commit 05877ded9d658eb051b4482833bc333e57e5ab29 Author: Michael Tremer Date: Sat Oct 25 12:55:42 2025 +0000 core198: Ship changes in apache configuration Signed-off-by: Michael Tremer commit 018db0afbc778057f2fe03dfdbb2f03c05e5c1bd Author: Michael Tremer Date: Wed Oct 22 10:01:53 2025 +0000 core198: Update squid.conf and reload Signed-off-by: Michael Tremer commit e99655e9c77c67b19fdf10575755b8d4f392570e Author: Adolf Belka Date: Mon Oct 20 12:48:29 2025 +0200 proxy.cgi: Mitigation for CVE-2025-62168 on squid - The full fix for CVE-2025-62168 is in version squid-7.2 - However there are a lot of changes in squid from version 6 to 7 with all the error language files no longer provided directly, they have to be obtained from separate langauage packs now. Also several tools like cachmgr.cgi have been removed as the options can be obtained via different approaches. - I have had a look at squid-7.2 and I believe I can do the upgrade but it will take some time to be sure it is working properly. - In the interim, this patch adds the mitigation "email_err_data off" into squid.conf that is referenced in the CVE report. - If someone else has already worked on squid-7.2 and has it ready to go now or soon, then this patch can be dropped. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit d451f131ff19cc090d78712adc9309dd5bed2990 Author: Michael Tremer Date: Thu Oct 16 18:40:08 2025 +0200 general-functions.pl: Read output first before we wait for the process to terminate When generating IPS reports, the reporter could not write to the output, therefore blocked and the CGI script timed out. Signed-off-by: Michael Tremer commit f1e4331fa76b628c91057aca8e501c87de90283b Author: Michael Tremer Date: Thu Oct 16 09:25:52 2025 +0000 Run "./make.sh lang" Signed-off-by: Michael Tremer commit 998a8382ff0de6f9c830fe694c13dcb160cb4485 Author: Adolf Belka Date: Mon Oct 13 11:18:29 2025 +0200 core198: Ship dns.cgi Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 8e88814df7c9d647cf0d7e5636979016ef43d1f9 Author: Adolf Belka Date: Mon Oct 13 11:18:28 2025 +0200 dns.cgi: Correction to typo - Spotted by a new user on the forum as part of their CU198 Testing. - Causes an Internal Server Error when trying to access the Domain Name System page. Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit c1618483dec4b1421106b8f42cdeaa3d779175b8 Author: Michael Tremer Date: Tue Oct 7 15:27:43 2025 +0000 core198: Update permissions of auth.conf Signed-off-by: Michael Tremer commit 68063bc7e7878c60dfc5c736a5b07b0e8f31ad43 Author: Michael Tremer Date: Tue Oct 7 15:24:25 2025 +0000 Add the suricata user to the mail group Signed-off-by: Michael Tremer commit c3b8ba152daf7ba6faa99d307d87b2f8eb85cfcb Author: Michael Tremer Date: Tue Oct 7 15:22:57 2025 +0000 dma: Change ownership of auth.conf This file only needs to be written to by nobody (i.e. the web UI), but there are other users which need to read it in order to send emails. Signed-off-by: Michael Tremer commit 1081a699c68ba4d2aa39aee21607767208565382 Author: Michael Tremer Date: Tue Oct 7 15:09:52 2025 +0000 suricata-reporter: Update to 0.4 Signed-off-by: Michael Tremer commit 4290085d84bf2f8986b5f36045989a048f5a6e00 Author: Michael Tremer Date: Tue Oct 7 16:05:39 2025 +0100 ids.dat: Only allow downloading daily reports Signed-off-by: Michael Tremer commit 1370241b59a4a124c3009455890aa3cc2aafee09 Author: Michael Tremer Date: Tue Oct 7 15:54:58 2025 +0100 ids.dat: Fix date offset The CGI is starting from zero. Signed-off-by: Michael Tremer commit be69dd03ad9b268c10e29533fd91462d3172ebb2 Author: Michael Tremer Date: Tue Oct 7 15:53:01 2025 +0100 ids.dat: Remove extra space from command line arguments Signed-off-by: Michael Tremer commit 25a006fd6cd06e559fbc913d31d4662b6831e2ac Author: Michael Tremer Date: Tue Oct 7 15:52:33 2025 +0100 ids.dat: Remove database path We don't want to have any configuration in random CGI files. Signed-off-by: Michael Tremer commit 3d5dba3246228752368ac2ec73acf86101bdd754 Author: Stefan Schantl Date: Mon Oct 6 17:15:58 2025 +0200 logs.cgi/ids.dat: Add support for generating reports This commit allows to manaully generate certain reports of logged suricata alerts. Signed-off-by: Stefan Schantl Signed-off-by: Michael Tremer commit 54e9e66841b8fc97dd46ba419228c3fb6d488b69 Author: Michael Tremer Date: Thu Oct 2 16:57:10 2025 +0000 core198: Ship header.pl Signed-off-by: Michael Tremer commit 6d107e8683fb816f0f63fd6022b30a277ea9d191 Author: Adolf Belka Date: Thu Oct 2 13:10:15 2025 +0200 firewall.cgi: Fixes XSS potential - Related to CVE-2025-50975 - Fixes PROT - ruleremark was already escaped when firewall.cgi was initially merged back in Core Update 77. - SRC_PORT, TGT_PORT, dnaport, src_addr & tgt_addr are already validated in the code as ports or port ranges. - std_net_tgt is a string defined in the code and not a variable - The variable key ignores any input that is not a digit and subsequently uses the next free rulenumber digit Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 8726b465430f59a18e3704c47d886662ca59ad22 Author: Adolf Belka Date: Thu Oct 2 13:10:14 2025 +0200 dns.cgi: Fix for XSS potential - Related to CVE-2025-50976 - Fixes NAMESERVER & REMARK - TLS_HOSTNAME was already fixed in a previous patch Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit b46ccb021ed46cac8690c6f16f08f813beb12f5c Author: Michael Tremer Date: Thu Sep 25 17:32:51 2025 +0200 proxy.cgi: Escape parameters in the right place Signed-off-by: Michael Tremer commit 9a4fbd0bac49ee76006f732701c6fea8d2338f8a Author: Michael Tremer Date: Thu Sep 25 17:29:35 2025 +0200 dns.cgi: Validate the TLS hostname irregardless of TLS being used That way, we won't have to perform escaping later on and can rely on having a valid value. Signed-off-by: Michael Tremer commit 841d9dab524bfe6572471f4e14b97534e840bed1 Author: Michael Tremer Date: Thu Sep 25 17:19:59 2025 +0200 mail.cgi: Escape username/password in the right place Signed-off-by: Michael Tremer commit 0560cc7c4d06ce05e37c397f38be05907e098601 Author: Michael Tremer Date: Thu Sep 25 17:12:20 2025 +0200 firewalllogcountry.dat: Escape pienumber in the correct place Signed-off-by: Michael Tremer commit 3aad228b56bd2a87d3eeca1d027197734e0fac8c Author: Michael Tremer Date: Thu Sep 25 17:10:56 2025 +0200 firewalllogip.dat: Escape pienumber in the right place Signed-off-by: Michael Tremer commit 43ce8d752e79453e99fccb33bd8a4176bba4c670 Author: Michael Tremer Date: Thu Sep 25 17:07:36 2025 +0200 ids.cgi: Escape the remark before sending it back to the browser Signed-off-by: Michael Tremer commit 2398cc431a3fb2cd4141b6a846f0cd0742f6a97c Author: Michael Tremer Date: Thu Sep 25 17:05:32 2025 +0200 fwhosts.cgi: Escape PROT in the right place Signed-off-by: Michael Tremer commit ad995081302f6b28ea11c74e56306d94a7bee076 Author: Michael Tremer Date: Thu Sep 25 17:02:18 2025 +0200 fwhosts.cgi: Check country code before proceeding Signed-off-by: Michael Tremer commit 0b946b848c72511922fa211b6a4db0da092d204c Author: Michael Tremer Date: Thu Sep 25 16:37:27 2025 +0200 ddns.cgi: Escape the variables when they are being sent back to the browser Signed-off-by: Michael Tremer commit 9ceb7c7e8b3191109e7dd7c84444dce126996ee2 Author: Adolf Belka Date: Thu Sep 25 13:12:52 2025 +0200 proxy.cgi: Further fix for bug 13893 - Previous patch for proxy.cgi was related to the mitigation provided by the bug reporter for the parameter VISIBLE_HOSTNAME. This parameter however was not mentioned in the description for that bug. - bug 13893 description mentions TLS_HOSTNAME, UPSTREAM_USER, UPSTREAM_PASSWORD, ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD but it mentions them as being from dns.cgi which is incorrect except for TLS_HOSTNAME. - The other parameters are from proxy.cgi but no mitigation was shown for those in the bug report. - This patch adds fixes for the parameters UPSTREAM_USER, UPSTREAM_PASSWORD, ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD Fixes: bug 13893 - proxy.cgi Multiple Parameters Stored Cross-Site Scripting Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit e6a0ecf248d26c72f015d082e84ecd2772823c08 Author: Adolf Belka Date: Thu Sep 25 13:12:51 2025 +0200 proxy.cgi: Fixes bug 13893 Fixes: bug 13893 - proxy.cgi Multiple Parameters Stored Cross-Site Scripting Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit df17d1adafb5629ecd4d80634002028d7ab4cf58 Author: Adolf Belka Date: Thu Sep 25 13:12:50 2025 +0200 dns.cgi: Fixes bug 13892 Fixes: bug 13892 - dns.cgi TLS_HOSTNAME Stored Cross-Site Scripting Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit a31550706f590193f63f2a9c57c943a9ab572642 Author: Adolf Belka Date: Thu Sep 25 13:12:49 2025 +0200 mail.cgi: Fixes bug 13891 Fixes: bug 13891 - mail.cgi txt_mailuser txt_mailpass Stored Cross-Site Scripting Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit c431d86ab882f1305f831a37c04491a7ae771e28 Author: Adolf Belka Date: Thu Sep 25 13:12:48 2025 +0200 config.dat: Fixes bug 13890 Fixes: bug 13890 - config.dat REMOTELOG_ADDR Stored Cross-Site Scripting Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit fc3f7f4a179b26b6ef255a3ab46b6fe6faf208c9 Author: Adolf Belka Date: Thu Sep 25 13:12:47 2025 +0200 urlfilter.cgi: Fixes bugs 13887, 13888 & 13889 Fixes: bug 13887 - urlfilter.cgi BE_NAME Command Injection Fixes: bug 13888 - urlfilter.cgi USERQUOTA QUOTA_USERS Stored Cross-Site Scripting Fixes: bug 13889 - urlfilter.cgi TIMECONSTRAINT SRC DST COMMENT Stored Cross-Site Scripting Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 7dca07fdcf018320bc10eb4d5fcd019dd1a7029a Author: Adolf Belka Date: Thu Sep 25 13:12:46 2025 +0200 calamaris.dat: Fixes bug 13886 Fixes: bug 13886 - calamaris.dat Multiple Parameters Command Injection Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 32f22c92e19c2d94c5f0b667f27e7a5ccd65ac61 Author: Adolf Belka Date: Thu Sep 25 13:12:45 2025 +0200 qos.cgi: Fixes bug 13885 Fixes: bug 13885 - qos.cgi INC_SPD OUT_SPD DEFCLASS_INC DEFCLASS_OUT Stored Cross-Site Scripting Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 67db35c8a536b54d169336269853aaa6eae85ab5 Author: Adolf Belka Date: Thu Sep 25 13:12:44 2025 +0200 ddns.cgi: Fixes bug 13884 Fixes: bug 13884 - ddns.cgi LOGIN PASSWORD SERVICE Stored Cross-Site Scripting Signed-off-by: Adolf Belka Reviewed-by: Bernhard Bitsch Signed-off-by: Michael Tremer commit 8025aa78fb52933666e13a7e9e782edf4ddf8b42 Author: Adolf Belka Date: Thu Sep 25 13:12:43 2025 +0200 time.cgi: Fixes bug 13883 Fixes: bug 13883 - time.cgi UPDATE_VALUE Stored Cross-Site Scripting Signed-off-by: Adolf Belka Reviewed-by: Bernhard Bitsch Signed-off-by: Michael Tremer commit 8d78fb4b816e032738b08e724d51c200364e5037 Author: Adolf Belka Date: Thu Sep 25 13:12:42 2025 +0200 firewalllogcountry.dat: Fixes bug 13882 Fixes: bug 13882 - firewalllogcountry.dat pienumber Stored Cross-Site Scripting Signed-off-by: Adolf Belka Reviewed-by: Bernhard Bitsch Signed-off-by: Michael Tremer commit dd6d272b6828e443478d2e6e40c1ce19d54f3c2a Author: Adolf Belka Date: Thu Sep 25 13:12:41 2025 +0200 firewalllogip.dat: Fixes bug 13881 Fixes: bug 13881 - firewalllogip.dat pienumber Stored Cross-Site Scripting Signed-off-by: Adolf Belka Reviewed-by: Bernhard Bitsch Signed-off-by: Michael Tremer commit f04e5fb1c91582d2bfbcdcebfe2aa9a47a5edb43 Author: Adolf Belka Date: Thu Sep 25 13:12:40 2025 +0200 header.pl: Fixes bug 13880 Fixes: bug 13880 - cleanhtml() Unchecked Return Value Stored Cross-Site Scripting Signed-off-by: Adolf Belka Reviewed-by: Bernhard Bitsch Signed-off-by: Michael Tremer commit 0400a1009439d0ffeddb1e449c8bd656341f5f44 Author: Adolf Belka Date: Thu Sep 25 13:12:39 2025 +0200 ovpnclients.dat: Fixes bug 13879 Fixes: bug 13879 - CONNECTION_NAME SQL Injection Signed-off-by: Adolf Belka Reviewed-by: Bernhard Bitsch Signed-off-by: Michael Tremer commit eb257423df48f233312d06b2a7cd48cf5dfd21fd Author: Adolf Belka Date: Thu Sep 25 13:12:38 2025 +0200 ids.cgi: Fixes bug 13878 Fixes: bug 13878 - IGNORE_ENTRY_REMARK Stored Cross-Site Scripting Signed-off-by: Adolf Belka Reviewed-by: Bernhard Bitsch Signed-off-by: Michael Tremer commit a2c624b99dbcecb469e6001505731049ef5cbbd3 Author: Adolf Belka Date: Thu Sep 25 13:12:37 2025 +0200 fwhosts.cgi Fix for bug 13876 & bug 13877 Fixes: Bug 13876 savelocationgrp COUNTRY_CODE Stored Cross-Site Scripting Fixes: Bug 13877 saveservice PROT Stored Cross-Site Scripting Signed-off-by: Adolf Belka Reviewed-by: Bernhard Bitsch Signed-off-by: Michael Tremer commit 9150cbddeb913ce093f2f7e0669e4a8ab3265bb0 Author: Michael Tremer Date: Tue Sep 30 15:09:23 2025 +0000 core198: Ship the cleanfs initscript This is required to create /var/run/suricata at boot time. Signed-off-by: Michael Tremer commit a950be6cd698adb9d16c458c0189c7ec2bf7494c Author: Michael Tremer Date: Mon Sep 22 10:26:35 2025 +0000 suricata-reporter: Fix path to database Signed-off-by: Michael Tremer commit 87ee4f876f329015cc4a4cece800e4744d3f89cb Author: Adolf Belka Date: Thu Sep 25 19:22:53 2025 +0200 expat: Update to version 2.7.3 - Update from version 2.7.2 to 2.7.3 - Update of rootfile - Changelog 2.7.3 Security fixes: Fix alignment of internal allocations for some non-amd64 architectures (e.g. sparc32); fixes up on the fix to CVE-2025-59375 from #1034 (of Expat 2.7.2 and related backports) Fix a class of false positives where input should have been rejected with error XML_ERROR_ASYNC_ENTITY; regression from CVE-2024-8176 fix pull request #973 (of Expat 2.7.0 and related backports). Please check the added unit tests for example documents. Other changes: Prove and regression-proof absence of integer overflow from function expat_realloc Remove "harmless" cast that truncated a size_t to unsigned Autotools: Remove "ln -s" discovery docs: Be consistent with use of floating point around XML_SetAllocTrackerMaximumAmplification docs: Make it explicit that XML_GetCurrentColumnNumber starts at 0 docs: Better integrate the effect of the activation thresholds docs: Fix an in-comment typo in expat.h docs: Fix a typo in README.md docs: Improve change log of release 2.7.2 xmlwf: Resolve use of functions XML_GetErrorLineNumber and XML_GetErrorColumnNumber Windows: Normalize .bat files to CRLF line endings Version info bumped from 12:0:11 (libexpat*.so.1.11.0) to 12:1:11 (libexpat*.so.1.11.1); see https://verbump.de/ for what these numbers do Infrastructure: CI: Cleanup UndefinedBehaviorSanitizer fatality CI|Linux: Stop aborting at first job failure CI|FreeBSD: Upgrade to FreeBSD 15.0 CI|FreeBSD: Do not install CMake meta-package Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer commit 9eaae72637d9c98036bc521ff137fa3662d556b4 Author: Michael Tremer Date: Fri Sep 19 16:00:06 2025 +0100 webui: Follow symlinks for static assets Fixes: #13873 - Prompt fonts generating 403 Forbidden error Signed-off-by: Michael Tremer commit 3c509e6ce899cf264e24b0e6357aac7730c71c85 Merge: 26f600100 cc67c087c Author: Michael Tremer Date: Thu Sep 18 15:49:32 2025 +0000 Merge branch 'next' commit cc67c087c843438b5402c9443fb471d3faa60d98 Author: Adolf Belka Date: Wed Sep 17 13:09:40 2025 +0200 nfs: Update to version 2.8.4 - Update from version 2.8.3 to 2.8.4 - Update of rootfile not required - Changelog is just a list of the commits. The details can be found in the changelog at https://sourceforge.net/projects/nfs/files/nfs-utils/2.8.4/ Signed-off-by: Adolf Belka Signed-off-by: Michael Tremer