| non port: security/bro/distinfo |
|
SVNWeb
|
Number of commits found: 25 |
|
Tue, 17 Sep 2019
|
[ 23:13 leres  ]  
security/bro: Update to 2.6.4 and address a potential Denial of
Service vulnerability:
https://raw.githubusercontent.com/zeek/zeek/3b5a9f88ece1d274edee897837e280ef751bde94/NEWS
- The NTLM analyzer did not properly handle AV Pair sequences that
were either empty or unterminated, resulting in invalid memory
access or heap buffer over-read. The NTLM analyzer is enabled
by default and used in the analysis of SMB, DCE/RPC, and GSSAPI
protocols.
Approved by: ler (mentor, implicit)
MFH: 2019Q3
Security: 55571619-454e-4769-b1e5-28354659e152
|
|
Fri, 9 Aug 2019
|
[ 16:59 leres ]
security/bro: Update to 2.6.3 and address potential denial of service
vulnerabilities:
https://raw.githubusercontent.com/zeek/zeek/1d874e5548a58b3b8fd2a342fe4aa0944e779809/NEWS
- Null pointer dereference in the RPC analysis code. RPC analyzers
(e.g. MOUNT or NFS) are not enabled in the default configuration.
- Signed integer overflow in BinPAC-generated parser code. The
result of this is Undefined Behavior with respect to the array
bounds checking conditions that BinPAC generates, so it's
unpredictable what an optimizing compiler may actually do under
the assumption that signed integer overlows should never happen.
The specific symptom which lead to finding this issue was with
the PE analyzer causing out-of-memory crashes due to large
allocations that were otherwise prevented when the array bounds
checking logic was changed to prevent any possible signed integer
overlow.
Approved by: matthew (mentor, implicit)
MFH: 2019Q3
Security: f56669f5-d799-4ff5-9174-64a6d571c451
|
|
Fri, 31 May 2019
|
[ 19:23 leres ]
security/bro: Update to 2.6.2 and address several denial of service
vulnerabilities:
https://raw.githubusercontent.com/zeek/zeek/bb979702cf9a2fa67b8d1a1c7f88d0b56c6af104/NEWS
- Integer type mismatches in BinPAC-generated parser code and Bro
analyzer code may allow for crafted packet data to cause
unintentional code paths in the analysis logic to be taken due
to unsafe integer conversions causing the parser and analysis
logic to each expect different fields to have been parsed. One
such example, reported by Maksim Shudrak, causes the Kerberos
analyzer to dereference a null pointer. CVE-2019-12175 was
assigned for this issue.
- The Kerberos parser allows for several fields to be left (Only the first 15 lines of the commit message are shown above  )
|
|
Thu, 20 Dec 2018
|
[ 01:25 leres ]
Update to 2.6.1:
- Update the embedded SQLite library from 3.18.0 to 3.26.0 to
address a remote code execution vulnerability ("Magellan").
- Uses a bundled version of the actor-framework (caf) library so
we can remove the port-local build for caf.
Replace broctl-config.sh absolute symlink with a relative one.
Approved by: ler (mentor, implicit)
MFH: 2018Q4
Security: b80f039d-579e-4b82-95ad-b534a709f220
|
|
Thu, 30 Aug 2018
|
[ 00:13 leres ]
Update to 2.5.5 which addresses security issues:
- Fix array bounds checking in BinPAC: for arrays that are
fields within a record, the bounds check was based on a pointer
to the start of the record rather than the start of the array
field, potentially resulting in a buffer over-read.
- Fix SMTP command string comparisons: the number of bytes
compared was based on the user-supplied string length and can
lead to incorrect matches. e.g. giving a command of "X"
incorrectly matched "X-ANONYMOUSTLS" (and an empty commands
match anything).
- Weird" events are now generally suppressed/sampled by default
according to some tunable parameters.(Only the first 15 lines of the commit message are shown above )
|
|
Fri, 8 Jun 2018
|
[ 16:40 leres ]
Update to 2.5.4 which fixes multiple memory allocation issues:
- Multiple fixes and improvements to BinPAC generated code
related to array parsing, with potential impact to all Bro's
BinPAC-generated analyzers in the form of buffer over-reads
or other invalid memory accesses depending on whether a
particular analyzer incorrectly assumed that the
evaulated-array-length expression is actually the number of
elements that were parsed out from the input.
- The NCP analyzer (not enabled by default and also updated
to actually work with newer Bro APIs in the release) performed
a memory allocation based directly on a field in the input
packet and using signed integer storage. This could result
in a signed integer overflow and memory allocations of (Only the first 15 lines of the commit message are shown above )
|
|
Tue, 20 Feb 2018
|
[ 22:29 leres ]
Update to 2.5.3 which fixes an integer overflow:
http://blog.bro.org/2018/02/bro-253-released-security-update.html
Note that a CVE has not been assigned yet.
Reviewed by: matthew (mentor)
Approved by: matthew (mentor)
MFH: 2018Q1
Differential Revision: https://reviews.freebsd.org/D14444
|
|
Mon, 19 Feb 2018
|
[ 22:04 leres ]
Add a NETMAP option to build and install the bro netmap plugin.
PR: 224918
Reported by: Shane Peters
Reviewed by: matthew (mentor)
Approved by: matthew (mentor)
Differential Revision: https://reviews.freebsd.org/D14378
|
|
Sun, 22 Oct 2017
|
[ 00:00 leres ]
Update to 2.5.2. Changes since 2.5.1:
- Patch OOB write in content-line analyzer:
https://bro-tracker.atlassian.net/browse/BIT-1856
A combination of packets can trigger an out of bound write of
'0' byte in the content-line analyzer.
Reviewed by: ler (mentor)
Approved by: ler (mentor)
Differential Revision: https://reviews.freebsd.org/D12754
|
|
Mon, 21 Aug 2017
|
[ 02:12 swills ] (Only the first 10 of 25 ports in this commit are shown above. )
security/bro: Update to 2.5.1
Also, unbreak build with BROKER, add rc.d script
PR: 217656
Submitted by: leres@ee.lbl.gov (maintainer)
|
|
Fri, 23 Oct 2015
|
[ 19:04 riggs ] (Only the first 10 of 20 ports in this commit are shown above. )
Update to upstream version 2.4.1, add BROKER OPTION
PR: 203849
Submitted by: leres@ee.lbl.gov (maintainer)
|
|
Mon, 2 Feb 2015
|
[ 22:25 pi ]
security/bro, security/broccoli: 2.3 -> 2.3.2
This updates bro and broccoli from 2.3 and 2.3.2, which is a security
update.
Changes to the bro port:
- Rework openssl option logic
- Remove obsolete
- pkgng related changes
Changes to the broccoli port:
- Remove unused DOCS option
- Enable PYTHON by default
- pkgng related changes
- Minor portlint changes (Only the first 15 lines of the commit message are shown above )
|
|
Sun, 10 Aug 2014
|
[ 21:51 cs ] (Only the first 10 of 13 ports in this commit are shown above. )
Update to 2.3
PR: 192105
Submitted by: leres@ee.lbl.gov (maintainer)
|
|
Fri, 22 Nov 2013
|
[ 15:02 jadawin ]
- Update to 2.2
- Support STAGE
- Update MASTER_SITES
- Add LICENSE
PR: ports/183940
Submitted by: maintainer
|
|
Mon, 3 Dec 2012
|
[ 05:20 kevlo ]
Update to 2.1.
Feature safe: yes
PR: ports/174016
Submitted by: Paul Schmehl <pauls at utdallas dot edu>
|
|
Wed, 12 Sep 2012
|
[ 08:09 kevlo ]
Update to 2.0; with some help from rm@
PR: ports/169690
Submitted by: Paul Dokas <paul at dokas dot name>
|
|
Sat, 11 Feb 2012
|
[ 22:27 pgollucci ]
- Update to 1.5.3
- Mark MAKE_JOBS_UNSAFE
- Remove < 7.0
PR: ports/160897
Submitted by: Dikshie <dikshie@sfc.wide.ad.jp>
Approved by: maintainer timeout (kevlo ; 141 days)
|
|
Sun, 3 Jul 2011
|
[ 14:03 ohauer ] (Only the first 10 of 576 ports in this commit are shown above. )
-remove MD5
|
|
Fri, 15 Oct 2010
|
[ 06:42 kevlo ]
Update to 1.5.1
PR: ports/150987
Submitted by: dikshie <dikshie at sfc dot wide dot ad dot jp>
|
|
Thu, 18 Dec 2008
|
[ 06:43 kevlo ] (Only the first 10 of 20 ports in this commit are shown above. )
- Update to 1.4
- Take maintainership
PR: ports/129715
Submitted by: kevlo
|
|
Mon, 10 Sep 2007
|
[ 13:28 edwin ] (Only the first 10 of 27 ports in this commit are shown above. )
security/bro, port upgrade to version 1.2.1, take over maintainership
This is an upgrade of the security/bro port to the current
stable version. The port is very complex, so it needs to
be tested carefully to make sure that I'm not screwing
anything up or using wrong conventions. Also, I'm willing
to take over maintainership of the port if it's accepted
into the tree.
Please note, there are several files that need to be removed
from the port and quite a few that need to be added. All
these files are in FILESDIR. I have provided blank patches
for the files that need to be removed, so the patches will
create blank files.
Added IS_INTERACTIVE to the port
Left original freebsd header comments in it.
Next time please use one big patch-file instead of lots of little ones :-)
PR: ports/114999
Submitted by: Paul Schmehl <pauls@utdallas.edu>
|
|
Fri, 25 Nov 2005
|
[ 18:01 pav ] (Only the first 10 of 121 ports in this commit are shown above. )
- Add SHA256
|
|
Thu, 29 Jan 2004
|
[ 16:13 trevor ] (Only the first 10 of 967 ports in this commit are shown above. )
SIZEify.
|
|
Tue, 4 Nov 2003
|
[ 16:00 osa ]
Fix broken (checksum mismatch) by change suffix of distro
from "-current" to "a37".
No changes for MD5.
|
|
Tue, 14 Oct 2003
|
[ 14:50 osa ]
Update to 0.8, fix RESTRICTED.
|
Number of commits found: 25 |
As an Amazon Associate I earn from qualifying purchases.