commit 922c244692d7792ad3c57f3cf3a26aecc3398899
Author: Adolf Belka
Date:   Wed Aug 20 18:51:47 2025 +0200

    ovpnmain.cgi: Fixes bug13869 - shows values from vpnsettings in advanced server page

    - In the previous version the cgiparams hash was filled from the
      ovpn/settings file. However with the new version of this file that is
      no longer done. For the values of protocol, redirect_gw, mssfix,
      dataciphers, route_push the hash file was changed from %cgiparams to
      %vpnsettings. This was not done for the values of dciphers, dauth or
      tlsauth. These values still got their entries from the %cgiparams hash
      but this hash is empty as it has not been filled.
    - This patch replaces the use of $cgiparams with $vpnsettings.
    - Tested this out on my vm testbed and confirmed that the saved values
      are now shown on the advanced settings wui page.

    Fixes: bug13869
    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 77f1c6dc3999d2174079bf57f1a6078c5e74f7ab
Author: Stefan Schantl
Date:   Tue Aug 19 20:39:16 2025 +0200

    ovpnmain.cgi: Apply default settings when necessary

    Only apply the default settings in case nothing has been configured yet,
    otherwise existing settings may get overwritten.

    Signed-off-by: Stefan Schantl
    Signed-off-by: Michael Tremer

commit 750377a96a2a380449d6612ddc2661cb782215ab
Merge: eefffac97 8d611ffd0
Author: Michael Tremer
Date:   Thu Aug 14 10:06:01 2025 +0000

    Merge branch 'master' into next

commit 8d611ffd0424ba20aac45f63f5bdaa398b4cb557
Author: Michael Tremer
Date:   Thu Aug 14 11:03:04 2025 +0100

    core197: Rewrite the entire OpenVPN server configuration

    This also updates all CCD configuration files.

    Signed-off-by: Michael Tremer

commit 3e82d9990cbdd4b0f022e16aecec164008926717
Author: Michael Tremer
Date:   Thu Aug 14 11:01:23 2025 +0100

    ovpnmain.cgi: Add option to rewrite all configuration files

    Signed-off-by: Michael Tremer

commit 4c0b4194ff24e4ddeb8a1311facfec71d2101a39
Author: Michael Tremer
Date:   Thu Aug 14 11:01:10 2025 +0100

    ovpnmain.cgi: Disable logging warnings

    Signed-off-by: Michael Tremer

commit eefffac970c071a6626fbfb431e29387b14a1b46
Author: Michael Tremer
Date:   Thu Aug 14 09:57:49 2025 +0000

    core198: Restart fcron

    Signed-off-by: Michael Tremer

commit 1621454c10c1213d30ea906e2ef7230bfe01ad49
Author: Adolf Belka
Date:   Wed Aug 13 22:52:58 2025 +0200

    core 198: Ship fcron

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 55f491b11d743837de3089869cc807fcbf393270
Author: Adolf Belka
Date:   Wed Aug 13 22:53:00 2025 +0200

    fcron: Update to version 3.4.0

    - Update from version 3.2.1 to 3.4.0
    - Update of the rootfile
    - Changelog
        3.4.0
          Changed the default "From" header of emails sent by fcron, to be
          RFC5322-compliant. This is done (and can be reverted if needed) via
          the new fcron.conf option maildisplayname.
          Changed the default fcron reload delay from 60s to 5s.
          Better doc and logging on bootrun jobs.
        3.3.3
          Fixed infinite loop when an lavg job reaches its 'until' deadline
          and gets rescheduled as the next job to run.
          Improved signal safety.
          Improved log messages for: indentation, resume after suspend, child
          task completion.
          Fixed compilation warnings: SELinux, signal handling.
          Updated copyright years.
        3.3.2
          Add compilation option (configure's
          '--with-max-fcrontab-reload-delay-seconds') to allow faster or even
          instant reload for non-root users (thanks Elliot Wolk).
          Added fcron.conf option 'maildisplayname', to configure the
          displayname fcron uses when sending email. This allows fcron to be
          configured to be RFC5322-compliant (thanks Marco Emilio "sphakka"
          Poleggi)
          Fixed fcrondyn output issue where two lines would be joined due to
          a long shell command.
          Improve documentation wording (thanks Michael Kopp)
        3.3.1
          Updated SELinux code to stop using deprecated headers (fixes build
          on more recent systems)
          Install programs with R/W perms for the owner
          Fixed @reboot when using systemd
          Various other fixes and improvements in doc, install and boot
          scripts (in particular under systemd)
        3.3.0
          fcron now handles computer suspend/resume. On Linux systems, fcron
          can detect resumes and measure the suspend time. On other OSes, a
          script must be run at suspend and resume via system hooks.
          Added a new option 'runatresume' (as well as a Vixie-cron-style
          '@resume' shortcut), to run a job when the system resumes from
          suspend/hibernation.
          Refactored the socket (for fcrondyn), suspend and select code.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 51fdbf124fdebe6fd14f6475d0a6bd3034db92b4
Author: Adolf Belka
Date:   Wed Aug 13 22:52:59 2025 +0200

    core 198: Ship libgcrypt

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 913da0023a8c9b5cb792ccaf3f9329e747f1c365
Author: Adolf Belka
Date:   Wed Aug 13 22:53:01 2025 +0200

    libgcrypt: Update to version 1.11.2

    - Update from version 1.11.0 to 1.11.2
    - Update of the rootfile
    - Changelog
        1.11.2
          Bug fixes:
          - Fix link errors in regression test t-thread-local on some
            platforms (e.g. NetBSD). [T7634]
          - Add missing file to allow building for RISC-V. [T7647]
          - Support secp256k1 by KEM API. GnuPG has recently switched to use
            the KEM interface and a few folks are using this curve. [T7698]
          - Fix a missing initialization in RSA's generate_fips.
            [rG448693047f]
          Other:
          - Silence GCC 15 warnings [rG7ebe90e555,T7617]
          - Provide a prototype for __udiv_qrnnd for PowerPC and Alpha which
            is required due to GCC-15 changes. [T7721]
          - Add missing abi versions and machine tags for PowerPC assembly
            with GCC-15. [T7721]
          - Use '.rodata' section for read-only data of poly1305-p10le.
            [T7721]
          Interface changes relative to the 1.11.1 release:
          GCRY_KEM_RAW_P256R1      NEW enum.
        1.11.1
          Bug fixes:
          - Fix build regression on 32 bit Windows using Clang. [T7175]
          - Fix build regression on macOS due to symbol naming. [T7170]
          - Fix Kyber secret-dependent branch introduced by recent versions
            of Clang. [rCf765778e82]
          - Fix build regression due to the use of AVX512 in Blake. [T7184]
          - Do not build i386 asm on amd64 and vice versa. [T7220]
          - Fix build regression on armhf with gcc-14. [T7226]
          - Return the proper error code on malloc failure in hex2buffer.
            [rCc51151f5b0]
          - Fix long standing bug for PRIME % 2 == 0. [rC639b0fca15]
          Performance:
          - Add AES Vector Permute intrinsics implementation for AArch64.
            [rC94a63aedbb]
          - Add GHASH AArch64/SIMD intrinsics implementation. [rCfec871fd18]
          - Add RISC-V vector permute AES. [rCb24ebd6163]
          - Add GHASH RISC-V Zbb+Zbc implementation. [rC0f1fec12b0]
          - Add ChaCha20 RISC-V vector intrinsics implementation.
            [rC8dbee93ac2]
          - Add SHA3 acceleration for RISC-V Zbb extension. [rC1a660068ba]
          Other:
          - Add CET support for i386 and amd64 assembly. [T7220]
          - Add PAC/BTI support for AArch64 asm. [T7220]
          - Apply changes to Kyber from upstream for final FIPS 203.
            [rCcc95c36e7f]
          - Introduce an internal API for a revamped FIPS service indicator.
            [T7340]
          - Several improvements for constant time operation by the
            introduction of Least Leak Intended (LLI) variants of internal
            functions. [T7519,T7490]
          - Remove WindowsCE support. [T7486]

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 691b81d004112de055412bf398c4d714539f8f7c
Author: Adolf Belka
Date:   Wed Aug 13 18:30:12 2025 +0200

    core 198: Ship zlib-ng

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 3099c0947086fb3b46d5ee2a133181b5ea3d8117
Author: Adolf Belka
Date:   Wed Aug 13 18:30:15 2025 +0200

    zlib-ng: Update to version 2.2.5

    - Update from version 2.2.4 to 2.2.5
    - Update of rootfile
    - Changelog
        2.2.5
          Important fixes
          - RiscV: chunkset_rvv: fix SIGSEGV in CHUNKCOPY #1889
          - MSVC: Disable optimizations for AVX512 GET_CHUNK_MAG causing
            inflate failure #1884
          - Fix building with runtime CPU detection disabled (native) #1931
          - Also check for ZMM support when detecting VPCLMULQDQ support #1932
          - Revert "Clean up insert_match() in deflate_medium" due to
            performance regression #1938
          Buildsystem
          - Pass POSIX_C_SOURCE for std::aligned_alloc try_compile checks
            #1896
          - X86_AVX512VNNI: check for _mm256_dpbusd_epi32 too #1944
          - CMake: Fix incorrect declaration of FORCE_SSE2 #1880
          - CMake: Fix CXXFLAGS when coverage enabled #1902
          - CMake: Remove late enable_language calls #1903
          - CMake: [FreeBSD] Define _XOPEN_SOURCE for gtest_zlib #1900
          - CMake: Add bindir into zlib.pc.in for compatibility with Cygwin
            and Msys2 #1920
          - Configure: riscv: add bash configure script support for riscv
            #1904
          Tests/Benchmarks
          - Test: Fix pointer type mismatch #1897
          - Test: Add large 1mb buffer test for crc32 hashing #1913
          - Changes to running benchmark during tests #1892
          CI
          - CI: Restore support macOS prior 10.15 #1878
          - CI: fixes for RISC-V #1890
          - CI: Preinstall packages needed for testing and benchmark #1894
          - CI: Remove deprecated ubuntu-20.04 image from CI #1898
          - CI: Replace deprecated windows-2019 with windows-2022 #1923
          Misc
          - Add .gitignore to allow run tests with zlib-ng/corpora and local
            dataset from working copy #1930

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit bfdd30e6d3d3ebc2b1fb3f7a4b69f8501c616bd1
Author: Adolf Belka
Date:   Wed Aug 13 18:30:11 2025 +0200
    core 198: Ship sqlite

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 20a7653cbbcdbf11f46dc6a659c3c327a16b965c
Author: Adolf Belka
Date:   Wed Aug 13 18:30:14 2025 +0200

    sqlite: Update to version 3500400

    - Update from version 3500200 to 3500400
    - Update of rootfile
    - Changelog
        3500400
          Fix two long-standing cases of the use of uninitialized variables
          in obscure circumstances.
        3500300
          Fix a possible memory error that can occur if a query is made
          against an FTS5 index that has been deliberately corrupted in a
          very specific way.
          Fix the parser so that it ignores SQL comments in all places of a
          CREATE TRIGGER statement. This resolves a problem that was
          introduced by the introduction of the
          SQLITE_DBCONFIG_ENABLE_COMMENTS feature in version 3.49.0.
          Fix an incorrect answer due to over-optimization of an AND
          operator. Forum post f4878de3e.
          Fix minor makefile issues and documentation typos.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit e9a3f9090101523572c193ac39cf3356c8879b52
Author: Michael Tremer
Date:   Wed Aug 13 17:53:16 2025 +0000

    core198: Regenerate initramdisks (for early microcode)

    Signed-off-by: Michael Tremer

commit d2a25459554cd5511bd634b37e29472b811f2992
Author: Adolf Belka
Date:   Wed Aug 13 18:30:10 2025 +0200

    core 198: Ship intel-microcode

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit d16f78f4cd04095d1c39f5c504662b58f459920b
Author: Adolf Belka
Date:   Wed Aug 13 18:30:13 2025 +0200

    intel-microcode: Update to version 20250812

    - Update from version 20250512 to 20250812
    - Update of rootfile not required
    - Changelog
        20250812
          Security updates for INTEL-SA-01249
          Security updates for INTEL-SA-01308
          Security updates for INTEL-SA-01310
          Security updates for INTEL-SA-01311
          Security updates for INTEL-SA-01313
          Security updates for INTEL-SA-01367
          Update for functional issues. Refer to 13th/14th Gen Intel® Core™
          Processor Specification Update for details.
          Update for functional issues. Refer to 3rd Gen Intel® Xeon®
          Processor Scalable Family Specification Update for details.
          Update for functional issues. Refer to 4th Gen Intel® Xeon®
          Scalable Processors Specification Update for details.
          Update for functional issues. Refer to 5th Gen Intel® Xeon®
          Scalable Processors Specification Update for details.
          Update for functional issues. Refer to 6th Gen Intel® Xeon®
          Scalable Processors Specification Update for details.
          Update for functional issues. Refer to Intel® Core™ Ultra 200 V
          Series Processor for details.
          Update for functional issues. Refer to Intel® Core™ Ultra Processor
          for details.
          Update for functional issues. Refer to Intel® Core™ Ultra Processor
          (Series 2) for details.
          Update for functional issues. Refer to Intel® Xeon® 6700-Series
          Processor Specification Update for details.
          Update for functional issues. Refer to Intel® Xeon® D-2700
          Processor Specification Update for details.
          Details about new and updated platforms can be found at
          https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20250812

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit c5d4b8a3a876307b5b2035889917703c261a3b03
Author: Michael Tremer
Date:   Wed Aug 13 17:50:31 2025 +0000

    core198: Ship GRUB

    Signed-off-by: Michael Tremer

commit a00f6cba8409f012b27e39022bb67a809ed95857
Author: Adolf Belka
Date:   Mon Aug 11 11:35:16 2025 +0200

    grub: Fix CVEs by updating to version 2.12 with commit 0e36779

    - Update from version 2.12 to 2.12 and all commits up to 0e36779
    - Update of rootfiles for all architectures
    - Back in Feb 2025 20 CVEs were identified in Grub-2.12 and 73 security
      patches were applied. However there has been no movement to doing a
      fresh release. Arch Linux has just used the commits up to the last of
      the security patches. However since then they have also continued
      taking new snapshots of the grub git commits to do updates.
    - This patch takes the last commit in the grub master dated 11th July
      2025.
    - Built successfully also on aarch64 & riscv64
    - Tested out on my vm testbed. The grub screen worked as expected and
      the grub version has been made to show as 2.12.0e36779. This way any
      further update before version 2.13 is released will follow the same
      pattern of adding the number of the commit used in the snapshot.
    - The snapshot required the bootstrap script to be used. However this
      either needs internet access to download the gnulib git sources or
      requires a local copy of the gnulib git sources to be available.
      Therefore I took the snapshot and downloaded a local copy of the
      gnulib sources to my desktop build system and created a bootstrapped
      version of the snapshot, which is the source file I have provided into
      the sources and used by the lfs. This means that the autoconf -vfi
      command in the lfs is not needed. I just commented it out in case
      there is a release package in the future.
    - I am not sure if this will be merged into CU197 or wait for CU198.
    - As far as I can see all the CVEs require access to the grub system,
      which means local physical access, so I don't believe these are
      critical for the IPFire user base but it might be good for someone
      more experienced than me to check the CVEs.
    - Changelog
      For details of all changes then the grub git repo has to be looked at.
      https://gitweb.git.savannah.gnu.org/gitweb/?p=grub.git;a=shortlog;h=refs/heads/master
      There is no changelog of all the commits, except for a list of the
      CVEs that were identified and fixed in this update. These CVEs are
      listed below.

      CVE-2024-45775: commands/extcmd: Missing check for failed allocation
        In grub_extcmd_dispatcher() function grub2 calls
        grub_arg_list_alloc() to allocate memory for the grub's argument
        list, however it misses to check in case the memory allocation
        failed. Once the allocation failed, a NULL pointer will be processed
        by the parse_option() function leading grub to crash or in some rare
        scenarios corrupt the IVT data.

      CVE-2024-45776: grub-core/gettext: Integer overflow leads to Heap OOB
      Write and Read
        When reading a language .mo file in grub_mofile_open(), grub2 fails
        to check for an integer overflow when allocating its internal
        buffer. A crafted .mo file may cause the buffer size calculation to
        overflow, leading to out-of-bounds reads and writes. An attacker may
        leverage this flaw to leak sensitive data or overwrite critical data
        possibly leading to the circumvention of secure boot protections.

      CVE-2024-45777: grub-core/gettext: Integer overflow leads to Heap OOB
      Write
        The calculation of the translation buffer when reading a language
        .mo file in grub_gettext_getstr_from_position() may overflow leading
        to an out-of-bounds write. This may be leveraged by an attacker to
        overwrite sensitive grub2 heap data, eventually leading to the
        circumvention of secure boot protections.

      CVE-2024-45778: fs/bfs: Integer overflow in the BFS parser
        There's a stack overflow when reading a BFS file system. A crafted
        BFS filesystem may lead to an uncontrolled loop causing grub2 to
        crash.

      CVE-2024-45779: fs/bfs: Integer overflow leads to Heap OOB Read
      (Write?) in the BFS parser
        There's an integer overflow in the BFS file system driver. When
        reading a file with indirect extent map grub2 fails to validate the
        number of extent entries to be read. A crafted or corrupted BFS
        filesystem may cause an integer overflow during the file reading,
        leading to a heap out-of-bounds read. As consequence sensitive data
        may be leaked or the grub2 to crash.

      CVE-2024-45780: fs/tar: Integer Overflow causes Heap OOB Write
        When reading tar files, grub2 allocates an internal buffer for the
        file name however it fails to properly verify the allocation against
        possible integer overflows. It's possible to cause the allocation
        length to overflow with a crafted tar file leading to a heap
        out-of-bounds write, as consequence an attacker may leverage this to
        eventually circumvent secure boot protections.

      CVE-2024-45781: fs/ufs: OOB write in the heap
        When reading a symbolic link's name from a UFS filesystem, grub2
        fails to validate the string length taken as an input. The lack of
        validation may lead to a heap out-of-bounds write, causing data
        integrity issues and eventually allowing an attacker to circumvent
        secure boot protections.

      CVE-2024-45782: fs/hfs: strcpy() using the volume name (fs/hfs.c:382)
        When reading a HFS volume's name at grub_fs_mount(), the HFS
        filesystem driver performs a strcpy() using the user provided volume
        name as input without properly validating the volume name's length.
        This may lead to a heap based out-of-bounds write, impacting on
        grub's sensitive data integrity and eventually leading to secure
        boot protection bypass.

      CVE-2024-45783: fs/hfs+: refcount can be decremented twice
        When failing to mount an HFS+ filesystem, grub's hfsplus filesystem
        driver doesn't properly set an ERRNO value. This may lead to a NULL
        pointer access.

      CVE-2025-0622: command/gpg: Use-after-free due to hooks not being
      removed on module unload
        In some scenarios hooks created by loaded modules are not being
        removed when the related module is being unloaded. An attacker may
        leverage this by forcing the grub2 to call the hooks once the module
        which registered it was unloaded, leading to a use-after-free
        vulnerability. If correctly exploited this vulnerability may result
        in arbitrary code execution eventually allowing the attacker to
        by-pass secure boot protections.

      CVE-2025-0624: net: Out-of-bounds write in grub_net_search_config_file()
        During the network boot process when trying to search for the
        configuration file, grub copies data from a user controlled
        environment variable into an internal buffer using grub_strcpy()
        function. During this step it fails to consider the environment
        variable length when allocating the internal buffer, resulting in an
        out-of-bounds write. If correctly exploited this issue may result in
        remote code execution through the same network segment the grub is
        searching for the boot information, which can be used to by-pass
        secure boot protections.

      CVE-2025-0677: UFS: Integer overflow may lead to heap based
      out-of-bounds write when handling symlinks
        When performing a symlink lookup the grub's UFS module checks the
        inode's data size to allocate the internal buffer for reading the
        file content however it misses to check if the symlink data size has
        overflown. If that happens grub_malloc() may be called with a
        smaller value than needed, as consequence when further reading the
        data from disk into the buffer grub_ufs_lookup_symlink() function
        will write past the end of the allocated size. An attacker may
        leverage that by crafting a malicious filesystem and as a result it
        will corrupt data stored in the heap, it's possible that arbitrary
        code execution may be achieved through it and to be used to by-pass
        secure boot mechanisms.

      CVE-2025-0678: squash4: Integer overflow may lead to heap based
      out-of-bounds write when reading data
        When reading data from a squash4 filesystem, grub's squash4 fs
        module uses user-controlled parameters from the filesystem geometry
        to determine the internal buffers size, however it misses to
        properly check for integer overflows. A maliciously crafted
        filesystem may cause some of those buffer size calculations to
        overflow, causing it to perform a grub_malloc() operation with a
        smaller size than expected. As a result the direct_read() will
        perform a heap based out-of-bounds write during data reading. This
        flaw may be leveraged to corrupt grub's internal critical data and
        may result in arbitrary code execution by-passing secure boot
        protections.

      CVE-2025-0684: reiserfs: Integer overflow when handling symlinks may
      lead to heap based out-of-bounds write when reading data
        When performing a symlink lookup from a reiserfs filesystem, grub's
        reiserfs fs module uses user-controlled parameters from the
        filesystem geometry to determine the internal buffers size, however
        it misses to properly check for integer overflows. A maliciously
        crafted filesystem may cause some of those buffer size calculations
        to overflow, causing it to perform a grub_malloc() operation with a
        smaller size than expected. As a result the
        grub_reiserfs_read_symlink() will call grub_reiserfs_read_real()
        with an overflowed length parameter leading to a heap based
        out-of-bounds write during data reading. This flaw may be leveraged
        to corrupt grub's internal critical data and may result in arbitrary
        code execution by-passing secure boot protections.

      CVE-2025-0685: jfs: Integer overflow when handling symlinks may lead to
      heap based out-of-bounds write when reading data
        When reading data from a jfs filesystem, grub's jfs filesystem
        module uses user-controlled parameters from the filesystem geometry
        to determine the internal buffers size, however it misses to
        properly check for integer overflows. A maliciously crafted
        filesystem may cause some of those buffer size calculations to
        overflow, causing it to perform a grub_malloc() operation with a
        smaller size than expected. As a result the
        grub_jfs_lookup_symlink() function will write past the end of the
        internal buffer during grub_jfs_read_file(). This flaw may be
        leveraged to corrupt grub's internal critical data and may result in
        arbitrary code execution by-passing secure boot protections.

      CVE-2025-0686: romfs: Integer overflow when handling symlinks may lead
      to heap based out-of-bounds write when reading data
        When performing a symlink lookup from a romfs filesystem, grub's
        romfs filesystem module uses user-controlled parameters from the
        filesystem geometry to determine the internal buffers size, however
        it misses to properly check for integer overflows. A maliciously
        crafted filesystem may cause some of those buffer size calculations
        to overflow, causing it to perform a grub_malloc() operation with a
        smaller size than expected. As a result the
        grub_romfs_read_symlink() may cause out-of-bounds writes when
        calling grub_disk_read() function. This flaw may be leveraged to
        corrupt grub's internal critical data and may result in arbitrary
        code execution by-passing secure boot protections.

      CVE-2025-0689: udf: Heap based buffer overflow in grub_udf_read_block()
      may lead to arbitrary code execution
        When reading data from disk, the grub's UDF filesystem module
        utilizes the user controlled data length metadata to allocate its
        internal buffers. In certain scenarios, while iterating through disk
        sectors, it assumes the read size from the disk is always smaller
        than the allocated buffer size which is not guaranteed. A crafted
        filesystem image may lead to a heap-based buffer overflow resulting
        in critical data to be corrupted, resulting in the risk of arbitrary
        code execution by-passing secure boot protections.

      CVE-2025-0690: read: Integer overflow may lead to out-of-bounds write
        The read command is used to read the keyboard input from the user;
        while reading it keeps the input length in a 32-bit integer value
        which is further used to reallocate the line buffer to accept the
        next character. During this process, with a line big enough it's
        possible to make this variable overflow leading to an out-of-bounds
        write in the heap based buffer. This flaw may be leveraged to
        corrupt grub's internal critical data and secure boot bypass is not
        discarded as consequence.

      CVE-2025-1118: commands/dump: The dump command is not in lockdown when
      secure boot is enabled
        The grub's dump command is not blocked when grub is in lockdown
        mode. This allows the user to read any memory information, an
        attacker may leverage that in order to extract signatures, salts and
        other sensitive information from the memory.

      CVE-2025-1125: fs/hfs: Integer overflow may lead to heap based
      out-of-bounds write
        When reading data from a hfs filesystem, grub's hfs filesystem
        module uses user-controlled parameters from the filesystem metadata
        to calculate the internal buffers size, however it misses to
        properly check for integer overflows. A maliciously crafted
        filesystem may cause some of those buffer size calculations to
        overflow, causing it to perform a grub_malloc() operation with a
        smaller size than expected. As a result the
        hfsplus_open_compressed_real() function will write past the end of
        the internal buffer. This flaw may be leveraged to corrupt grub's
        internal critical data and may result in arbitrary code execution
        by-passing secure boot protections.
    Tested-by: Adolf Belka
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit b7583f1faa6cc59a5d5805090a10598345402d66
Author: Michael Tremer
Date:   Sun Aug 10 14:39:36 2025 +0000

    core198: Create /var/run/suricata on update

    Signed-off-by: Michael Tremer

commit 82269b9647e2430a0f12fcb9a0319ba499c3bdee
Author: Michael Tremer
Date:   Sun Aug 10 14:37:59 2025 +0000

    cleanfs: Create /var/run/suricata on boot

    Signed-off-by: Michael Tremer

commit 720b55a5a485d53b042bbf9c6e7e84e2d515b0bf
Author: Arne Fitzenreiter
Date:   Tue Aug 12 07:22:08 2025 +0200

    udev: fix rootfile on riscv

    Signed-off-by: Arne Fitzenreiter

commit 30cae58dd0be39699a95473e4abdbaace1d2f15f
Author: Michael Tremer
Date:   Fri Aug 8 15:10:39 2025 +0000

    core198: Ship graphs.pl

    Signed-off-by: Michael Tremer

commit 9a46d0806f10011e66794fed4ba04c85beca7ed2
Author: Michael Tremer
Date:   Tue Aug 5 11:44:51 2025 +0100

    IPS: Rename bypassed to "Offloaded"

    Bypassed seems to suggest to some people that the traffic was never
    looked at, when in fact the IPS is rather offloading anything it is no
    longer interested in. I think this is a better phrase.

    Signed-off-by: Michael Tremer

commit 6de4f7200ae09c5978215f178657e9451be58439
Author: Michael Tremer
Date:   Tue Aug 5 11:40:27 2025 +0100

    suricata: Create the SGH cache directory

    Signed-off-by: Michael Tremer

commit 0f388dc6d28383f9a5ac230f0dcea23b68b30f7d
Author: Michael Tremer
Date:   Tue Aug 5 11:34:13 2025 +0100

    suricata: Sync configuration with upstream

    There are not many big changes except that any new engines have been
    enabled and new defaults have been carried over from upstream.
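Editor's note on the GRUB CVE list in the grub commit above. Most of those entries (the gettext, tar, ufs, squash4, reiserfs, jfs, romfs and hfs ones) describe one bug class: a buffer size is derived from attacker-controlled on-disk metadata, the multiplication or addition wraps in 32-bit arithmetic, grub_malloc() is handed a size smaller than the data that is later read into the buffer, and the read becomes a heap out-of-bounds write. CVE-2025-0690 is the same wrap on the `read` command's keystroke counter. The C program below is an added illustration of that pattern and of the overflow-checked arithmetic that closes it; it is example code written for this page, not GRUB source, and `struct ondisk_header`, its field names, `TABLE_HDR_BYTES` and all function names are hypothetical. GRUB's tree wraps the same compiler builtins in its own safemath helpers; the example calls the builtins directly so it builds stand-alone with GCC or Clang.

```c
/*
 * Added example: undersized allocation from an unchecked 32-bit size
 * computation, and the checked form that rejects the crafted input.
 * Hypothetical structures and names; not GRUB code.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical on-disk metadata of the kind a filesystem driver or .mo
 * parser reads. Both fields come straight from the image, so an attacker
 * controls them, exactly like an extent count or symlink length. */
struct ondisk_header {
    uint32_t nentries;   /* number of fixed-size records that follow */
    uint32_t entry_size; /* size in bytes of each record             */
};

/* In-memory bookkeeping the parser places in front of the record table.
 * The constant is arbitrary for this example. */
#define TABLE_HDR_BYTES 16u

/* Vulnerable pattern: the size handed to the allocator is computed in the
 * same 32-bit width as the on-disk fields and nothing checks for wrap.
 * Returns the byte count that would be passed to grub_malloc()-style
 * allocation. For a crafted header this is far smaller than the data the
 * read loop will write. */
uint32_t table_alloc_size_unchecked(const struct ondisk_header *h)
{
    return h->nentries * h->entry_size + TABLE_HDR_BYTES;
}

/* Hardened pattern: every arithmetic step is overflow-checked, and the
 * function refuses the image instead of allocating an undersized buffer.
 * __builtin_mul_overflow / __builtin_add_overflow return true on wrap. */
bool table_alloc_size_checked(const struct ondisk_header *h, uint32_t *out)
{
    uint32_t bytes;
    if (__builtin_mul_overflow(h->nentries, h->entry_size, &bytes))
        return false;               /* nentries * entry_size wrapped */
    if (__builtin_add_overflow(bytes, TABLE_HDR_BYTES, &bytes))
        return false;               /* adding the header wrapped     */
    *out = bytes;
    return true;
}

/* Number of bytes the record-reading loop would actually write, computed
 * in 64 bits so it cannot wrap. Comparing it with the allocated size shows
 * whether the read would run past the end of the heap buffer. */
uint64_t bytes_the_read_loop_writes(const struct ondisk_header *h)
{
    return (uint64_t)h->nentries * h->entry_size + TABLE_HDR_BYTES;
}

/* true if a buffer of alloc_size bytes is large enough for the read loop */
bool read_stays_in_bounds(const struct ondisk_header *h, uint64_t alloc_size)
{
    return bytes_the_read_loop_writes(h) <= alloc_size;
}

int main(void)
{
    /* Constructed malicious header: 0x10000 * 0x10001 = 0x100010000,
     * which truncates to 0x10000 (65536) in 32 bits. */
    struct ondisk_header evil   = { .nentries = 0x10000u, .entry_size = 0x10001u };
    struct ondisk_header benign = { .nentries = 8u,       .entry_size = 64u };
    uint32_t sz;

    uint32_t bad = table_alloc_size_unchecked(&evil);
    printf("unchecked: allocates %u bytes, read loop writes %llu -> %s\n",
           bad, (unsigned long long)bytes_the_read_loop_writes(&evil),
           read_stays_in_bounds(&evil, bad) ? "in bounds" : "HEAP OVERFLOW");

    printf("checked:   crafted header %s\n",
           table_alloc_size_checked(&evil, &sz) ? "accepted" : "rejected");

    if (table_alloc_size_checked(&benign, &sz))
        printf("checked:   benign header needs %u bytes\n", sz);
    return 0;
}
```

The point of the 64-bit `bytes_the_read_loop_writes()` is only to make the discrepancy visible; the real fix is the early `return false`, which is what turns a heap corruption into a parse error before any allocation happens.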
    Signed-off-by: Michael Tremer

commit b141bee7923d7c738189d98c716bc2e8aa827edd
Author: Michael Tremer
Date:   Fri Aug 8 15:06:58 2025 +0000

    core198: Ship binutils

    Signed-off-by: Michael Tremer

commit 47d0118abbbdc2bfec798c6cb99e976820aec862
Author: Michael Tremer
Date:   Fri Aug 8 14:28:42 2025 +0000

    make.sh: Bump toolchain version

    Signed-off-by: Michael Tremer

commit 5015601b7a7128bfe1e4282c26f72c6cb5ecb031
Author: Michael Tremer
Date:   Fri Aug 8 14:28:41 2025 +0000

    binutils: Update to 2.45

    Signed-off-by: Michael Tremer

commit 5d503216b9757b228bc3020a976e9cd95b33b4fc
Author: Michael Tremer
Date:   Fri Aug 8 15:03:50 2025 +0000

    core198: Ship vectorscan

    Signed-off-by: Michael Tremer

commit 1fa9c1c12894f502f301fd1d2656cbdfe78e4090
Author: Adolf Belka
Date:   Tue Jul 22 23:22:08 2025 +0200

    vectorscan: Update to version 5.4.12

    - Update from version 5.4.11 to 5.4.12
    - Update of rootfile
    - Removal of patch for sse4.2 as changes now part of source tarball
    - Changelog
        5.4.12
          Multiple changes since last release, this will be the last 100%
          ABI and API compatible with Hyperscan release. Next versions will
          include major refactors and API extensions, it will be mostly
          backwards compatible however.
          Without particular order, platform support is now:
          * Linux (x86, Arm, Power)
          * FreeBSD 14 (x86, Arm, Power)
          * MacOS 14+ (x86, Arm)
          In total more than 200 configurations in the CI are tested for
          every PR.
          Other features:
          - Fat Runtime supported for Arm as well (ASIMD/SVE/SVE2).
          - Initial implementations for Arm SVE/SVE2 algorithms added, thanks
            to Yoan Picchi from Arm.
          - SIMDe support added, used as an alternative backend for existing
            platforms, but mostly interesting for allowing Vectorscan to
            build in new platforms without a supported SIMD engine.
          - Various speedups and optimizations.
          - Cppcheck and clang-tidy fixes throughout the code, both have been
            added to CI for multiple configurations, but only cppcheck
            triggers a build failure for now.
          Various bugfixes, most important listed:
          - Speed up truffle with 256b TBL instructions (#290)
          - Fix Clang Tidy warnings (#295)
          - Clang 17+ is more restrictive on rebind on MacOS/Boost, remove
            warning (#332)
          - partial_load_u64 will fail if buf == NULL/c_len == 0 (#331)
          - Bugfix/fix avx512vbmi regressions (#335)
          - fix missing hs_version.h header (closes #198)
          - hs_valid_platform: Fix check for SSE4.2 (#310)
          - Fixed out of bounds read in AVX512VBMI version of
            fdr_exec_fat_teddy … (#333)
          - Fix noodle SVE2 off by one bug (#313)
          - Make vectorscan accept \0 starting pattern (#312)
          - Fix 5.4.11's config step regression (#327)
          - Fix double shufti's vector end false positive (#325)

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 799b385d1075042ca0d0ab9485d149a208bc7762
Author: Michael Tremer
Date:   Fri Aug 8 15:02:39 2025 +0000

    core198: Ship suricata

    Signed-off-by: Michael Tremer

commit fb8caf7839080c860bd5cbd62d2d667b20dac970
Author: Adolf Belka
Date:   Tue Jul 22 18:55:43 2025 +0200

    suricata: Update to version 8.0.0

    - Update from version 7.0.11 to 8.0.0
    - Update of rootfile
    - patch file updated for disabling sid-2210059
    - Changelog
        8.0.0
          Security #7658: http2: global tx (stream id 0) may open file and
            never close it (HIGH - CVE 2025-53538)
          Bug #7798: dpdk: auto count of threads assigns more threads than
            affined
          Bug #7791: http: BUG_ON assertion reached in packet path
          Bug #7790: affinity: intermittent unittest failures
          Bug #7789: dpdk: compilation warning of a function without
            prototype
          Bug #7783: smtp: incorrect inspection window
          Bug #7752: decode: no parent packet flow for ip-in-ipv6
          Bug #7678: mpm/ac: error "Just ran out of space in the queue"
          Bug #7649: lib: suricata version in sys crate needs to be updated
            on build
          Bug #1484: src: BUG_ON(1) statements in the packet path
          Optimization #7643: excessive mtu messages at start up
          Optimization #7212: strtoul: replace with ByteExtractString variant
          Optimization #6264: mpm/ac-ks: reduce stack usage
          Optimization #4753: lua: fix inconsistency in the init "needs" key
          Documentation #7749: doc: update user manual section on RPMs
          Documentation #7723: doc/exceptions: review 'inspection'
            terminology
          Documentation #7648: rtd: set "latest" to last stable release
            starting with 8.0.0
          Documentation #7078: devguide: document current ffi naming style
          Documentation #6955: devguide: update coding-style docs
          Documentation #6566: userguide: add description for missing EVE
            krb fields
          Documentation #6288: eve/schema: generate tables of data for
            app-layer protocols
          Documentation #6252: userguide/install: move Ubuntu distros to
            their own page
          Documentation #6069: userguide/install: move RPM distros to their
            own page
          Documentation #6022: devguide: explain how the engine identifies
            applayer protocols
          Documentation #5911: userguide: update & bring guide for
            installation on Windows to RtD
          Task #7758: decode: add stats counters for ipv4/ipv6 over ipv4
          Task #7750: packaging: rpm for RHEL 10
          Task #7632: suricata-lua-sys: tag with a non-prerelease version
          Task #6941: lua: review and document lua rule return types
          Task #6814: libsuricata: opt-in signal handling
          Task #6359: detect/analyzer: add more details for the ICMP icode
            keyword
          Task #6262: tracking: reduce stack usage
        8.0.0-rc1
          Feature #7715: rules: add option to skip flow tracking for a packet
          Feature #7714: detect: add pre_flow rule hook
          Feature #7713: detect: add tcp.wscale keyword to match on TCP
            wscale option values
          Feature #7712: detect: add pre_stream rule hook
          Feature #7702: commandline: add --list-app-layer-hooks option
          Feature #7645: pgsql: add CopyIn subprotocol/mode
          Feature #7635: eve: include transaction count
          Feature #7599: mime: add email.received keyword
          Feature #7597: mime: add email.url keyword
          Feature #7593: mime: add email.message_id keyword
          Feature #7507: rules: ftp.completion_code keyword
          Feature #7506: rules: ftp.reply_received keyword
          Feature #7505: rules: ftp.mode keyword
          Feature #7504: rules: ftp.dynamic_port keyword
          Feature #7372: Datajson: a dataset evolution
          Feature #7047: eve: add ip version field
          Feature #7036: DPDK NUMA setup: choose correct CPUs from
            worker-cpu-set
          Feature #6805: cpu-affinity: enhance CPU affinity logic with
            per-interface NUMA preferences
          Feature #6695: tls: log extensions
          Feature #6259: pgsql: add `query` detection keyword
          Feature #5692: http: brotli content encoding for HTTP/1.1
          Feature #4099: app-layer: allow direct rule keyword registration
          Feature #3952: protocols: implement mDNS
          Feature #2290: lua: use script as transform
          Bug #7747: affinity: warnings in the granular thread affinity
            settings code
          Bug #7746: suricatasc does not handle reconnect
          Bug #7735: brotli: old crate version has integer underflow
          Bug #7732: http1: use cursor wrapper handling EOF for brotli
          Bug #7730: dcerpc: uint16 overflow (rust debug assertion)
          Bug #7725: decode/ipv4: missing ip-in-ip case handling
          Bug #7698: firewall: eve verdict field should state "accept"
            instead of alert
          Bug #7694: flow: elephant flow counts previous bytes revisiting an
            index
          Bug #7689: Dataset of type IP can't set IPv4
          Bug #7687: flow: non-TCP protocol timeout handling leads to
            missing flows
          Bug #7681: flow: race condition at shutdown leads to duplicate
            flows
          Bug #7671: lua: suricata-lua-sys needs to honor MSAN oss-fuzz flags
          Bug #7668: http: lack of setting updated_ts leads to firewall
            bypass
          Bug #7665: transaction rules: support filesize
          Bug #7653: ips: deconflict pass flow and drop packet rules
          Bug #7647: pgsql: empty request logged if password message disabled
          Bug #7634: hyperscan: coverity warnings
          Bug #7579: detect/files: local_file_id not incremented if
            inspection buffer is NULL
          Bug #7568: pcap: continuous file reading fails on an empty
            directory
          Bug #7549: detect: using different sticky buffers for byte_extract
            and byte_jump leads to undefined value before doing the jump
          Bug #7498: rust: cleanup of extern "C" functions and no_mangle
          Bug #7479: segfault using dummy config
            output.eve-log.types.alert.payload-buffer-size = 0
          Bug #7420: detect-engine: warning fgets could get negative value
          Bug #7390: byte_extract: issue with saved 'name' in distance
            keyword
          Bug #7374: dpdk: iface-copy should not be mandatory
          Bug #7344: build: build can sometimes fail copying the lua headers
            into place
          Bug #7285: Websocket compression mishandling
          Bug #7236: plugins: custom transaction loggers cannot be
            registered by a plugin
          Bug #7019: snmp: probing parser returns ALPROTO_FAILED instead of
            ALPROTO_UNKNOWN if slice.len() < 4
          Bug #7004: app-layer: wrong tx may be logged for stream rules
          Bug #6981: dpdk: compiler warnings about lossy integer precision
          Bug #6400: log of DNS answer is in wrong direction
          Bug #6186: Integer overflows 64 to 32 bytes
          Bug #5739: htp: handle alloc failure for user data
          Bug #5177: detect/analyzer: rule analyzer warns about http buffers
            usage
          Bug #4815: unix socket: ftp memcap missing from socket commands
          Bug #3436: suricatasc: crashing using command 'reopen-log-files'
          Optimization #7733: transforms: move base64 transform pure rust
          Optimization #7708: http1: add tx iterator
          Optimization #7529: detect/dns: move wrapper code from C to rust
          Optimization #7353: files: remove deprecated force-md5 config
            option
          Optimization #7292: CI: clang-format rechecks every main-7.0.x
            commit
          Optimization #7083: detect/dataset: skip adding localstatedir if
            fullpath is provided
          Task #7727: lua: suricata.log library
          Task #7673: libsuricata: rate_filter callback
          Task #7656: fast.lua: update script to reflect library use
          Task #7609: lua: suricata.util lib
          Task #7608: lua: turn tls into lib
          Task #7607: lua: turn ssh into lib
          Task #7606: lua: turn smtp into lib
          Task #7605: lua: turn ja3 into lib
          Task #7603: lua: turn hassh into lib
          Task #7598: mime: add email.x_mailer
          Task #7591: mime: add email.date keyword
          Task #7491: lua: turn file into lua lib
          Task #7490: lua: turn rule into lua lib
          Task #7487: lua: turn flowints into lib
          Task #7486: lua: turn flowvars
into lib Task #7461: suricata-verify: pass all tests Task #7079: rust: unify rust ffi style Task #7026: app-protos: trigger raw stream inspection Task #6573: rust: set new minimum Rust version for Suricata 8 Task #3695: research: libhwloc for better autoconfiguration Documentation #7683: mime: add email.attachment keyword Documentation #7329: doc: explain the priority ports setting Documentation #7143: doc: legacy keyword http_host used in examples Documentation #5485: userguide: explain that the http.header_names buffer is normalized 8.0.0-beta1 Feature #7644: pgsql: add CopyOut subprotocol/mode Feature #7633: dpdk: refrain from creating TX queues on zero TX descriptors Feature #7620: smb: configurable logging Feature #7596: mime: add email.to keyword Feature #7595: mime: add email.subject keyword Feature #7592: mime: add email.from keyword Feature #7588: mime: add email.cc keyword Feature #7565: dcerpc: rpc interfaces info in request event Feature #7533: detect/ldap: add ldap.request.attribute_type and ldap.request.attribute keywords, and same for responses Feature #7532: detect/ldap: add keywords for LDAPResult Feature #7517: detect: smtp.mail_from keyword Feature #7516: detect: smtp.rcpt_to keyword Feature #7515: detect: smtp.helo keyword Feature #7513: detect/integers: add support for negated strings when enum is used Feature #7508: rules: ftp.reply keyword Feature #7503: rules: ftp.command_data keyword Feature #7502: rules: ftp.command keyword Feature #7485: rules: allow specifying explicit hooks Feature #7482: eve/flow: log tcp session reuse as a timeout reason Feature #7481: rules/actions: explicit action scopes Feature #7477: ldap: add support for AbandonRequest Feature #7471: detect/ldap: add ldap.distinguished_name keywords for request and response Feature #7453: detect/ldap: add ldap.request.operation and ldap.response.operation keywords Feature #7433: eve/alert: enrich decoder event rules Feature #7403: requires: add ability to check for a rule keyword 
Feature #7382: dpdk: create separate packet mempools per queue Feature #7381: dpdk: when running with ice driver fully start only when link state change event is caught Feature #7380: dpdk: provide "auto" option for RX/TX descriptors Feature #7373: dpdk: provide "auto" option to mempool-size property Feature #7337: dpdk: implement configuration of RSS using rte_flow rules for major cards Feature #7330: dpdk: support HW VLAN stripping Feature #7320: flow: add user registerable flow update callbacks Feature #7319: flow: add user registerable flow initialization callback Feature #7311: http1: log invalid status as string Feature #7291: sdp: implements sticky buffer Feature #7243: lua: expose dataset functions Feature #7240: libsuricata: use provided threads and packets Feature #7204: sip: rustify sticky buffers Feature #7203: ldap: extend parser for udp Feature #7202: ldap: frame support Feature #7170: hyperscan: Cache Hyperscan databases to disk to speed up the startup Feature #7120: threshold: add backoff type Feature #7108: tls: ALPN keyword Feature #7098: eve: add payload length field Feature #7074: lua: expose base64 functions Feature #7073: lua: expose hashing functions (md5/sha1/sha256) Feature #7055: tls: log ALPN Feature #7051: websocket: data frame Feature #7045: tls-store: add support client certs Feature #7017: dns: add OPT rdata struct and parsing Feature #7012: rules: add dns.response sticky buffer Feature #7011: dns: additional section parsing and logging Feature #6967: multi-tenancy: support thresholding per tenant Feature #6943: pcap: datalink type 229 not (yet) supported in module PcapFile Feature #6939: lua: incremement stat when a lua rule exhausts its instruction count Feature #6857: iprep: support seeing if rule is part of a rep list Feature #6856: http: anomaly when request line is missing protocol Feature #6832: pcap/log: Support BPFs for filtering pcap output Feature #6827: arp: implement decoder and logger Feature #6822: threshold: support 
tracking by flow Feature #6788: bypass: decouple stream.bypass dependency from TLS encrypted bypass Feature #6739: dpdk: warn the user if user-settings are adjusted to the device capabilities Feature #6666: dns: add keyword for dns rrtype: dns.rrtype Feature #6648: detect: integer: support bitmasks Feature #6647: detect: integers: support for enumerations Feature #6646: detect: integer: support negated ranges Feature #6645: detect: integer parsed with hexadecimal notation Feature #6637: requires: add skipped rules to stats Feature #6627: sdp: add protocol parser and logger Feature #6621: dns: add keyword for dns rcode: dns.rcode Feature #6550: profiling/rules: allow enabling profiling for pcap file runs Feature #6546: detect/transform: strip_pseudo_headers Feature #6497: dns: new detection buffer: dns.query.name Feature #6496: dns: new detection buffer: dns.answer.name Feature #6487: detect/transform: from_base64 Feature #6480: plugins: allow plugins to specify the version of suricata they are for Feature #6455: txbits: support for new type of bits Feature #6439: rules: add to_lowercase transform Feature #6426: http2: app-layer-event and normalization when userinfo is in the :authority pseudo header for the http.host header Feature #6396: rules: add protocol string support for mqtt Feature #6379: ja4: support for TLS and QUIC Feature #6374: sip: add sticky buffers for headers Feature #6366: pop3: protocol detection Feature #6290: http: support case insensitive testing of header name existence Feature #6260: flow: flow matching excluding packet recursion level Feature #6215: flow/output: log triggered exception policy Feature #6164: rules: allow matching on flow pkts and bytes Feature #6090: eve/alert: missing dcerpc metadata Feature #6079: eve/dcerpc: eve/smb: log dcerpc uuid with request/response txs Feature #5976: eve/stats: allow hiding counters whose value is 0 Feature #5972: rules: "requires" keyword representing the minimum version of suricata to support the 
rule Feature #5839: dpdk: power saving mode Feature #5816: stats: exception policy counters Feature #5773: doh: support DNS over HTTPS (DoH) Feature #5743: http2: add frame support Feature #5734: ssh: add frame support Feature #5665: rules: bidirectional transaction matching Feature #5647: rules: mark flow as elephant flow Feature #5646: rules: allow matching on flow pkts and bytes in either direction Feature #5489: research: multi version rules; or version dependent rules Feature #5466: detect: allow alert-then-pass logic Feature #5446: rules: allow ranges in dns.opcode value Feature #5234: tls: subjectAltName buffer Feature #5082: smb: keyword for matching the SMB files Feature #5075: smb: keyword for the SMB version Feature #4974: eve: log rule references Feature #4905: smtp: add stream app-layer frame support Feature #4904: dcerpc: frames support Feature #4853: eve: Add information about Suricata version Feature #4777: lua: implement sandboxing Feature #4776: lua: vendor latest lua stable Feature #4321: http2: Support link between packets in the same stream Feature #4102: plugins: support creating app-layer parser, logger and detect Feature #3958: enip: convert protocol parser to rust Feature #3487: mime: multi-part parser in Rust Feature #3351: sip: parse traffic over tcp Feature #2816: vlan: support more than 2 layers Feature #2696: http: implement parser in rust Feature #2695: websocket support Feature #2486: prefilter/fast_pattern logic for flowbits Feature #2377: deprecate: ssh.softwareversion and ssh.protoversion Feature #2280: http: rules that match both request and response Feature #1971: lua: make mandatory Feature #1520: multi-tenancy: verbose output clarity Feature #1199: protocol: LDAP support Feature #1125: smtp: improve protocol detection Feature #1065: rules: introduce vlan id keyword Feature #845: stats: track memory consumption Security #7615: datasets: signature keyword setting can cause high memory usage(MODERATE - CVE 2025-29916) Security 
#7613: decode_base64: signature can do large memory allocation(HIGH - CVE 2025-29917) Security #7526: detect: infinite loop in DetectEngineContentInspectionInternal with negated pcre(HIGH - CVE 2025-29918) Security #7465: ldap: bound of number of transactions is not fully enforced Security #7464: doh2: buffer is not really limited to 65K as should be for DNS Security #7458: af-packet: defrag option can lead to truncated packets (HIGH - CVE 2025-29915) Security #7450: tracking: signature can allocate arbitrary amount of memory Security #7411: tcp: generic detection bypass using TCP urgent support (HIGH - CVE 2024-55629) Security #7393: tcp: segfault on StreamingBufferSlideToOffsetWithRegions (CRITICAL - CVE 2024-55627) Security #7366: bpf: oversized bpf file can lead to buffer overflow (MODERATE - CVE 2024-55626) Security #7280: dns: quadratic complexity in logging and invalid json as output(HIGH - CVE 2024-55628) Security #7267: ja4: non alphanumeric characters in alpn lead to panic (CRITICAL - CVE 2024-47522) Security #7229: detect: write to read-only memory in transforms (CRITICAL - CVE 2024-55605) Security #7209: thash: random factor not used; possible abusive hash collisions(CRITICAL - CVE 2024-47187) Security #7195: datasets: rule with unset makes suricata abort (HIGH - CVE 2024-45795) Security #7191: http: quadratic complexity in headers processing/finding (CRITICAL - CVE 2024-45797) Security #7183: smb: hashmap entries not removed for error responses Security #7104: http2: oom from duplicate headers(CRITICAL - CVE 2024-38535) Security #7085: eve: transactions can be logged an arbitrary number of times Security #7067: defrag: off by one leads to possible evasion (HIGH - CVE 2024-45796) Security #7040: defrag: id reuse can lead to invalid reassembly (CRITICAL - CVE 2024-37151) Security #7029: http/range: segv when http.memcap is reached (HIGH - CVE 2024-38536) Security #6987: modbus: txs without responses are never freed (MODERATE - CVE 2024-38534) Security 
#6902: base64: off-by-three overflow in DecodeBase64() (HIGH - CVE 2024-32664) Security #6900: http2: timeout logging headers(HIGH - CVE 2024-32663) Security #6892: http2: oom on copying compressed headers (CRITICAL - CVE 2024-32663) Security #6866: eve: excessive ssh long banner logging(HIGH - CVE 2024-28870) Security #6799: ssh: quadratic complexity in overlong banner (CRITICAL - CVE 2024-28870) Security #6796: output/filestore: slowdown because of running OutputTxLog on useless packets Security #6770: log: arbitrary-length value can be logged Security #6757: libhtp: quadratic complexity checking after request line missing protocol(CRITICAL - CVE 2024-28871) Security #6680: smb: pcap with many open files takes too much time Security #6675: ip-defrag: packet can be considered complete even with holes (MODERATE - CVE 2024-32867) Security #6669: ip defrag: re-assembly error in bsd policy (MODERATE - CVE 2024-32867) Security #6668: ip defrag: final overlapping packet can lead to "hole" in re-assembled data(MODERATE - CVE 2024-32867) Security #6493: ip defrag: several issues with overlap handling Security #6481: http2: quadratic complexity in find_or_create_tx not bounded by max-tx(CRITICAL - CVE 2024-23836) Security #6477: smtp: quadratic complexity from unbounded number of transaction per flow(CRITICAL - CVE 2024-23836) Security #6444: http1: quadratic complexity from infinite folded headers (CRITICAL - CVE 2024-23837) Security #6441: detect: heap use after free with http.request_header keyword (CRITICAL - CVE 2024-23839) Security #6411: pgsql: quadratic complexity leads to over consumption of memory (HIGH - CVE 2024-23835) Security #6299: mqtt: pcap with anomalies takes too long to process because of app-layer-event detection Security #5926: http2: evasion by splitting header fields over frames (HIGH - CVE 2024-24568) Security #5921: http1: configurable limit for maximum number of live transactions per flow(CRITICAL - CVE 2024-23836) Bug #7618: af-packet: setting 
bpf fails Bug #7577: detect/files: file.data does not use content passed when closing the file internally Bug #7567: dcerpc: assertion triggered !((res.needed + res.consumed < input_len)) Bug #7562: detect/flow: null deference in signature parsing Bug #7560: detect/krb5: undefined behavior with krb5.ticket_encryption when passing -INT32_MAX Bug #7556: quic: valid traffic blocked in IPS mode Bug #7554: tls: parser error on unACK'd data in FIN shutdown Bug #7552: app-layer: misdetection if response is seen first without request Bug #7548: dcerpc: avoid integer underflow Bug #7523: rules/prefilter: prefilter keyword ignored when in content rule Bug #7521: detect/ip-only: false positive alerts on pseudo packets ending a one direction flow Bug #7495: protocol detection: probing parsers do not finish as soon as possible Bug #7469: smtp: recognize when client initiated TLS Bug #7467: detect: checksum detection broken by stream.checksum-validation Bug #7466: lua: Flowvar memory leak Bug #7455: flow: flow timeout behavior non-deterministic Bug #7449: app-layer metadata does not get logged for stream rules and unidirectional protocols Bug #7447: NULL dereference in ThreadLogFileHashFreeFunc in bug-5198 SV test Bug #7444: dpdk: RSS key length missmatch on ice (E810) card with DPDK version 22.11.6 Bug #7440: eve/frame: incomplete frame logging Bug #7437: protocol detection : probing parsers are limited to 32 by use of bitflag Bug #7436: sip: remove UPDATE pattern as already used by HTTP/1.1 Bug #7435: fuzz: fix protocol detection target initialization sequence Bug #7422: tcp: GAP event set on unack'd data following a RST Bug #7418: requires: rules with unmet requirements are still loaded Bug #7417: rust: remove shared reference to static mutable Bug #7414: detect: decoder event rules fail to match on invalid packets Bug #7409: http: crash in strip_pseudo_headers transform Bug #7406: eve: Alerts with app_proto=tls no longer logs the tls app data Bug #7398: datasets: scan-build 
warning call to blocking fn inside critical section Bug #7394: ldap: support starttls with tls upgrade Bug #7365: flow-manager: multi Flow Manager memory leak problem Bug #7361: rules: unknown internal events not being detected as errors Bug #7359: eve/syslog: crashes on use Bug #7338: rust: different int types turn garbage on FFI boundary Bug #7334: asan/profiling: global-buffer-overflow error Bug #7333: tls: impossible to log alpns with 'custom' logging Bug #7332: tls: fix duplicate EVE field issuerdn Bug #7326: http: FN with prefilter if the first of multi buffer did not match Bug #7325: sdp: one or more time descriptions Bug #7323: mqtt: wrong and missing direction for keywords Bug #7318: flow: flow timeout pseudo packet triggers unexpected alert Bug #7315: template: remove usage of template-rust Bug #7314: misc/warnings: compile warnings during build Bug #7309: http: incorrect file direction handling Bug #7305: sdp: media's encryption key not logged Bug #7303: detect: memleak in case of errors during initialization Bug #7302: conf: memleak if yaml parser is initialized before checking if file exists Bug #7300: output: oversized records lead to invalid json Bug #7296: detect: transform base64 creates a 0-sized variable-length array Bug #7279: dns: protocol detection is not strict enough Bug #7270: conf: nullptr dereference if mem alloc fails for a node in yaml parser Bug #7264: detect/flow: ACK with data on 3whs fails to match 'flow:established' Bug #7256: ja3: Error: ja3: Buffer should not be NULL Bug #7253: fuzz: CIFuzz is not fuzzing PRs as it is supposed to Bug #7241: app-layer-protocol: negated matching false positive Bug #7238: app-layer: protocol flows are miscounted in case of error Bug #7235: tls: a rule stops working since 7.0.5 Bug #7230: dcerpc: invalid dcerpc header is not rejected Bug #7228: dns: no data logged, and no events with udp corrupt additional record Bug #7226: lua: use crate from crates.io instead of github to fix offline builds Bug 
#7218: profiling: packet profiling to log file is only active with rule profiling Bug #7213: frames: stream frame is not always the first one registered Bug #7210: docs: inconsistent spelling in documentation for RFB `security_result` key Bug #7206: cbindgen: comptability with newer version 0.27 Bug #7200: smtp: crash in ByteExtractString Bug #7199: detect: missing app-layer metadata in alerts Bug #7187: detect: dcerpc logging and matching issues Bug #7181: fuzz: File confyaml.c is missing Bug #7176: ldap: crash when encountering GAP Bug #7172: detect/integers: do not bother to free NULL pointer on setup/parse failure Bug #7169: lua/output: vendored lua search for modules in /usr/local/ rather than /usr/ Bug #7158: tcp: 'broken ack' event set on flow timeout Bug #7135: util/thash: debug assertion for memuse Bug #7126: decode/base64: Error message on packet path. Bug #7121: smb/ntlmssp: nonsense smb.ntlmssp.version values Bug #7115: dpdk: timestamping packets through TSC does not yield the same time as kernel time Bug #7113: pgsql: track 'progress' in tx per direction Bug #7111: protodetect: DNS flow direction is not correct sometimes Bug #7106: packet: app-layer-events incorrectly used on recycled packets Bug #7093: sip: wrong slice used for sip_take_line with tcp leads to quadratic oom Bug #7059: smtp: split name logged as 2 names Bug #7053: bypass: cannot bypass udp flow from first packet in second direction Bug #7049: util/radix-tree: Possible dereference of nullptr in case of unsuccess allocation of memory for node Bug #7048: af-packet: failure to start up on many threads plus high load Bug #7037: pcap/log: MacOS rotates file well before limit is reached Bug #7034: time: in offline mode, time can stay behind at pcap start Bug #7028: base64: heap buffer overflow in RFC 2045 and 4648 modes Bug #7025: websocket: wrong value for opcode ping/pong Bug #7022: unix-socket: iface-bypassed-stat crash Bug #7020: unix-socket: hostbit commands don't properly release host 
Bug #7013: rust: build with rust 1.78 with slice::from_raw_parts now requiring the pointer to be non-null Bug #7000: pgsql: trigger raw stream reassembly Bug #6994: sip/sdp: logget closes unopened array for empty medias Bug #6989: tls.random buffers don't work as expected Bug #6985: base64: coverity dead code warning Bug #6984: mqtt: do not log non-string messages? Bug #6983: eve/alert/metadata: no pgsql object encapsulation Bug #6973: detect: log relevant frames app-layer metdata Bug #6969: dataset: lookup function is not working with ip type Bug #6964: base64: consumed bytes are incorrectly set for different modes Bug #6959: http: improve handling of content encoding: gzip but request_body not actually compressed Bug #6957: Assert: BUG_ON(id <= 0 || id > (int)thread_store.threads_size); Bug #6954: eve: packet field packet_info.linktype is non-portable Bug #6948: detect/http.response_body: false positive because not enforcing direction to_client Bug #6942: decode/ppp: decoder.event.ppp.wrong_type on valid packet Bug #6940: lua: handle errors in lua rules Bug #6921: jsonbuilder: serializes Rust f64 NaNs to an invalid literal Bug #6918: pcre2: compile warning Bug #6913: reimplement systemd sd_notify w/o linking to libsystemd Bug #6906: smtp/mime: data command rejected by pipelining server does not reset data mode Bug #6904: mime: buffer overflow in GetFullValue() (util-decode-mime.c) Bug #6903: streaming buffer: heap overflows in StreamingBufferAppend()/StreamingBufferAppendNoTrack() Bug #6896: detect/port: upper boundary ports are not correctly handled Bug #6891: sip: usage of Vec instead of Vecdeque leads to quadratic complexity on cleanup Bug #6889: detect: slowdown in rule parsing Bug #6887: defrag: reassembled packet can have wrong datatype Bug #6883: rust: clippy 1.77 warning Bug #6881: detect/port: port grouping does not happen correctly if gap between a single and range port Bug #6877: Suricata 8 general protection fault ip:698117 sp:7fd537b08090 Bug #6875: 
output/alert: assertion failed p->flow != NULL Bug #6871: dpdk: fix compatibility issues for ice cards Bug #6864: detect: ipopts keyword false positive Bug #6861: profiling/rules: crash when profiling ends Bug #6846: eve/alerts: wrongly using tx id 0 when there is no tx Bug #6843: detect/port: port ranges are incorrect when a port is single as well as a part of range Bug #6839: coverity: warning in port grouping code Bug #6838: eve/filetypes: move from plugin api to eve api Bug #6837: netmap: error message Netmap pipes (with lb) Bug #6835: BUG_ON triggered from TmThreadsInjectFlowById Bug #6834: iprep: rule with '=,0' can't match Bug #6811: capture plugins: capture plugins unusable due to initialization order Bug #6790: dpdk: evaluate the correct handling of DPDK ports on shutdown Bug #6787: decode/pppoe: Suspicious pointer scaling Bug #6782: streaming/buffer: crash in HTTP body handling Bug #6778: detect/tls.certs: direction flag checked against wrong field Bug #6766: multi-tenancy: dead lock during tenant loading Bug #6762: hugepages: error for FreeBSD when kernel NUMA build option is not enabled Bug #6760: af-packet: hugepages Error for ARM64 and af-packet IPS mode Bug #6755: netmap: deadlock if netmap_open fails Bug #6753: detect/cip: missing return-value check for a 'scanf'-like function Bug #6745: util/mime: Memory leak at util-decode-mime.c:MimeDecInitParser Bug #6741: dpdk: automatic cache calculation is broken Bug #6737: dpdk: property configuration can lead to integer overflow Bug #6733: tcp: tcp flow flags changing incorrectly when ruleset contains content matching Bug #6732: eve/stats: parent interface object in stats contains VLAN-ID as keys Bug #6726: stream: stream.drop-invalid drops valid traffic Bug #6715: dpdk: NUMA warning on non-NUMA system Bug #6710: rules: failed rules after a skipped rule are recorded as skipped, not failed Bug #6678: datasets: discard datasets that hit the memcap while loading correctly Bug #6664: eve/smtp: attachment 
filenames not logged Bug #6661: detect/content-inspect: FN on negative distance Bug #6656: detect/requires: assertion failed !(ret == -4) Bug #6643: http: wrongly assuming http0.9 leads to missed headers Bug #6634: tls: Invalid ja3 due to double client hello Bug #6633: stats: flows with a detection-only alproto not accounted in this protocol Bug #6619: profiling: runtime much longer to run than it used to Bug #6618: endace: timestamp fixes Bug #6617: detect/filestore: flow, to_server was broken by moving files into transactions Bug #6615: detect/analyzer: misrepresenting negative distance value Bug #6592: mqtt: frames on TCP are not set properly when parsing multiple PDUs in one go Bug #6585: src: SCTIME_FROM_TIMESPEC() creates incorrect timestamps Bug #6584: src: SCTIME_ADD_SECS() macro zeros out ts.usec part Bug #6578: ssh: no alert on packet with Message Code: New Keys (21) Bug #6574: detect/filestore: memory leak on rule parsing Bug #6553: eve/alert: payload/payload_printable misrepresent data in case of overlaps Bug #6551: Invalid registration of prefiltering in stream size Bug #6547: http2: http.response_line has leading space Bug #6527: cppcheck 2.11 errors Bug #6501: eve/alert: missing TFTP metadata Bug #6500: eve/alert: missing FTP metadata Bug #6490: profiling: rule profiling doesn't support absolute paths Bug #6483: http.request_headers - odd behavior with multiple signtures Bug #6419: dpdk: Analyze hugepage allocation on startup more thoroughly Bug #6415: http: various header buffer not populated when malformed header value exists Bug #6414: detect-engine/port: recursive DetectPortInsert calls are expensive Bug #6408: Output plugins receive identifier, but not thread identifier Bug #6405: eve: ethernet src_mac should match src_ip Bug #6398: eve/stats: threads object in stats contains memcap_pressure scalars Bug #6393: detect/filestore: be more explicit about the U16_MAX limit per signature group head Bug #6390: detect/filestore: do not store if 
"both,flow" is triggered after the file was set to "nostore" Bug #6389: pgsql: u16 overflow found by oss-fuzz w/ quadfuzz Bug #6376: detect: huge increase on start up time with a lot of ip-only rules and bigger HOME_NET Bug #6347: log-pcap: crash with suricata.yaml setting max-file to 1 Bug #6305: drop: assertion failed !(PKT_IS_PSEUDOPKT(p)) && !PacketCheckAction(p, ACTION_DROP) Bug #6304: schema.json : if protocol such as ENIP is detection only, we do not have _tcp suffix in stats Bug #6281: dns: structure of query differs between "alert" and "dns" event types Bug #6280: base64: strict mode should only accept strings that can be reliably converted back Bug #6254: bypass: thread "FB" failed to start in time: flags 0003 Bug #6092: eve/alert: missing pgsql metadata Bug #6080: pgsql/probe: TCP on 5432 traffic incorrectly tagged as PGSQL Bug #5977: eve/alert: missing KRB5 metadata Bug #5539: landlock: coverity warnings Bug #5524: pgsql: parser should not error on parsing error, so as to keep on parsing the next PDUs Bug #5491: smtp: response 530 appears to generate an invalid response alert Bug #5486: eve: ethernet metadata is missing for some protocols or parts of a protocol Bug #5279: nom: use of count combinator can use too much memory Bug #5220: detect/base64_data: fast_pattern shouldn't be allowed Bug #5185: mime: URL extraction missing Bug #4921: detect/app-layer-protocol: unexpected results when one direction state "failed" Bug #4858: fuzz: Timeout with pcre Bug #4734: pfring: memory leak Bug #3910: datasets: for type string the memcap isn't applied to the string data Bug #3682: detect/bsize: error for impossible matching conditions Bug #2886: imap: protocol detection is incomplete Bug #2881: http.protocol parsing inaccuracy : accept spaces in URI Bug #2224: rules: negated http_* match returns false if buffer not populated Bug #1457: conf: non-standard units used for file size indication Optimization #7617: af-packet: set defrag based on passive or inline mode 
    Optimization #7558: detect: convert rule group dumping to JsonBuilder
    Optimization #7358: CI: only run CodeQL python if the PR contains changed files that are python
    Optimization #7304: detect: improve support for multi-protocol keywords
    Optimization #7297: src: remove duplicate function declarations
    Optimization #7272: af-packet: improve startup time
    Optimization #7208: tcp/reassemble: GetBlock takes O(nlgn) in worst case
    Optimization #7185: stats: exceptions: use search-friendly log output
    Optimization #7178: rfb: rustify keywords and app-layer registration
    Optimization #7155: pcap: use larger read size buffer for a performance increase
    Optimization #7087: app-layer: track modified transactions
    Optimization #7065: base64: move the decoder to rust
    Optimization #7044: app-layer: clean up truncate callbacks and logic
    Optimization #7018: dns/tcp: allow triggering raw stream reassembly
    Optimization #7002: detect: move pseudo packet checks out of keyword Match funcs
    Optimization #6938: packet: optimize packet data storage
    Optimization #6937: compile: make code clean with -Wunused-macros
    Optimization #6878: conf: quadratic complexity in yaml loader
    Optimization #6873: byte_extract: convert keyword/option parsing to Rust
    Optimization #6855: src: var code cleanups
    Optimization #6852: mpm/ac: support endswith
    Optimization #6821: smtp: add 535 code
    Optimization #6795: detect/port: PortGroupWhitelist fn takes a lot of processing time
    Optimization #6792: detect/port: port grouping is quite slow in worst cases
    Optimization #6786: util-rohash.c : make code cleaner to make CodeQL happier
    Optimization #6775: detect: do not run tx detection on tcp non established packets
    Optimization #6773: app-layer/template: no limit on txs number
    Optimization #6728: detect: prefilter for events (decode, stream, app-layer, etc...)
    Optimization #6718: detect/frames: avoid rescanning in IPS mode
    Optimization #6702: streaming-buffer: Explore Rank Balanced trees
    Optimization #6575: detect/multi-buffer: use single definition of struct PrefilterMpmKrb5Name
    Optimization #6569: threading: fix condition signalling w/o taking lock first
    Optimization #6454: detect: force os to release memory on rule reload
    Optimization #6433: packetpool: improve return sync logic
    Optimization #6387: mqtt: move parser registration code to the rust side
    Optimization #6111: defrag: avoid passing null pointers to functions
    Optimization #5699: dcerpc: switch to incomplete api for tcp
    Optimization #5672: smb: avoid unbounded hash maps
    Optimization #5634: detect: unify ValidateCallback for MD5-like keywords
    Optimization #5566: pgsql: add events
    Optimization #5517: decode: big clean up (macros and functions)
    Optimization #5311: ftp: use unsigned integer for input_len
    Optimization #5047: sip: implement pattern based protocol detection
    Optimization #4798: af-packet: default to tpacket-v3 in IDS mode
    Optimization #3827: output: clean up logging initialization code
    Optimization #3449: eve: output calls fflush very often
    Optimization #3427: datasets: issue warning/info for data with type string that are not base64
    Optimization #426: threshold: rule based thresholding data structure improvement
    Task #7604: lua: turn http into lib
    Task #7602: lua: turn dns into lib
    Task #7601: lua: turn dnp3 into lib
    Task #7492: lua: remove script_api_ver check from needs block
    Task #7489: lua: turn flow into lib
    Task #7488: lua: turn packet into lib
    Task #7456: engine/analysis: report rule state altered by flowbit rule
    Task #7426: flowint: add isnotset support
    Task #7350: firewall usecase: log app-layer metadata for catch-all drop rules
    Task #7341: rust: use bindgen to generate Rust bindings to C functions
    Task #7287: schema: add missing tls fields certificate and chain
    Task #7246: libhtp 0.5.49
    Task #7227: logging: document and cleanup low level logging registration
    Task #7219: rust/crates: update base64
    Task #7167: dns: make the version field in a dns object required
    Task #7165: napatech: move into bundled plugin
    Task #7162: pfring: move into bundled plugin
    Task #7154: plugins: add template detection plugin
    Task #7152: plugins: add template logger plugin
    Task #7151: plugins: add template app-layer plugin
    Task #7130: rust: dependency "time" fails to build on Rust nightly
    Task #7058: fuzz/base64: check decoded strings for correctness in strict mode
    Task #6965: libhtp 0.5.48
    Task #6962: yaml: unify 0 stats counter config option terminology
    Task #6961: lua: use a rust crate to vendor lua
    Task #6935: unittests: convert tests to new FAIL/PASS API - src/app-layer-htp.c
    Task #6888: contrib: remove obsolete items from contrib
    Task #6818: rust: snmp-parser 0.10.0
    Task #6817: rust: kerberos-parser 0.8.0
    Task #6769: libhtp 0.5.47
    Task #6748: doc: mention X710 RX descriptor limitation
    Task #6712: dependencies: completely remove nss
    Task #6705: build-info: remove obsolete "rust support" line
    Task #6605: flash decompression: update/remove deprecation warnings
    Task #6603: pgsql: don't log password msg if password disabled
    Task #6586: mpm/ac-bs: remove implementation
    Task #6577: pgsql: add cancel request message
    Task #6544: logging: deprecate syslog
    Task #6543: logging: deprecate http-log
    Task #6542: logging: deprecate tls-log
    Task #6488: plugins: add example plugins to the suricata source tree
    Task #6432: tracking: autofp capture stalls due to packetpool depletion
    Task #6427: runmodes: remove reference to auto modes
    Task #6360: detect/analyzer: add more details for the icmp_id keyword
    Task #6355: detect/analyzer: add more details for the tcp.mss keyword
    Task #6354: detect/analyzer: add more details for the tcp ack keyword
    Task #6353: detect/analyzer: add more details for the tcp seq keyword
    Task #6352: detect/analyzer: add more details for the tcp window keyword
    Task #6318: unittests: convert tests to new FAIL/PASS API - detect-engine-address-ipv4.c
    Task #6312: detect/analyzer: add more details for the flow.age keyword
    Task #6309: detect/analyzer: add more details for the flowbits keyword
    Task #6287: suricatasc: rewrite in rust
    Task #6209: libhtp 0.5.46
    Task #6107: unittests: convert tests to new FAIL/PASS API - util-memcmp.c
    Task #6050: base64: make a fuzz target
    Task #5626: doc: document file.data
    Task #5588: ips/tap: don't allow mixed tap and ips modes
    Task #5053: app-layer: dynamic alproto IDs
    Task #4742: build: make the auto-generated config.h not conflict with other config.h
    Task #4698: lib: Example program to bootstrap Suricata (an alternate main() for Suricata)
    Task #4683: detect: remove sigmatch_table in favor of a dynamic storage option
    Task #4105: plugins: Create template capture source plugin
    Task #4103: plugins: convert an app-layer to use the plugin API (snmp)
    Documentation #7540: doc/userguide: fix typo
    Documentation #7383: userguide: fix typo
    Documentation #7262: doc: remove mentions to suricata-6
    Documentation #7260: userguide/config: fix consistency of dashes instead of underscores
    Documentation #7153: devguide: document adding a detection plugin
    Documentation #7150: devguide: document adding a logging plugin
    Documentation #7149: devguide: document adding an app-layer plugin
    Documentation #7031: userguide: document SignatureProperties sigtype
    Documentation #6911: manpages: use consistent date based on release and/or git commits
    Documentation #6908: userguide: document how to verify tar.gz signature
    Documentation #6781: http: document duplicate headers concatenation handling
    Documentation #6725: document pcap file variables
    Documentation #6708: userguide/payload: fix explanation about bsize ranges
    Documentation #6686: docs: port userguide build instruction changes from master-6.0.x
    Documentation #6685: userguide: explain noalert keyword
    Documentation #6629: docs: fix byte_test examples
    Documentation #6628: userguide: document generic aspects of integer keywords
    Documentation #6599: docs: update eBPF installation instructions
    Documentation #6589: docs: fix broken bulleted list style on rtd
    Documentation #6570: remove references in docs mentioning prehistoric Suricata versions
    Documentation #6568: devguide: document backports policies and process
    Documentation #6552: doc: add tcp timeout fix to upgrade guide
    Documentation #6548: http2: http.stat_msg - note about HTTP/2 behavior
    Documentation #6445: userguide: explain what flow_id is
    Documentation #6076: eve/schema: document quic
    Documentation #5651: detect/bsize: format should specify operators
    Documentation #5494: userguide: update tls eve-log fields 'not_before' and 'not_after'
    Documentation #5393: devguide: move github workflow document from redmine into devguide
    Documentation #5088: detect/file.name: keyword is not documented
    Documentation #4359: docs: elaborate documentation for rule profiling
    Documentation #3015: userguide: document "tag" keyword

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 2271a47bf31682be8c0bb9319277339a86cc70be
Author: Michael Tremer
Date: Fri Aug 8 15:01:04 2025 +0000

    make.sh: Start Core Update 198

    Signed-off-by: Michael Tremer

commit 87e1047a08ca522f28807b3fde7a2f2faa75b733
Merge: 1f200cb1c ceb35099f
Author: Michael Tremer
Date: Fri Aug 8 14:55:49 2025 +0000

    Merge branch 'next'

commit ceb35099fa8af7c2ac85fa2487e1e5ec4e36d2ce
Author: Michael Tremer
Date: Fri Aug 8 14:55:27 2025 +0000

    make.sh: Update langs

    Signed-off-by: Michael Tremer

commit baee54153bd2a2f0fd126e98d9499f54169af6f3
Author: Adolf Belka
Date: Thu Aug 7 17:22:46 2025 +0200

    borgbackup: Fix bug13868 - add libxxhash to dependencies - forgotten in CU189

    - Add libxxhash to dependency list and increment PAK_VER.
    - Update of rootfile not required

    Fixes: bug13868
    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 0fb4546ddf85187a423ca56a7b012f5074d9c089
Author: Adolf Belka
Date: Thu Aug 7 17:22:45 2025 +0200

    bash: Update to patch level 3

    - Update from patch level 0 to 3
    - Update of rootfile not required
    - Changelog
        Patch 3
        Bash leaves internal quoting in place when expanding array subscripts that appear inside array subscripts in an arithmetic context, causing expansion failures.
        Patch 2
        There are too many differences in the various implementations of shm_open(2) to rely on it for bash's use.
        Patch 1
        In posix mode, `wait -n' with pid arguments does not restrict the set of processes it considers to those arguments.

    Signed-off-by: Adolf Belka
    Signed-off-by: Michael Tremer

commit 9983bc12ca0e1508aa4e3b69a9ce34f5caa685cd
Author: Michael Tremer
Date: Thu Aug 7 16:42:18 2025 +0000

    arpwatch: Fix rootfile

    Signed-off-by: Michael Tremer

commit ebfcb022fb29b17abfb6c8352e72274a72ca6dd6
Author: Michael Tremer
Date: Mon Aug 4 21:06:26 2025 +0000

    arpwatch: Fix download of ethercodes.dat

    Signed-off-by: Michael Tremer

commit 306516d99a8333ca7d91adba835c206ebbaf9b9b
Author: Michael Tremer
Date: Mon Aug 4 16:24:29 2025 +0200

    ovpnmain.cgi: Fix layout issues when editing N2N

    No functional changes.

    Signed-off-by: Michael Tremer

commit 52d53e52737f05ff8cba02c3245bcb74d1b8cfbe
Author: Michael Tremer
Date: Tue Jul 29 14:50:17 2025 +0000

    core197: Ship bonding changes

    Signed-off-by: Michael Tremer

commit 993d5838f31ceeef8bc103b177e6a95f371f36c3
Author: Michael Tremer
Date: Tue Jul 29 14:42:20 2025 +0000

    network: Ensure that we only run once at a time

    Signed-off-by: Michael Tremer

commit a5a1b2c2c16473990b9eee81cf9502af369bcdf6
Author: Michael Tremer
Date: Tue Jul 29 14:42:19 2025 +0000

    network: Add support for some more auxiliary zones

    Signed-off-by: Michael Tremer

commit dd67715a493e372936d815cd9d46904fa4681073
Author: Michael Tremer
Date: Tue Jul 29 14:42:18 2025 +0000

    network: Fail if no master device has been configured for slave zones

    Signed-off-by: Michael Tremer

commit 5152d450ff943eeea0be1c0aa1bcc87e1c89755a
Author: Michael Tremer
Date: Tue Jul 29 14:42:17 2025 +0000

    network: Rename the bridge hotplug script

    Since it is now creating more than just bridges, this had to have a new name.

    Signed-off-by: Michael Tremer

commit 991e99a4fbfca7f1992c4d57b2686a58bde05ef7
Author: Michael Tremer
Date: Tue Jul 29 14:42:16 2025 +0000

    network: Add support for bonds

    This is a bare-minimum implementation to realise this. It changes the bridge script because the two of them have quite a bit in common, so we should avoid further code duplication.

    Signed-off-by: Michael Tremer

commit 5c903c529978dff6c100819dff785ffc9b507a0b
Author: Michael Tremer
Date: Tue Jul 29 14:42:15 2025 +0000

    linux: Don't create bond0 when bonding is being loaded

    Signed-off-by: Michael Tremer

commit f5f70cb85c1537de6f760869f20cb29abc0a95f4
Author: Michael Tremer
Date: Tue Jul 29 14:38:20 2025 +0000

    firewall: Completely throw away any output when restarting Tor

    Signed-off-by: Michael Tremer