v6.0.2

@timwoj timwoj released this 27 Oct 19:51
· 1298 commits to master since this release

This release fixes the following security issues:

  • A specially-crafted SSL packet could cause Zeek to leak memory and potentially
    crash. Due to the possibility of receiving these packets from remote hosts,
    this is a DoS risk. The included fix adds additional memory cleanup to the
    x509 file analyzer.

  • A specially-crafted series of FTP packets could cause Zeek to log entries for
    requests that have already been completed, using resources unnecessarily and
    potentially causing Zeek to lose other traffic. Due to the possibility of
    receiving these packets from remote hosts, this is a DoS risk. The included
    fix changes the way that we track the pending FTP commands, avoiding
    possible reuse of the same value for subsequent commands.

  • A specially-crafted series of SSL packets could cause Zeek to output a very
    large number of unnecessary alerts for the same record. Due to the possibility
    of receiving these packets from remote hosts, this is a DoS risk. The
    included fix adds a new option SSL::max_alerts_per_record that caps the
    number of alerts that can be generated for an SSL record. For TLS 1.3 this is
    capped at 1 as defined in RFC 8446. For non-TLS 1.3 it is a configurable
    value. An SSL_excessive_alerts_in_record weird will be raised if the cap is
    exceeded.

  • A specially-crafted series of SSL packets could cause Zeek to generate very
    long ssl_history fields in the ssl.log, potentially using a large amount of
    memory due to unbounded state growth. Due to the possibility of receiving
    these packets from remote hosts, this is a DoS risk. The included fix adds a
    new option SSL::max_ssl_history_length that caps this to 100 characters by
    default. An SSL_max_ssl_history_length_reached weird will be raised if the
    cap is exceeded.

  • A specially-crafted IEEE802.11 packet could cause Zeek to overflow memory and
    potentially crash. Due to the possibility of receiving these packets from
    remote hosts, this is a DoS risk. The included fix adds additional bounds
    checking to the IEEE802.11 packet analyzer.
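
One way to watch weird.log for the two new SSL weirds named above, as an added example that is not part of the Zeek release notes or Zeek's own code. It assumes Zeek's default TSV log format; the log rows, addresses and function names are constructed for illustration.

```python
from collections import Counter

# Weird names raised when the new SSL caps are exceeded (names from the notes above).
CAP_WEIRDS = {"SSL_excessive_alerts_in_record", "SSL_max_ssl_history_length_reached"}

FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "name", "addl", "notice", "peer", "source"]

def _row(*values):
    return "\t".join(values)

# Constructed weird.log sample (documentation addresses, not real traffic).
SAMPLE_WEIRD_LOG = "\n".join([
    "#separator \\x09",
    _row("#path", "weird"),
    _row("#fields", *FIELDS),
    _row("1698436800.10", "C1", "192.0.2.10", "50000", "198.51.100.5", "443",
         "SSL_excessive_alerts_in_record", "-", "F", "zeek", "SSL"),
    _row("1698436800.20", "C1", "192.0.2.10", "50000", "198.51.100.5", "443",
         "SSL_excessive_alerts_in_record", "-", "F", "zeek", "SSL"),
    _row("1698436801.00", "C2", "192.0.2.11", "50001", "198.51.100.5", "443",
         "SSL_max_ssl_history_length_reached", "-", "F", "zeek", "SSL"),
    _row("1698436802.00", "C3", "192.0.2.12", "50002", "198.51.100.9", "80",
         "bad_HTTP_request", "-", "F", "zeek", "HTTP"),
    "1698436803.00\tC4\t192.0.2.13",  # truncated line, e.g. log cut mid-write
    "#close\t2023-10-27-20-00-00",
])

def parse_zeek_tsv(text):
    """Yield one dict per record, using the column names from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("record seen before #fields header")
            values = line.split("\t")
            if len(values) == len(fields):  # skip truncated records
                yield dict(zip(fields, values))

def cap_weirds_by_pair(text, threshold=1):
    """Count cap-related weirds per (originator, responder, weird name)."""
    counts = Counter()
    for rec in parse_zeek_tsv(text):
        if rec["name"] in CAP_WEIRDS:
            counts[(rec["id.orig_h"], rec["id.resp_h"], rec["name"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for (orig, resp, name), n in sorted(cap_weirds_by_pair(SAMPLE_WEIRD_LOG).items()):
        print(f"{orig} -> {resp}: {name} x{n}")
```

Repeated hits for one address pair indicate traffic that keeps running into the caps and is worth a closer look.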

This release fixes the following bugs:

  • Fixed Spicy type names causing collisions with existing Zeek types.

  • On some systems with low values for the maximum number of file descriptors, it
    was possible to run into crashes when doing DNS lookups if all of the file
    descriptors were used. This is now avoided with better checking for the number
    of available file descriptors before trying a lookup. Thank you to Zeek Slack
    user h-mikami for reporting this issue.

  • Tables backed by a Broker backend now correctly support deletion if they have
    complex index types. Zeek previously reported an error when trying to delete
    elements from these tables.

  • A significant performance issue with Zeek's supervisor code was fixed,
    revolving around the re-initialization of the Event Manager object used to
    track events. Thank you to Jan Grashoefer for reporting this issue.

  • The MaxMind DB code now cleans up after itself, resolving a memory leak with
    the loaded database files.

  • The ZeekJS submodule was updated to version 0.9.6, bringing fixes for
    zeek.invoke and zeek.event crashes, garbage collection, and an issue where
    Zeek may stop executing events from ZeekJS.