package/suricata: security bump to version 6.0.14

- Fix CVE-2023-35852: In Suricata before 6.0.13 (when there is an
  adversary who controls an external source of rules), a dataset
  filename, that comes from a rule, may trigger absolute or relative
  directory traversal, and lead to write access to a local filesystem.
  This is addressed in 6.0.13 by requiring allow-absolute-filenames and
  allow-write (in the datasets rules configuration section) if an
  installation requires traversal/writing in this situation.
- Fix CVE-2023-35853: In Suricata before 6.0.13, an adversary who
  controls an external source of Lua rules may be able to execute Lua
  code. This is addressed in 6.0.13 by disabling Lua unless allow-rules
  is true in the security lua configuration section.
- Drop first patch (not needed since c8a3aa608e)

https://github.com/OISF/suricata/blob/suricata-6.0.14/ChangeLog

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Fabrice Fontaine 2023-09-28 18:51:26 +02:00 committed by Yann E. MORIN
parent e7988c7060
commit ce17f93e82
5 changed files with 4 additions and 53 deletions


@ -1355,8 +1355,7 @@ package/statserial/0001-ncurses-link.patch Upstream
package/stunnel/S50stunnel Indent Shellcheck Variables package/stunnel/S50stunnel Indent Shellcheck Variables
package/sudo/0001-configure.ac-fix-openssl-static-build.patch Upstream package/sudo/0001-configure.ac-fix-openssl-static-build.patch Upstream
package/supervisor/S99supervisord Variables package/supervisor/S99supervisord Variables
package/suricata/0001-python-ensure-proper-shabang-on-python-scripts.patch Upstream package/suricata/0001-configure.ac-allow-the-user-to-override-RUST_TARGET.patch Upstream
package/suricata/0002-configure.ac-allow-the-user-to-override-RUST_TARGET.patch Upstream
package/suricata/S99suricata Shellcheck package/suricata/S99suricata Shellcheck
package/swupdate/swupdate.sh Shellcheck package/swupdate/swupdate.sh Shellcheck
package/sylpheed/0001-harden-link-checker-before-accepting-click.patch Upstream package/sylpheed/0001-harden-link-checker-before-accepting-click.patch Upstream
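Review bot: the renamed entry package/suricata/0001-configure.ac-allow-the-user-to-override-RUST_TARGET.patch is still carried here with an Upstream exemption. Since the patch is being renumbered in this commit anyway, consider adding an Upstream: tag to its header (submission URL, or the reason it cannot be upstreamed) so the entry can be dropped from this ignore list rather than renamed.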


@ -1,47 +0,0 @@
From 44fe2328b715db25134ee095526d2fa47e6cd834 Mon Sep 17 00:00:00 2001
From: "Yann E. MORIN" <yann.morin.1998@free.fr>
Date: Wed, 1 Jan 2020 15:25:57 +0100
Subject: [PATCH] python: ensure proper shabang on python scripts
When instlling python scripts, distutils would use the python used to
run setup.py as shabang for the scripts it installs.
However, when cross-compiling, this is most often not correct.
Instead, using '/usr/bin/env python' is guaranteed to find the proper
python in the PATH, so we need to instruct setyup.py to use that as the
executable.
[yann.morin.1998@free.fr:
- author did not provide their SoB, but it's simple enough to
not require it for once
- provide proper commit log
]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
[Fabrice: update for 6.0.0]
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
python/Makefile.am | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/python/Makefile.am b/python/Makefile.am
index 59d195f29..a41604f72 100644
--- a/python/Makefile.am
+++ b/python/Makefile.am
@@ -6,11 +6,11 @@ EXTRA_DIST = setup.py \
if HAVE_PYTHON_DISTUTILS
all-local:
cd $(srcdir) && \
- $(HAVE_PYTHON) setup.py build --build-base "$(abs_builddir)"
+ $(HAVE_PYTHON) setup.py build -e "/usr/bin/env python" --build-base "$(abs_builddir)"
install-exec-local:
cd $(srcdir) && \
- $(HAVE_PYTHON) setup.py build --build-base "$(abs_builddir)" \
+ $(HAVE_PYTHON) setup.py build -e "/usr/bin/env python" --build-base "$(abs_builddir)" \
install --prefix $(DESTDIR)$(prefix)
uninstall-local:
--
2.20.1
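Review bot: the commit log justifies deleting this patch only with "not needed since c8a3aa608e", which does not say what that commit changed. The patch existed so that installed scripts got '/usr/bin/env python' as their shebang instead of the build-host interpreter path when cross-compiling; please state in the log why that can no longer happen, so a later reader can confirm that no host interpreter path ends up on the target.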


@ -1,5 +1,5 @@
# Locally computed: # Locally computed:
sha256 00173634fa76aee636e38a90b1c02616c903e42173107d47b4114960b5fbe839 suricata-6.0.6.tar.gz sha256 cfa93de900d0fd8ba67c79fddec58fb7afb8f6c45b0773040035a15407b796ce suricata-6.0.14.tar.gz
# Hash for license files: # Hash for license files:
sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING
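Review bot: the new suricata-6.0.14.tar.gz hash is marked "Locally computed", so for a security bump the integrity of the tarball rests entirely on the submitter's own download. If upstream publishes a detached signature or checksum for this release, verify the tarball against it and record in the comment above the hash what was checked.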


@ -4,13 +4,12 @@
# #
################################################################################ ################################################################################
SURICATA_VERSION = 6.0.6 SURICATA_VERSION = 6.0.14
SURICATA_SITE = https://www.openinfosecfoundation.org/download SURICATA_SITE = https://www.openinfosecfoundation.org/download
SURICATA_LICENSE = GPL-2.0 SURICATA_LICENSE = GPL-2.0
SURICATA_LICENSE_FILES = COPYING LICENSE SURICATA_LICENSE_FILES = COPYING LICENSE
SURICATA_CPE_ID_VENDOR = oisf SURICATA_CPE_ID_VENDOR = oisf
# 0001-python-ensure-proper-shabang-on-python-scripts.patch # 0001-configure.ac-allow-the-user-to-override-RUST_TARGET.patch
# 0002-configure.ac-allow-the-user-to-override-RUST_TARGET.patch
SURICATA_AUTORECONF = YES SURICATA_AUTORECONF = YES
SURICATA_DEPENDENCIES = \ SURICATA_DEPENDENCIES = \
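Review bot: SURICATA_VERSION jumps from 6.0.6 to 6.0.14, but the log describes only the two CVEs fixed in 6.0.13, and both fixes work by changing defaults (rule-supplied dataset paths now need allow-absolute-filenames and allow-write, Lua rules need allow-rules). Please note in the log that configurations relying on Lua rules or rule-defined dataset paths must opt in after this bump, and say whether the intermediate releases carry further security fixes beyond what the ChangeLog link covers.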