[
https://issues.apache.org/jira/browse/METRON-1658?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16538876#comment-16538876
]
ASF GitHub Bot commented on METRON-1658:
----------------------------------------
GitHub user JonZeolla opened a pull request:
https://github.com/apache/metron/pull/1101
METRON-1658: Upgrade bro to 2.5.4
## Contributor Comments
This upgrades bro to 2.5.4. The changes are all security or bugfix related
and shouldn't impact anything in the way of Metron configs.
### Testing
```
cd metron-deployment/development/centos6
vagrant --ansible-skip-tags='' up
vagrant ssh
sudo su -
export PATH=$PATH:/usr/local/bro/bin
if [[ "$(bro -v)" == "bro version 2.5.4" ]]; then echo 'Success!'; else
echo 'ERROR: Not running bro 2.5.4'; fi
```
You could also take a look at the testing steps in apache/metron#844 if you
want to do some more thorough validation.
### Release Notes
**Bro 2.5.3**
- Security fixes
- Bro 2.5.3 fixes a security issue in Binpac generated code. In some
cases the code generated by binpac could lead to an integer overflow which can
lead to out of bound reads and allow a remote attacker to crash Bro; there is
also a possibility that this can be exploited in other ways.
**Bro 2.5.4**
- Security fixes
- Multiple fixes and improvements to BinPAC generated code related to
array parsing, with potential impact to all Bro’s BinPAC-generated analyzers in
the form of buffer over-reads or other invalid memory accesses depending on
whether a particular analyzer incorrectly assumed that the
evaulated-array-length expression is actually the number of elements that were
parsed out from the input.
- The NCP analyzer (not enabled by default and also updated to actually
work with newer Bro APIs in the release) performed a memory allocation based
directly on a field in the input packet and using signed integer storage. This
could result in a signed integer overflow and memory allocations of negative or
very large size, leading to a crash or memory exhaustion. The new
NCP::max_frame_size tuning option now limits the maximum amount of memory that
can be allocated.
- Bug fixes
- A memory leak in the SMBv1 analyzer.
- The MySQL analyzer was generally not working as intended, for example,
it now is able to parse responses that contain multiple results/rows.
## Pull Request Checklist
Thank you for submitting a contribution to Apache Metron.
Please refer to our [Development
Guidelines](https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=61332235)
for the complete guide to follow for contributions.
Please refer also to our [Build Verification
Guidelines](https://cwiki.apache.org/confluence/display/METRON/Verifying+Builds?show-miniview)
for complete smoke testing guides.
In order to streamline the review of the contribution we ask you follow
these guidelines and ask you to double check the following:
### For all changes:
- [X] Is there a JIRA ticket associated with this PR? If not one needs to
be created at [Metron
Jira](https://issues.apache.org/jira/browse/METRON/?selectedTab=com.atlassian.jira.jira-projects-plugin:summary-panel).
- [X] Does your PR title start with METRON-XXXX where XXXX is the JIRA
number you are trying to resolve? Pay particular attention to the hyphen "-"
character.
- [X] Has your PR been rebased against the latest commit within the target
branch (typically master)?
### For code changes:
- [ ] Have you included steps to reproduce the behavior or problem that is
being changed or addressed?
- [X] Have you included steps or a guide to how the change may be verified
and tested manually?
- [ ] Have you ensured that the full suite of tests and checks have been
executed in the root metron folder via:
```
mvn -q clean integration-test install &&
dev-utilities/build-utils/verify_licenses.sh
```
- [ ] Have you written or updated unit tests and or integration tests to
verify your changes?
- [ ] If adding new dependencies to the code, are these dependencies
licensed in a way that is compatible for inclusion under [ASF
2.0](http://www.apache.org/legal/resolved.html#category-a)?
- [X] Have you verified the basic functionality of the build by building
and running locally with Vagrant full-dev environment or the equivalent?
### For documentation related changes:
- [ ] Have you ensured that format looks appropriate for the output in
which it is rendered by building and verifying the site-book? If not then run
the following commands and the verify changes via
`site-book/target/site/index.html`:
```
cd site-book
mvn site
```
#### Note:
Please ensure that once the PR is submitted, you check travis-ci for build
issues and submit an update to your PR as soon as possible.
It is also recommended that [travis-ci](https://travis-ci.org) is set up
for your personal repository such that your branches are built there before
submitting a pull request.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/JonZeolla/metron METRON-1658
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/metron/pull/1101.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #1101
----
commit f85946e73ae95fee5b556468586e3b0fc3d3206d
Author: Jon Zeolla <zeolla@...>
Date: 2018-07-10T14:55:32Z
METRON-1658: Upgrade bro to 2.5.4
----
> Upgrade bro to 2.5.4
> --------------------
>
> Key: METRON-1658
> URL: https://issues.apache.org/jira/browse/METRON-1658
> Project: Metron
> Issue Type: Improvement
> Reporter: Jon Zeolla
> Assignee: Jon Zeolla
> Priority: Minor
>
> We're currently running Bro 2.5.2, and two releases have come out, both
> fixing some security issues, and 2.5.4 also contains a couple of bugfixes.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
