Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 22 Sep 2021 22:10:55 GMT
From:      Craig Leres <leres@FreeBSD.org>
To:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject:   git: 1d63728bf1f6 - main - security/vuxml: Mark zeek < 4.0.4 as vulnerable as per:
Message-ID:  <202109222210.18MMAt1j041355@gitrepo.freebsd.org>

next in thread | raw e-mail | index | archive | help
The branch main has been updated by leres:

URL: https://cgit.FreeBSD.org/ports/commit/?id=1d63728bf1f6d2710841f5d6bee89a7905fbc7a8

commit 1d63728bf1f6d2710841f5d6bee89a7905fbc7a8
Author:     Craig Leres <leres@FreeBSD.org>
AuthorDate: 2021-09-22 22:09:30 +0000
Commit:     Craig Leres <leres@FreeBSD.org>
CommitDate: 2021-09-22 22:09:30 +0000

    security/vuxml: Mark zeek < 4.0.4 as vulnerable as per:
    
        https://github.com/zeek/zeek/releases/tag/v4.0.4
    
     - Paths from log stream make it into system() unchecked, potentially
       leading to commands being run on the system unintentionally.
       This requires either bad scripting or a malicious package to be
       installed, and is considered low severity.
    
     - Fix potential unbounded state growth in the PIA analyzer when
       receiving a connection with either a large number of zero-length
       packets, or one which continues ack-ing unseen segments. It is
       possible to run Zeek out of memory in these instances and cause
       it to crash. Due to the possibility of this happening with packets
       received from the network, this is a potential DoS vulnerability.
---
 security/vuxml/vuln-2021.xml | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/security/vuxml/vuln-2021.xml b/security/vuxml/vuln-2021.xml
index f36c9d6900f2..b79e50b7a119 100644
--- a/security/vuxml/vuln-2021.xml
+++ b/security/vuxml/vuln-2021.xml
@@ -1,3 +1,40 @@
+  <vuln vid="d4d21998-bdc4-4a09-9849-2898d9b41459">
+    <topic>zeek -- several vulnerabilities</topic>
+    <affects>
+      <package>
+	<name></name>
+	<range><lt>4.0.4</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Tim Wojtulewicz of Corelight reports:</p>
+	<blockquote cite="https://github.com/zeek/zeek/releases/tag/v4.0.4">;
+	  <p> Paths from log stream make it into system() unchecked,
+	  potentially leading to commands being run on the system
+	  unintentionally. This requires either bad scripting or a
+	  malicious package to be installed, and is considered low
+	  severity. </p>
+	  <p> Fix potential unbounded state growth in the PIA
+	  analyzer when receiving a connection with either a large
+	  number of zero-length packets, or one which continues
+	  ack-ing unseen segments. It is possible to run Zeek out
+	  of memory in these instances and cause it to crash. Due
+	  to the possibility of this happening with packets received
+	  from the network, this is a potential DoS vulnerability.
+	  </p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://github.com/zeek/zeek/releases/tag/v4.0.4</url>;
+    </references>
+    <dates>
+      <discovery>2021-08-26</discovery>
+      <entry>2021-09-22</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="7bba5b3b-1b7f-11ec-b335-d4c9ef517024">
     <topic>mod_auth_mellon -- Redirect URL validation bypass</topic>
     <affects>



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202109222210.18MMAt1j041355>