Clayton Casciato
1dcf90fa42
suricata: update 7.0.13 -> 8.0.4
...
8.0.0 [1]:
Increased Rust use (including libhtp, suricatactl, and suricatasc)
More protocols
Lua sandboxed and available by default
8.0.4 [2]: security, performance, accuracy, and stability fixes
Resolve startup warning [3]:
W: af-packet: eth0: AF_PACKET tpacket-v3 is recommended for non-inline
operation
Add "ja4" option for fingerprinting TLS and QUIC clients [4]
CFLAGS modification for (see [5]):
do_package_qa: QA Issue: File /usr/bin/.debug/suricata in package
suricata-dbg contains reference to TMPDIR [buildpaths]
SURICATA_LUA_SYS_HEADER_DST [6]
[1] https://suricata.io/2025/07/08/suricata-8-0-0-released/
[2] https://suricata.io/2026/03/17/suricata-8-0-4-and-7-0-15-released/
[3] https://docs.suricata.io/en/suricata-8.0.4/upgrade.html#id1
[4] https://github.com/OISF/suricata/pull/10836
[5] https://git.openembedded.org/openembedded-core/commit/?id=3239961e35434592c06ec2cae2885ab464d35744
[6] https://github.com/OISF/suricata/commit/3a7eef812198118fa0b96059e70074bec5a8cdbe
Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com >
(added musl libunwind fix)
Signed-off-by: Scott Murray <scott.murray@konsulko.com >
2026-04-27 21:46:41 +03:00
Clayton Casciato
c32a913012
suricata: add PACKAGECONFIG[seccomp] - MemoryDenyWriteExecute
...
Add option to prevent memory mappings that are both writable and
executable.
https://www.freedesktop.org/software/systemd/man/255/systemd.exec.html#MemoryDenyWriteExecute=
Core Suricata developer:
https://github.com/jasonish/suricata-rpms/blob/a606a810325dd0a4f3ee45b2756b96bda28e590b/7.0/suricata-4.1.1-service.patch#L23
Fedora:
https://src.fedoraproject.org/rpms/suricata/c/cfb3b996f54d28018cd01f9c6b9ecb77e59f344d
Resolve SELinux AVC denial:
type=PROCTITLE proctitle=/usr/bin/suricata
-c /etc/suricata/suricata.yaml -i eth0
type=SYSCALL arch=aarch64 syscall=mprotect success=no
exit=EACCES(Permission denied) a0=0x7fffa7d04000 a1=0x4000
a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=0x21 items=0 ppid=1 pid=283
auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root
sgid=root fsgid=root tty=(none) ses=unset comm=Suricata-Main
exe=/usr/bin/suricata subj=system_u:system_r:initrc_t:s0 key=(null)
type=AVC avc: denied { execmem } for pid=283 comm=Suricata-Main
scontext=system_u:system_r:initrc_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=process
Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com >
Signed-off-by: Scott Murray <scott.murray@konsulko.com >
2026-01-16 23:24:59 +02:00
Clayton Casciato
fbb8343cf8
suricata: update to 7.0.12
...
Also update libhtp to required version 0.5.52.
See suricata release notes for more details about changes and
CVEs fixed:
https://suricata.io/2024/02/08/suricata-7-0-3-and-6-0-16-released/
https://suricata.io/2024/03/19/suricata-7-0-4-and-6-0-17-released/
https://suricata.io/2024/04/23/suricata-7-0-5-and-6-0-19-released/
https://suricata.io/2024/06/27/suricata-7-0-6-and-6-0-20-released/
https://suricata.io/2024/10/01/suricata-7-0-7-released/
https://suricata.io/2024/12/12/suricata-7-0-8-released/
https://suricata.io/2025/03/18/suricata-7-0-9-released/
https://suricata.io/2025/07/08/suricata-7-0-11-released/
https://suricata.io/2025/09/16/suricata-8-0-1-and-7-0-12-released/
Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com >
2025-11-12 14:17:55 -05:00
Clayton Casciato
ca34a66f82
suricata: fix "interface" arg in systemd service
...
Fix service startup
https://docs.suricata.io/en/suricata-7.0.0/command-line-options.html#cmdoption-i
Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com >
Signed-off-by: Scott Murray <scott.murray@konsulko.com >
2025-07-18 09:48:15 -04:00
Armin Kuster
e3a61e6e81
libhtp: update to 0.5.50
...
drop CVE-2024-45797.patch now included
Signed-off-by: Armin Kuster <akuster808@gmail.com >
2025-04-13 14:07:57 -04:00
Hitendra Prajapati
6b50c7c29e
libhtp: fix CVE-2024-45797
...
Upstream-Status: Backport from https://github.com/OISF/libhtp/commit/0d550de551b91d5e57ba23e2b1e2c6430fad6818
Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
2024-11-24 20:15:36 -05:00
Siddharth Doshi
f0deac3787
Suricata: Security Fix for CVE-2024-37151, CVE-2024-38534, CVE-2024-38535, CVE-2024-38536
...
Upstream-Status: Backport from [https://github.com/OISF/suricata/commit/aab7f35c76721df19403a7c0c0025feae12f3b6b , https://github.com/OISF/suricata/commit/a753cdbe84caee3b66d0bf49b2712d29a50d67ae , https://github.com/OISF/suricata/commit/c82fa5ca0d1ce0bd8f936e0b860707a6571373b2 , https://github.com/OISF/suricata/commit/2bd3bd0e318f19008e9fe068ab17277c530ffb92 ]
CVE's Fixed:
CVE-2024-37151 suricata: suricata: packet reassembly failure, which can lead to policy bypass
CVE-2024-38534 suricata: suricata: Crafted modbus traffic can lead to unlimited resource accumulation within a flow
CVE-2024-38535 suricata: Suricata: can run out of memory when parsing crafted HTTP/2 traffic
CVE-2024-38536 suricata: NULL pointer dereference when http.memcap is reached
Signed-off-by: Siddharth Doshi <sdoshi@mvista.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
2024-07-29 20:07:01 -04:00
Armin Kuster
254b6094b5
suricata: Update to 7.0.0
...
refersh patches
update libhtp
Signed-off-by: Armin Kuster <akuster808@gmail.com >
2023-09-25 09:45:11 -04:00
Martin Jansa
df8a1eb479
*.patch: fix malformed Upstream-Status and SOB lines
...
* as reported by openembedded-core/scripts/contrib/patchreview.py -v .
Malformed Signed-off-by 'Signed-Off-By:' (./recipes-mac/AppArmor/files/crosscompile_perl_bindings.patch)
Malformed Signed-off-by 'Signed-Off-By:' (./recipes-mac/AppArmor/files/disable_perl_h_check.patch)
Missing Upstream-Status tag (./recipes-compliance/scap-security-guide/files/0001-standard.profile-expand-checks.patch)
Malformed Upstream-Status 'Malformed Upstream-Status in patch ./recipes-ids/samhain/files/samhain-not-run-ptest-on-host.patch
Malformed Upstream-Status 'Malformed Upstream-Status in patch ./recipes-ids/samhain/files/samhain-pid-path.patch
Malformed Upstream-Status 'Malformed Upstream-Status in patch ./recipes-ids/suricata/files/fixup.patch
Malformed Upstream-Status 'Malformed Upstream-Status in patch ./recipes-scanners/clamav/files/fix2_libcurl_check.patch
Malformed Upstream-Status 'Malformed Upstream-Status in patch ./recipes-security/ecryptfs-utils/files/ecryptfs-utils-CVE-2016-6224.patch
Malformed Upstream-Status 'Malformed Upstream-Status in patch ./recipes-security/isic/files/configure_fix.patch
Malformed Upstream-Status 'Malformed Upstream-Status in patch ./recipes-security/krill/files/panic_workaround.patch
Malformed Upstream-Status 'Malformed Upstream-Status in patch ./recipes-security/opendnssec/files/libdns_conf_fix.patch
Malformed Upstream-Status 'Malformed Upstream-Status in patch ./recipes-security/opendnssec/files/libxml2_conf.patch
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
2023-06-25 15:05:28 -04:00
Armin Kuster
818a8646a6
suricata: rust is in core
...
drop dynamic-layer
Signed-off-by: Armin Kuster <akuster808@gmail.com >
2021-08-26 21:45:14 -07:00
Armin Kuster
7a1691c037
suricata: Drop 4.1.x its EOL
...
Signed-off-by: Armin Kuster <akuster808@gmail.com >
2021-07-28 18:21:25 -07:00
Christopher Larson
36d656fe72
suricata: add tmpfiles.d config
...
This is needed to ensure our /var/log directory is created when using
systemd.
Signed-off-by: Christopher Larson <chris_larson@mentor.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
2019-11-27 13:38:58 -08:00
Armin Kuster
18de9e5bf9
suricata/libhtp: update to 4.1.5/0.5.31
...
same sources
refresh patch
drop rules tar ball
Signed-off-by: Armin Kuster <akuster808@gmail.com >
2019-10-08 15:54:52 -07:00
Armin Kuster
d75dc96fa3
suricata: update to 4.1.4
...
Backport patch to fix build against newer kernels.
Signed-off-by: Armin Kuster <akuster808@gmail.com >
2019-09-07 08:34:22 -07:00
Armin Kuster
1460d9b86d
reorg ids: move ids recipes to recipes-ids
...
Signed-off-by: Armin Kuster <akuster808@gmail.com >
2019-03-31 10:37:09 -07:00