Date: Tue, 21 Feb 2023 22:38:05 GMT
Message-Id: <202302212238.31LMc5LT053385@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Craig Leres
Subject: git: 2986f76a6403 - main - security/vuxml: Mark zeek < 5.0.7 as vulnerable as per:
List-Id: Commit messages for all branches of the ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
X-Git-Committer: leres
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 2986f76a640307b7b182d06950ae9ac15be172c6

The branch main has been updated by leres:

URL: https://cgit.FreeBSD.org/ports/commit/?id=2986f76a640307b7b182d06950ae9ac15be172c6

commit 2986f76a640307b7b182d06950ae9ac15be172c6
Author:     Craig Leres
AuthorDate: 2023-02-21 22:37:24 +0000
Commit:     Craig Leres
CommitDate: 2023-02-21 22:37:24 +0000

    security/vuxml: Mark zeek < 5.0.7 as vulnerable as per:

        https://github.com/zeek/zeek/releases/tag/v5.0.7

    This release fixes the following potential DoS vulnerabilities:

    - Receiving DNS responses from async DNS requests (via the
      lookup_addr, etc BIF methods) with the TTL set to zero could
      cause the DNS manager to eventually stop being able to make new
      requests.

    - Specially-crafted FTP packets with excessively long usernames,
      passwords, or other fields could cause log writes to use large
      amounts of disk space.

    - The find_all and find_all_ordered BIF methods could take
      extremely large amounts of time to process incoming data
      depending on the size of the input.

    Reported by:    Tim Wojtulewicz
---
 security/vuxml/vuln/2023.xml | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml index a85e7e41451c..84b6afb7bb69 100644 --- a/security/vuxml/vuln/2023.xml +++ b/security/vuxml/vuln/2023.xml 
@@ -1,3 +1,37 @@ + + zeek -- potential DoS vulnerabilities + + + zeek + 5.0.7 + + + + +

Tim Wojtulewicz of Corelight reports:

+
+

Receiving DNS responses from async DNS requests (via + the lookup_addr, etc BIF methods) with the TTL set to + zero could cause the DNS manager to eventually stop being + able to make new requests.

+

Specially-crafted FTP packets with excessively long + usernames, passwords, or other fields could cause log + writes to use large amounts of disk space.

+

The find_all and find_all_ordered BIF methods could + take extremely large amounts of time to process incoming + data depending on the size of the input.

+
+ +
+ + https://github.com/zeek/zeek/releases/tag/v5.0.7 + + + 2023-02-21 + 2023-02-21 + +
+ libde256 -- multiple vulnabilities
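
Review bot: the references block at the end of the new zeek entry lists only the release URL https://github.com/zeek/zeek/releases/tag/v5.0.7, so none of the three DoS issues in the description can be matched by CVE identifier; if upstream has assigned any, add them alongside the URL. Both dates in the entry are 2023-02-21, the same day as the commit, so confirm that the discovery date reflects the upstream disclosure and is not just a copy of the entry date. The trailing context line shows the neighbouring topic spelled "multiple vulnabilities", which is worth a separate follow-up fix.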