Bug#928294: unblock: suricata/4.1.4-1

2019-05-11 Thread Paul Gevers
Control: tags -1 moreinfo

Hi Pierre,

On Wed, 1 May 2019 14:24:06 +0200 Pierre Chifflier wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Although it is an upstream release, please unblock suricata 4.1.4-1 for
> buster.
> Suricata is an Intrusion Detection System (IDS), which makes it
> exposed to malicious traffic by design. The upstream release 4.1.4 fixes
> several bugs and security issues (no CVE numbers).
> 
> The debdiff since 4.1.3 is too big to be included here (it contains
> updates to many auto-generated files like configure), so I'm adding the
> upstream changelog here:
> 
> Changes
> 
> Bug #2870: pcap logging with lz4 coverity warning
> Bug #2883: ssh: heap buffer overflow
> Bug #2884: mpls: heapbuffer overflow in file decode-mpls.c
> Bug #2887: decode-ethernet: heapbuffer overflow in file decode-ethernet.c
> Bug #2888: 4.1.3 core in HCBDCreateSpace
> Bug #2894: smb 1 create andx request does not parse the filename correctly
> Bug #2902: rust/dhcp: panic in dhcp parser
> Bug #2903: mpls: cast of misaligned data leads to undefined behavior
> Bug #2904: rust/ftp: panic in ftp parser
> Bug #2943: rust/nfs: integer underflow
> This release includes Suricata-Update 1.0.5

You even forgot to include half the changes since buster, as you missed
the changes in 4.1.3 (buster has 4.1.2).

> I hope the new version can be included.

Can you please investigate how severe the issues being fixed are? The
current delta with buster is big and not in line with the freeze policy,
as I can't say that this is a targeted fix. Are all these issues
important or serious?

Can you also please give us a risk assessment for the unblock? If buster
were already released, would you have requested the same update?

Paul


Bug#928294: unblock: suricata/4.1.4-1

2019-05-01 Thread Pierre Chifflier
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Although it is an upstream release, please unblock suricata 4.1.4-1 for
buster.
Suricata is an Intrusion Detection System (IDS), which makes it
exposed to malicious traffic by design. The upstream release 4.1.4 fixes
several bugs and security issues (no CVE numbers).

The debdiff since 4.1.3 is too big to be included here (it contains
updates to many auto-generated files like configure), so I'm adding the
upstream changelog here:

Changes

Bug #2870: pcap logging with lz4 coverity warning
Bug #2883: ssh: heap buffer overflow
Bug #2884: mpls: heapbuffer overflow in file decode-mpls.c
Bug #2887: decode-ethernet: heapbuffer overflow in file decode-ethernet.c
Bug #2888: 4.1.3 core in HCBDCreateSpace
Bug #2894: smb 1 create andx request does not parse the filename correctly
Bug #2902: rust/dhcp: panic in dhcp parser
Bug #2903: mpls: cast of misaligned data leads to undefined behavior
Bug #2904: rust/ftp: panic in ftp parser
Bug #2943: rust/nfs: integer underflow
This release includes Suricata-Update 1.0.5

I hope the new version can be included.

Best regards,
Pierre