio-h.patch | [PATCH] af-packet: fix build on recent Linux kernels | Eric Leblond <eric@regit.org> | no | | | 2019-07-17
llc.patch | | | no | | |
no-use-gnu.patch | Don't use `__USE_GNU`. `__USE_GNU` is a glibc-internal symbol. `AC_USE_SYSTEM_EXTENSIONS` is the proper autoconf way to enable extensions. | Adrian Bunk <bunk@debian.org> | no | | |
remove-conflicting-python-file.patch | do not install the suricata Python module. Suricata's Python tools only import submodules of 'suricata'. Not installing this module ensures that there is no chance of having an `__init__.py` in the root module directory that might clash with other packages, e.g. suricata-update. | Sascha Steinbiss <satta@debian.org> | yes | | upstream | 2019-09-18
reproducible.patch | Patch to make the suricata build reproducible. This patch makes some changes to the suricata build to make it reproducible. Currently, it only filters out the -fdebug-prefix-map CFLAG, which embeds the build path. | Arturo Borrero Gonzalez <arturo@debian.org> | not-needed | | | 2016-09-05
stream-no-reject-bad-ack.patch | [PATCH] stream/tcp: don't reject on bad ack. Not using a packet for the streaming analysis when it had a non-zero ACK value and the ACK bit was unset was leading to evasion, as it was possible to start a session with a SYN packet with a non-zero ACK value to see the full TCP stream and escape all stream and application layer detection. This addresses CVE-2021-35063. | Eric Leblond <el@stamus-networks.com> | no | | | 2021-05-28
with-ebpf-includes.patch | Add --with-ebpf-includes parameter | Hilko Bengen <bengen@debian.org> | no | | | 2019-07-23
All known versions for source package 'suricata'
- 1:7.0.10-1 (sid, trixie)
- 1:7.0.10-1~bpo12+1 (bookworm-backports)
- 1:6.0.10-1 (bookworm)
- 1:6.0.10-1~bpo11+1 (bullseye-backports)
- 1:6.0.1-3+deb11u1 (bullseye-security)
- 1:6.0.1-3 (bullseye)