Update: suricata 7.0.6
Simple update to the latest release of suricata. Release announcement
at https://suricata.io/2024/06/27/suricata-7-0-6-and-6-0-20-released/
This fixes 4 security issues, so I plan to backport to -stable.
Other than the version bump, the only port change is regenerating the patches.
OKs?
Thanks,
Jeremy
Index: Makefile
===================================================================
RCS file: /cvs/ports/security/suricata/Makefile,v
diff -u -p -u -p -r1.71 Makefile
--- Makefile 29 May 2024 08:04:35 -0000 1.71
+++ Makefile 27 Jun 2024 15:12:03 -0000
@@ -3,13 +3,12 @@ NOT_FOR_ARCHS = powerpc64 riscv64
COMMENT = high performance network IDS, IPS and security monitoring
-SURICATA_V = 7.0.5
+SURICATA_V = 7.0.6
SUPDATE_V = 1.3.3
DISTNAME = suricata-${SURICATA_V}
CATEGORIES = security
SHARED_LIBS += htp 0.1 # 2.0
-REVISION = 1
HOMEPAGE = https://suricata.io/
Index: distinfo
===================================================================
RCS file: /cvs/ports/security/suricata/distinfo,v
diff -u -p -u -p -r1.24 distinfo
--- distinfo 30 Apr 2024 14:30:46 -0000 1.24
+++ distinfo 27 Jun 2024 15:12:12 -0000
@@ -1,2 +1,2 @@
-SHA256 (suricata-7.0.5.tar.gz) = H/tWgVjyZcCFVEZL+4VOZWjvaDvwMxKSO1HyjFB5Ck4=
-SIZE (suricata-7.0.5.tar.gz) = 23612189
+SHA256 (suricata-7.0.6.tar.gz) = IYJPf/Egh8DJud4gcZmnWpwxsDA2aIx8ucF48KO1f40=
+SIZE (suricata-7.0.6.tar.gz) = 23644184
Index: patches/patch-configure_ac
===================================================================
RCS file: /cvs/ports/security/suricata/patches/patch-configure_ac,v
diff -u -p -u -p -r1.13 patch-configure_ac
--- patches/patch-configure_ac 22 Feb 2024 09:49:35 -0000 1.13
+++ patches/patch-configure_ac 27 Jun 2024 15:15:29 -0000
@@ -3,7 +3,7 @@ To remove the pid file, its directory mu
Index: configure.ac
--- configure.ac.orig
+++ configure.ac
-@@ -2562,7 +2562,7 @@ if test "$WINDOWS_PATH" = "yes"; then
+@@ -2597,7 +2597,7 @@ if test "$WINDOWS_PATH" = "yes"; then
fi
else
EXPAND_VARIABLE(localstatedir, e_logdir, "/log/suricata/")
Index: patches/patch-src_suricata_c
===================================================================
RCS file: /cvs/ports/security/suricata/patches/patch-src_suricata_c,v
diff -u -p -u -p -r1.15 patch-src_suricata_c
--- patches/patch-src_suricata_c 27 Mar 2024 21:31:15 -0000 1.15
+++ patches/patch-src_suricata_c 27 Jun 2024 15:15:26 -0000
@@ -4,7 +4,7 @@ Suricata uses libcap-ng on Linux and run
Index: src/suricata.c
--- src/suricata.c.orig
+++ src/suricata.c
-@@ -1597,7 +1597,7 @@ static TmEcode ParseCommandLine(int argc, char** argv,
+@@ -1609,7 +1609,7 @@ static TmEcode ParseCommandLine(int argc, char** argv,
return TM_ECODE_FAILED;
#endif /* UNITTESTS */
} else if (strcmp((long_opts[option_index]).name, "user") == 0) {
@@ -13,7 +13,7 @@ Index: src/suricata.c
SCLogError("libcap-ng is required to"
" drop privileges, but it was not compiled into Suricata.");
return TM_ECODE_FAILED;
-@@ -1606,7 +1606,7 @@ static TmEcode ParseCommandLine(int argc, char** argv,
+@@ -1618,7 +1618,7 @@ static TmEcode ParseCommandLine(int argc, char** argv,
suri->do_setuid = TRUE;
#endif /* HAVE_LIBCAP_NG */
} else if (strcmp((long_opts[option_index]).name, "group") == 0) {
@@ -22,7 +22,7 @@ Index: src/suricata.c
SCLogError("libcap-ng is required to"
" drop privileges, but it was not compiled into Suricata.");
return TM_ECODE_FAILED;
-@@ -3040,6 +3040,7 @@ int SuricataMain(int argc, char **argv)
+@@ -3055,6 +3055,7 @@ int SuricataMain(int argc, char **argv)
SystemHugepageSnapshotDestroy(prerun_snap);
SystemHugepageSnapshotDestroy(postrun_snap);
}
Index: patches/patch-suricata_yaml_in
===================================================================
RCS file: /cvs/ports/security/suricata/patches/patch-suricata_yaml_in,v
diff -u -p -u -p -r1.21 patch-suricata_yaml_in
--- patches/patch-suricata_yaml_in 27 Mar 2024 21:31:15 -0000 1.21
+++ patches/patch-suricata_yaml_in 27 Jun 2024 15:15:26 -0000
@@ -35,7 +35,7 @@ Index: suricata.yaml.in
# Enable for multi-threaded eve.json output; output files are amended with
# an identifier, e.g., eve.9.json
#threaded: false
-@@ -334,6 +336,7 @@ outputs:
+@@ -340,6 +342,7 @@ outputs:
- http-log:
enabled: no
filename: http.log
@@ -43,7 +43,7 @@ Index: suricata.yaml.in
append: yes
#extended: yes # enable this for extended logging information
#custom: yes # enable the custom logging format (defined by customformat)
-@@ -344,6 +347,7 @@ outputs:
+@@ -350,6 +353,7 @@ outputs:
- tls-log:
enabled: no # Log TLS connections.
filename: tls.log # File to store TLS logs.
@@ -51,7 +51,7 @@ Index: suricata.yaml.in
append: yes
#extended: yes # Log extended information like fingerprint
#custom: yes # enabled the custom logging format (defined by customformat)
-@@ -391,6 +395,7 @@ outputs:
+@@ -397,6 +401,7 @@ outputs:
- pcap-log:
enabled: no
filename: log.pcap
@@ -59,7 +59,7 @@ Index: suricata.yaml.in
# File size limit. Can be specified in kb, mb, gb. Just a number
# is parsed as bytes.
-@@ -429,6 +434,7 @@ outputs:
+@@ -435,6 +440,7 @@ outputs:
- alert-debug:
enabled: no
filename: alert-debug.log
@@ -67,7 +67,7 @@ Index: suricata.yaml.in
append: yes
#filetype: regular # 'regular', 'unix_stream' or 'unix_dgram'
-@@ -436,6 +442,7 @@ outputs:
+@@ -442,6 +448,7 @@ outputs:
- stats:
enabled: yes
filename: stats.log
@@ -75,7 +75,7 @@ Index: suricata.yaml.in
append: yes # append to file (yes) or overwrite it (no)
totals: yes # stats for all threads merged together
threads: no # per thread stats
-@@ -529,6 +536,7 @@ outputs:
+@@ -535,6 +542,7 @@ outputs:
enabled: no
type: file
filename: tcp-data.log
@@ -83,7 +83,7 @@ Index: suricata.yaml.in
# Log HTTP body data after normalization, de-chunking and unzipping.
# Two types: file or dir.
-@@ -542,6 +550,7 @@ outputs:
+@@ -548,6 +556,7 @@ outputs:
enabled: no
type: file
filename: http-data.log
@@ -91,7 +91,7 @@ Index: suricata.yaml.in
# Lua Output Support - execute lua script to generate alert and event
# output.
-@@ -1195,9 +1204,9 @@ datasets:
+@@ -1203,9 +1212,9 @@ datasets:
##
# Run Suricata with a specific user-id and group-id:
@@ -104,7 +104,7 @@ Index: suricata.yaml.in
security:
# if true, prevents process creation from Suricata by calling
-@@ -1208,13 +1217,11 @@ security:
+@@ -1216,13 +1225,11 @@ security:
enabled: no
directories:
#write:
@@ -118,7 +118,7 @@ Index: suricata.yaml.in
lua:
# Allow Lua rules. Disabled by default.
-@@ -1227,7 +1234,7 @@ security:
+@@ -1235,7 +1242,7 @@ security:
# Default location of the pid file. The pid file is only used in
# daemon mode (start Suricata with -D). If not running in daemon mode
# the --pidfile command line option must be used to create a pid file.
@@ -127,17 +127,17 @@ Index: suricata.yaml.in
# Daemon working directory
# Suricata will change directory to this one if provided
-@@ -1295,8 +1302,7 @@ unix-command:
+@@ -1303,8 +1310,7 @@ unix-command:
#filename: custom.socket
# Magic file. The extension .mgc is added to the value here.
-#magic-file: /usr/share/file/magic
-+#magic-file: ${SYSCONFDIR}/magic
-@e_magic_file_comment@magic-file: @e_magic_file@
++#magic-file: ${SYSCONFDIR}/magic
# GeoIP2 database file. Specify path and filename of GeoIP2 database
# if using rules with "geoip" rule option.
-@@ -1334,8 +1340,8 @@ legacy:
+@@ -1342,8 +1348,8 @@ legacy:
exception-policy: auto
# IP Reputation
@@ -148,7 +148,7 @@ Index: suricata.yaml.in
#reputation-files:
# - reputation.list
-@@ -1813,7 +1819,7 @@ profiling:
+@@ -1825,7 +1831,7 @@ profiling:
limit: 10
# output to json
@@ -157,7 +157,7 @@ Index: suricata.yaml.in
# per keyword profiling
keywords:
-@@ -2143,22 +2149,44 @@ napatech:
+@@ -2155,22 +2161,44 @@ napatech:
#
hashmode: hash5tuplesorted