01:25 leres 

Update to 2.6.1:

 - Update the embedded SQLite library from 3.18.0 to 3.26.0 to
   address a remote code execution vulnerability ("Magellan").

 - Uses a bundled version of the actor-framework (caf) library so
   we can remove the port-local build for caf.

Replace broctl-config.sh absolute symlink with a relative one.

Approved by:	ler (mentor, implicit)
MFH:		2018Q4
Security:	b80f039d-579e-4b82-95ad-b534a709f220

 

00:13 leres 

Update to 2.5.5 which addresses security issues:

    - Fix array bounds checking in BinPAC: for arrays that are
      fields within a record, the bounds check was based on a pointer
      to the start of the record rather than the start of the array
      field, potentially resulting in a buffer over-read.

    - Fix SMTP command string comparisons: the number of bytes
      compared was based on the user-supplied string length and can
      lead to incorrect matches. e.g. giving a command of "X"
      incorrectly matched "X-ANONYMOUSTLS" (and an empty commands
      match anything).

    - Weird" events are now generally suppressed/sampled by default
      according to some tunable parameters.

    - Improved handling of empty lines in several text protocol
      analyzers that can cause performance issues when seen in long
      sequences.

    - Add `smtp_excessive_pending_cmds' weird which serves as a
      notification for when the "pending command" queue has reached
      an upper limit and been cleared to prevent one from attempting
      to slowly exhaust memory.

Approved by: ler (mentor, implicit)
MFH: 2018Q3
Security: d0be41fe-2a20-4633-b057-4e8b25c41780

 

16:40 leres 

Update to 2.5.4 which fixes multiple memory allocation issues:

 - Multiple fixes and improvements to BinPAC generated code
   related to array parsing, with potential impact to all Bro's
   BinPAC-generated analyzers in the form of buffer over-reads
   or other invalid memory accesses depending on whether a
   particular analyzer incorrectly assumed that the
   evaulated-array-length expression is actually the number of
   elements that were parsed out from the input.

 - The NCP analyzer (not enabled by default and also updated
   to actually work with newer Bro APIs in the release) performed
   a memory allocation based directly on a field in the input
   packet and using signed integer storage. This could result
   in a signed integer overflow and memory allocations of
   negative or very large size, leading to a crash or memory
   exhaustion. The new NCP::max_frame_size tuning option now
   limits the maximum amount of memory that can be allocated.

Other fixes:

 - A memory leak in the SMBv1 analyzer.

 - The MySQL analyzer was generally not working as intended,
   for example, it now is able to parse responses that contain
   multiple results/rows.

Add gettext-runtime to USES to address a poudriere testport
warning.

Reviewed by:	matthew (mentor)
Approved by:	matthew (mentor)
MFH:		2018Q2
Security:	2f4fd3aa-32f8-4116-92f2-68f05398348e
Differential Revision:	https://reviews.freebsd.org/D15678

 

22:04 leres 

Add a NETMAP option to build and install the bro netmap plugin.

PR: 224918
Reported by: Shane Peters
Reviewed by: matthew (mentor)
Approved by: matthew (mentor)
Differential Revision: https://reviews.freebsd.org/D14378

 

02:12 swills 

security/bro: Update to 2.5.1

Also, unbreak build with BROKER, add rc.d script

PR:		217656
Submitted by:	leres@ee.lbl.gov (maintainer)

 

19:04 riggs 

Update to upstream version 2.4.1, add BROKER OPTION

PR:		203849
Submitted by:	leres@ee.lbl.gov (maintainer)

 

22:25 pi 

security/bro, security/broccoli: 2.3 -> 2.3.2

This updates bro and broccoli from 2.3 and 2.3.2, which is a security
update.

Changes to the bro port:
- Rework openssl option logic
- Remove obsolete
- pkgng related changes

Changes to the broccoli port:
- Remove unused DOCS option
- Enable PYTHON by default
- pkgng related changes
- Minor portlint changes

Changes in 2.3.2:
- DNP3: fix reachable assertion and buffer over-read/overflow.
  CVE number pending. (Travis Emmert, Jon Siwek)
- Update binpac: Fix potential out-of-bounds memory reads in
  generated code. CVE-2014-9586. (John Villamil and Chris Rohlf
  - Yahoo Paranoids, Jon Siwek)
- BIT-1234: Fix build on systems that already have ntohll/htonll.
  (Jon Siwek)
- BIT-1291: Delete prebuilt python bytecode files from git.  (Jon Siwek)
- Adding call to new binpac::init() function. (Robin Sommer)

Changes in 2.3.1:
- Fix a reference counting bug in ListVal ctor. (Jon Siwek)
- Fix possible buffer over-read in DNS TSIG parsing. (Jon Siwek)
- Change EDNS parsing code to use rdlength more cautiously.  (Jon Siwek)
- Fix null pointer dereference in OCSP verification code in
  case no certificate is sent as part as the ocsp reply. Addresses
  BIT-1212.  (Johanna Amann)
- Fix OCSP reply validation. Addresses BIT-1212 (Johanna Amann)
- Make links in documentation templates protocol relative. (Johanna Amann)

PR:		197107
Submitted by:	Craig Leres <leres@ee.lbl.gov> (maintainer)
Reviewed by:	koobs

 

00:05 marino 

security/bro: Add su flags so pkg initialization works

PR:		192646
Submitted by:	maintainer (Craig Leres)

 

21:51 cs 

Update to 2.3

PR:		192105
Submitted by:	leres@ee.lbl.gov (maintainer)

 

15:02 jadawin 

- Update to 2.2
- Support STAGE
- Update MASTER_SITES
- Add LICENSE

PR:		ports/183940
Submitted by:	maintainer

 

22:56 tabthorpe 

- Split broccoli library into separate port
- Use new infrastructure
- Bump PORTREVISION

PR:		ports/182475
Submitted by:	Craig Leres <leres@ee.lbl.gov> (maintainer)

 

13:47 miwi 

- Unbreak build

Reported by:	pointyhat
Approved by:	portmgr

 

05:20 kevlo 

Update to 2.1.

Feature safe:	yes

PR:	ports/174016
Submitted by:	Paul Schmehl <pauls at utdallas dot edu>

 

08:09 kevlo 

Update to 2.0; with some help from rm@

PR:	ports/169690
Submitted by:	Paul Dokas <paul at dokas dot name>

 

06:42 kevlo 

Update to 1.5.1

PR:     ports/150987
Submitted by:   dikshie <dikshie at sfc dot wide dot ad dot jp>

05:35 kevlo 

- Fix pkg-plist
- Bump PORTREVISION

06:43 kevlo 

- Update to 1.4
- Take maintainership

PR: ports/129715
Submitted by: kevlo

13:28 edwin 

security/bro, port upgrade to version 1.2.1, take over maintainership

        This is an upgrade of the security/bro port to the current
        stable version.  The port is very complex, so it needs to
        be tested carefully to make sure that I'm not screwing
        anything up or using wrong conventions. Also, I'm willing
        to take over maintainership of the port if it's accepted
        into the tree.

        Please note, there are several files that need to be removed
        from the port and quite a few that need to be added. All
        these files are in FILESDIR.  I have provided blank patches
        for the files that need to be removed, so the patches will
        create blank files.

Added IS_INTERACTIVE to the port
Left original freebsd header comments in it.
Next time please use one big patch-file instead of lots of little ones :-)

PR:             ports/114999
Submitted by:   Paul Schmehl <pauls@utdallas.edu>

14:50 osa 

Update to 0.8, fix RESTRICTED.

00:17 obrien 

Add $FreeBSD$'s which help me in problem reports.