package/suricata: security bump to version 6.0.14
- Fix CVE-2023-35852: In Suricata before 6.0.13 (when there is an
adversary who controls an external source of rules), a dataset
filename, that comes from a rule, may trigger absolute or relative
directory traversal, and lead to write access to a local filesystem.
This is addressed in 6.0.13 by requiring allow-absolute-filenames and
allow-write (in the datasets rules configuration section) if an
installation requires traversal/writing in this situation.
- Fix CVE-2023-35853: In Suricata before 6.0.13, an adversary who
controls an external source of Lua rules may be able to execute Lua
code. This is addressed in 6.0.13 by disabling Lua unless allow-rules
is true in the security lua configuration section.
- Drop first patch (not needed since c8a3aa608e)
https://github.com/OISF/suricata/blob/suricata-6.0.14/ChangeLog
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
parent
e7988c7060
commit
ce17f93e82
@ -1355,8 +1355,7 @@ package/statserial/0001-ncurses-link.patch Upstream
|
|||||||
package/stunnel/S50stunnel Indent Shellcheck Variables
|
package/stunnel/S50stunnel Indent Shellcheck Variables
|
||||||
package/sudo/0001-configure.ac-fix-openssl-static-build.patch Upstream
|
package/sudo/0001-configure.ac-fix-openssl-static-build.patch Upstream
|
||||||
package/supervisor/S99supervisord Variables
|
package/supervisor/S99supervisord Variables
|
||||||
package/suricata/0001-python-ensure-proper-shabang-on-python-scripts.patch Upstream
|
package/suricata/0001-configure.ac-allow-the-user-to-override-RUST_TARGET.patch Upstream
|
||||||
package/suricata/0002-configure.ac-allow-the-user-to-override-RUST_TARGET.patch Upstream
|
|
||||||
package/suricata/S99suricata Shellcheck
|
package/suricata/S99suricata Shellcheck
|
||||||
package/swupdate/swupdate.sh Shellcheck
|
package/swupdate/swupdate.sh Shellcheck
|
||||||
package/sylpheed/0001-harden-link-checker-before-accepting-click.patch Upstream
|
package/sylpheed/0001-harden-link-checker-before-accepting-click.patch Upstream
|
||||||
|
@ -1,47 +0,0 @@
|
|||||||
From 44fe2328b715db25134ee095526d2fa47e6cd834 Mon Sep 17 00:00:00 2001
|
|
||||||
From: "Yann E. MORIN" <yann.morin.1998@free.fr>
|
|
||||||
Date: Wed, 1 Jan 2020 15:25:57 +0100
|
|
||||||
Subject: [PATCH] python: ensure proper shabang on python scripts
|
|
||||||
|
|
||||||
When instlling python scripts, distutils would use the python used to
|
|
||||||
run setup.py as shabang for the scripts it installs.
|
|
||||||
|
|
||||||
However, when cross-compiling, this is most often not correct.
|
|
||||||
|
|
||||||
Instead, using '/usr/bin/env python' is guaranteed to find the proper
|
|
||||||
python in the PATH, so we need to instruct setyup.py to use that as the
|
|
||||||
executable.
|
|
||||||
|
|
||||||
[yann.morin.1998@free.fr:
|
|
||||||
- author did not provide their SoB, but it's simple enough to
|
|
||||||
not require it for once
|
|
||||||
- provide proper commit log
|
|
||||||
]
|
|
||||||
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
|
|
||||||
[Fabrice: update for 6.0.0]
|
|
||||||
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
|
|
||||||
---
|
|
||||||
python/Makefile.am | 4 ++--
|
|
||||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/python/Makefile.am b/python/Makefile.am
|
|
||||||
index 59d195f29..a41604f72 100644
|
|
||||||
--- a/python/Makefile.am
|
|
||||||
+++ b/python/Makefile.am
|
|
||||||
@@ -6,11 +6,11 @@ EXTRA_DIST = setup.py \
|
|
||||||
if HAVE_PYTHON_DISTUTILS
|
|
||||||
all-local:
|
|
||||||
cd $(srcdir) && \
|
|
||||||
- $(HAVE_PYTHON) setup.py build --build-base "$(abs_builddir)"
|
|
||||||
+ $(HAVE_PYTHON) setup.py build -e "/usr/bin/env python" --build-base "$(abs_builddir)"
|
|
||||||
|
|
||||||
install-exec-local:
|
|
||||||
cd $(srcdir) && \
|
|
||||||
- $(HAVE_PYTHON) setup.py build --build-base "$(abs_builddir)" \
|
|
||||||
+ $(HAVE_PYTHON) setup.py build -e "/usr/bin/env python" --build-base "$(abs_builddir)" \
|
|
||||||
install --prefix $(DESTDIR)$(prefix)
|
|
||||||
|
|
||||||
uninstall-local:
|
|
||||||
--
|
|
||||||
2.20.1
|
|
||||||
|
|
@ -1,5 +1,5 @@
|
|||||||
# Locally computed:
|
# Locally computed:
|
||||||
sha256 00173634fa76aee636e38a90b1c02616c903e42173107d47b4114960b5fbe839 suricata-6.0.6.tar.gz
|
sha256 cfa93de900d0fd8ba67c79fddec58fb7afb8f6c45b0773040035a15407b796ce suricata-6.0.14.tar.gz
|
||||||
|
|
||||||
# Hash for license files:
|
# Hash for license files:
|
||||||
sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING
|
sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 COPYING
|
||||||
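Review bot: The replacement hash for `suricata-6.0.14.tar.gz` is still recorded under `# Locally computed:`, which only pins the bytes the packager happened to download and says nothing about whether they match what upstream released. Since this is a security bump of an IDS package, it would be worth checking the tarball against a detached signature from upstream before computing the hash (assuming OISF publishes one for this release; that is not visible on this page) and saying so in the comment, e.g. `# Locally computed after checking the upstream pgp signature`. The hash value itself cannot be confirmed from this page.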
|
@ -4,13 +4,12 @@
|
|||||||
#
|
#
|
||||||
################################################################################
|
################################################################################
|
||||||
|
|
||||||
SURICATA_VERSION = 6.0.6
|
SURICATA_VERSION = 6.0.14
|
||||||
SURICATA_SITE = https://www.openinfosecfoundation.org/download
|
SURICATA_SITE = https://www.openinfosecfoundation.org/download
|
||||||
SURICATA_LICENSE = GPL-2.0
|
SURICATA_LICENSE = GPL-2.0
|
||||||
SURICATA_LICENSE_FILES = COPYING LICENSE
|
SURICATA_LICENSE_FILES = COPYING LICENSE
|
||||||
SURICATA_CPE_ID_VENDOR = oisf
|
SURICATA_CPE_ID_VENDOR = oisf
|
||||||
# 0001-python-ensure-proper-shabang-on-python-scripts.patch
|
# 0001-configure.ac-allow-the-user-to-override-RUST_TARGET.patch
|
||||||
# 0002-configure.ac-allow-the-user-to-override-RUST_TARGET.patch
|
|
||||||
SURICATA_AUTORECONF = YES
|
SURICATA_AUTORECONF = YES
|
||||||
|
|
||||||
SURICATA_DEPENDENCIES = \
|
SURICATA_DEPENDENCIES = \
|
||||||
|