UNCLASSIFIED - NO CUI


Update dependency zeek/zeek to v6.0.1

renovate requested to merge renovate/zeek-zeek-6.0.x into development

This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| zeek/zeek | patch | v6.0.0 -> v6.0.1 |

Dependency Lookup Warnings

Warnings were logged while processing this repo. Please check the logs for more information.


Release Notes

zeek/zeek

v6.0.1


This release fixes the following security issues:

  • File extraction limits were not correctly enforced for files containing large amounts of missing bytes. Crafting files with large amounts of missing bytes in them could cause Zeek to spend a long time processing data, allocate a lot of main memory, and write a lot of data to disk. Due to the possibility of receiving these packets from remote hosts, this is a DoS risk. The fix included makes Zeek correctly enforce file size limits. We also added a new option (default_limit_includes_missing) which allows customizing the behavior when encountering large amounts of missed bytes in a file. This issue was discovered by Luca Cigarini.

  • Sessions are sometimes not cleaned up completely within Zeek during shutdown, potentially causing a crash when using the -B dpd flag for debug logging. This is low priority because it only happens at shutdown and only when using that flag. The fix included is to reorder shutdown to clean up all the sessions prior to tearing down the analyzers.

  • A specially-crafted HTTP packet can cause Zeek’s filename extraction code to take a long time to process the data. Due to the possibility of receiving these packets from remote hosts, this is a DoS risk. The fix included adjusts the regular expression used in the extract_filename_from_content_disposition() script function to more correctly match the data.

  • A specially-crafted series of FTP packets made up of a CWD request followed by a large number of EPRT requests may cause Zeek to spend a long time logging the commands. Due to the possibility of receiving these packets from remote hosts, this is a DoS risk. The fix included is to prevent logging of pending commands for FTP packets.

  • A specially-crafted VLAN packet can cause Zeek to overflow memory and potentially crash. Due to the possibility of receiving these packets from remote hosts, this is a DoS risk. The fix included is to add some additional length checking to the VLAN analyzer.
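
An added illustration of the file extraction item above (not Zeek's source code): a simplified C++ model of an extraction limit that does or does not account for missing bytes. The struct, its fields, the zero-fill pre-fix behaviour and the sample sizes are assumptions constructed for this example; only the option name default_limit_includes_missing comes from the release notes.

```cpp
// Simplified model of an extraction limit with gaps (added example, not Zeek source).
#include <algorithm>
#include <cstdint>
#include <cstdio>

struct Extractor {
    uint64_t limit;         // extraction limit in bytes (this model assumes > 0)
    bool includes_missing;  // models the default_limit_includes_missing option
    bool enforce_on_gaps;   // false = assumed pre-fix behaviour (gaps skip the check)
    uint64_t counted;       // bytes charged against the limit
    uint64_t written;       // bytes actually written to disk
    uint64_t apparent;      // apparent file size, sparse holes included
    bool limit_hit;

    // Charge up to len bytes against the limit and write them.
    void charge(uint64_t len) {
        uint64_t n = std::min(len, limit - counted);
        counted += n; written += n; apparent += n;
        if (n < len) limit_hit = true;
    }
    // Captured payload always counts toward the limit.
    void deliver(uint64_t len) { if (!limit_hit) charge(len); }
    // A gap of len bytes that the sensor never captured.
    void undelivered(uint64_t len) {
        if (limit_hit) return;
        if (!enforce_on_gaps) { written += len; apparent += len; }  // zero-fill, no check
        else if (includes_missing) charge(len);   // gap counts toward the limit
        else apparent += len;                     // sparse hole, not counted
    }
};

// Constructed input: 1 KiB payload, a 1 GiB gap, 1 KiB payload; limit is 1 MiB.
Extractor run(bool enforce_on_gaps, bool includes_missing) {
    // Counters left out of the initializer list are zero-initialized.
    Extractor e{1ull << 20, includes_missing, enforce_on_gaps};
    e.deliver(1024);
    e.undelivered(1ull << 30);
    e.deliver(1024);
    return e;
}

int main() {
    const Extractor cases[] = {run(false, true), run(true, true), run(true, false)};
    for (const Extractor& e : cases)
        std::printf("written=%llu apparent=%llu limit_hit=%d\n",
                    (unsigned long long)e.written, (unsigned long long)e.apparent,
                    (int)e.limit_hit);
}
```

In the model, the unchecked case writes more than 1 GiB against a 1 MiB limit, while both checked cases keep on-disk writes at or under the limit.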

This release fixes the following bugs:

  • Fixed a base64 decoding issue with the authorization field of HTTP request headers that was sometimes causing Zeek to output error messages. Thank you to GitHub user @​progmboy for reporting and providing a fix for this issue.

  • Ensure that Zeek builds use the internal version of Spicy instead of external installations, unless specifically configured for that mode.

  • Support was added for switch fields when exporting Spicy types to Zeek.

  • A number of fixes were added to protect against potential unbounded state growth with the SMB and DCE-RPC analyzers. SMB close requests will properly tear down any related DCE-RPC analyzers. A new SMB::max_dce_rpc_analyzers script variable was added that allows finer control of how many DCE-RPC analyzers are allowed to be created per SMB connection. Thanks to Zeek Slack user Takomi Sugawara for reporting this issue.

  • Fixed a regression in the UDP and TCP analyzers that was causing more data than necessary to be forwarded to the next analyzer in the chain. Thanks to Zeek Slack user Hiep Long Tan for reporting this issue.

  • A connection's value is now updated in-place when its directionality is flipped due to Zeek's heuristics (for example, SYN/SYN-ACK reversal or protocol specific approaches). Previously, a connection's value was discarded when flipped, including any values set in a new_connection() handler. A new connection_flipped() event is added to allow updating custom state in script-land.

  • Fixed undefined symbols being reported from Spicy when building some of the binary packages for Zeek.

  • Loading policy/frameworks/notice/community-id.zeek now also automatically enables community ID logging. In the past, loading the script had no effect unless policy/protocols/conn/community-id-logging.zeek was loaded before. This was fairly unusual and hard-to-debug behavior.

  • Spicy no longer registers an extra port for every port registered in a plugin's .evt file.

  • Timeouts in DNS resolution no longer cause uncontrolled memory growth.

  • Fix check to skip DNS hostname lookups for notices that are not delivered via email in policy/frameworks/notice/extend-email/hostnames. Due to that policy script being loaded in Zeek's default local.zeek, this previously caused unneeded DNS lookups for every generated notice instead of just those delivered via email.


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.


  • If you want to rebase/retry this MR, check this box

This MR has been generated by Renovate Bot.
