Date: Tue, 19 Nov 2024 21:30:54 GMT
Message-Id: <202411192130.4AJLUskX022164@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Craig Leres
Subject: git: f4bc82f8124f - main - security/zeek: Update to 7.0.4
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
X-BeenThere: dev-commits-ports-main@freebsd.org
Sender: owner-dev-commits-ports-main@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: leres
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: f4bc82f8124f3ca238c8fcb7960eebcd7b3dcb46
Auto-Submitted: auto-generated

The branch main has been updated by leres:

URL: https://cgit.FreeBSD.org/ports/commit/?id=f4bc82f8124f3ca238c8fcb7960eebcd7b3dcb46

commit f4bc82f8124f3ca238c8fcb7960eebcd7b3dcb46
Author:     Craig Leres
AuthorDate: 2024-11-19 21:30:34 +0000
Commit:     Craig Leres
CommitDate: 2024-11-19 21:30:34 +0000

    security/zeek: Update to 7.0.4

    https://github.com/zeek/zeek/releases/tag/v7.0.4

    This release fixes the following bugs:

     - The community-id-logging.zeek policy script was used to set
       c$conn$community_id during new_connection() rather than
       connection_state_remove(), allowing other scripts to reuse its
       value early.

     - The input framework will no longer get stuck and use 100% of the
       CPU when encountering lines not immediately terminated by a new
       line.

     - The Modbus analyzer added some additional protocol checks and
       should no longer over-match on traffic that's not specifically
       on port 502.

     - ZeekJS was updated to version v0.13.2, which brings support for
       newer versions of Node.js and a fix for a segfault when running
       under Alpine.

     - A minor bug was fixed in the detect-sqli policy script to handle
       spaces being encoded as plus signs.

Reported by: Tim Wojtulewicz --- security/zeek/Makefile | 3 +- security/zeek/distinfo | 6 +- security/zeek/files/patch-src_DFA.cc | 32 --------- security/zeek/files/patch-src_DFA.h | 29 -------- .../files/patch-src_analyzer_protocol_ssl_SSL.cc | 83 ---------------------- 5 files changed, 4 insertions(+), 149 deletions(-) diff --git a/security/zeek/Makefile b/security/zeek/Makefile index 7a33bf518fa0..995decc29172 100644 --- a/security/zeek/Makefile +++ b/security/zeek/Makefile @@ -1,6 +1,5 @@ PORTNAME= zeek -DISTVERSION= 7.0.3 -PORTREVISION= 1 +DISTVERSION= 7.0.4 CATEGORIES= security MASTER_SITES= https://download.zeek.org/ diff --git a/security/zeek/distinfo b/security/zeek/distinfo index f2b29e55f71b..7d22239a347e 100644 --- a/security/zeek/distinfo +++ b/security/zeek/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1728089705 -SHA256 (zeek-7.0.3.tar.gz) = 029e389f5405d8831657202a7be542be756a8c5811bfaab7376c1c6b10e1d9e3 -SIZE (zeek-7.0.3.tar.gz) = 95797500 +TIMESTAMP = 1732051259 +SHA256 (zeek-7.0.4.tar.gz) = 131050fee95fd76400322cc9e80db6d797e296361d43e3fb10f3ceb1bf93428e +SIZE (zeek-7.0.4.tar.gz) = 95853546 diff --git a/security/zeek/files/patch-src_DFA.cc b/security/zeek/files/patch-src_DFA.cc deleted file mode 100644 index e02f84c79790..000000000000 --- a/security/zeek/files/patch-src_DFA.cc +++ /dev/null 
@@ -1,32 +0,0 @@ ---- src/DFA.cc.orig 2024-10-04 22:44:09 UTC -+++ src/DFA.cc -@@ -2,8 +2,6 @@ - - #include "zeek/DFA.h" - --#include "zeek/zeek-config.h" -- - #include "zeek/Desc.h" - #include "zeek/EquivClass.h" - #include "zeek/Hash.h" -@@ -265,9 +263,9 @@ DFA_State* DFA_State_Cache::Lookup(const NFA_state_lis - DFA_State* DFA_State_Cache::Lookup(const NFA_state_list& nfas, DigestStr* digest) { - // We assume that state ID's don't exceed 10 digits, plus - // we allow one more character for the delimiter. -- auto id_tag_buf = std::make_unique(nfas.length() * 11 + 1); -+ auto id_tag_buf = std::make_unique(nfas.length() * 11 + 1); - auto id_tag = id_tag_buf.get(); -- u_char* p = id_tag; -+ char* p = id_tag; - - for ( int i = 0; i < nfas.length(); ++i ) { - NFA_State* n = nfas[i]; -@@ -287,7 +285,7 @@ DFA_State* DFA_State_Cache::Lookup(const NFA_state_lis - // HashKey because the data is copied into the key. - hash128_t hash; - KeyedHash::Hash128(id_tag, p - id_tag, &hash); -- *digest = DigestStr(reinterpret_cast(hash), 16); -+ *digest = DigestStr(reinterpret_cast(hash), 16); - - auto entry = states.find(*digest); - if ( entry == states.end() ) { diff --git a/security/zeek/files/patch-src_DFA.h b/security/zeek/files/patch-src_DFA.h deleted file mode 100644 index 54ee7706a457..000000000000 --- a/security/zeek/files/patch-src_DFA.h +++ /dev/null 
@@ -1,29 +0,0 @@ ---- src/DFA.h.orig 2024-10-04 22:44:09 UTC -+++ src/DFA.h -@@ -2,7 +2,7 @@ - - #pragma once - --#include // for u_char -+#include - #include - #include - #include -@@ -18,7 +18,7 @@ class DFA_Machine; - - // Transitions to the uncomputed state indicate that we haven't yet - // computed the state to go to. --#define DFA_UNCOMPUTED_STATE -2 -+#define DFA_UNCOMPUTED_STATE (-2) - #define DFA_UNCOMPUTED_STATE_PTR ((DFA_State*)DFA_UNCOMPUTED_STATE) - - class DFA_State : public Obj { -@@ -67,7 +67,7 @@ class DFA_State : public Obj { (protected) - DFA_State* mark; - }; - --using DigestStr = std::basic_string; -+using DigestStr = std::string; - - struct DFA_State_Cache_Stats { - // Sum of all NFA states diff --git a/security/zeek/files/patch-src_analyzer_protocol_ssl_SSL.cc b/security/zeek/files/patch-src_analyzer_protocol_ssl_SSL.cc deleted file mode 100644 index c451c310b38d..000000000000 --- a/security/zeek/files/patch-src_analyzer_protocol_ssl_SSL.cc +++ /dev/null 
@@ -1,83 +0,0 @@ ---- src/analyzer/protocol/ssl/SSL.cc.orig 2024-10-04 22:44:09 UTC -+++ src/analyzer/protocol/ssl/SSL.cc -@@ -5,7 +5,6 @@ - #include - - #include "zeek/Reporter.h" --#include "zeek/analyzer/Manager.h" - #include "zeek/analyzer/protocol/ssl/events.bif.h" - #include "zeek/analyzer/protocol/ssl/ssl_pac.h" - #include "zeek/analyzer/protocol/ssl/tls-handshake_pac.h" -@@ -32,11 +31,11 @@ static inline T LSB(const T a) { - return (a & 0xff); - } - --static std::basic_string fmt_seq(uint32_t num) { -- std::basic_string out(4, '\0'); -+static std::string fmt_seq(uint32_t num) { -+ std::string out(4, '\0'); - out.reserve(13); - uint32_t netnum = htonl(num); -- out.append(reinterpret_cast(&netnum), 4); -+ out.append(reinterpret_cast(&netnum), 4); - out.append(5, '\0'); - return out; - } -@@ -266,13 +265,13 @@ bool SSL_Analyzer::TryDecryptApplicationData(int len, - // server write_key - const u_char* s_wk = keys.data() + 32; - // client IV -- const u_char* c_iv = keys.data() + 64; -+ const char* c_iv = reinterpret_cast(keys.data()) + 64; - // server IV -- const u_char* s_iv = keys.data() + 68; -+ const char* s_iv = reinterpret_cast(keys.data()) + 68; - - // FIXME: should we change types here? 
-- u_char* encrypted = (u_char*)data; -- size_t encrypted_len = len; -+ char* encrypted = (char*)data; -+ int encrypted_len = len; - - if ( is_orig ) - c_seq++; -@@ -280,7 +279,7 @@ bool SSL_Analyzer::TryDecryptApplicationData(int len, - s_seq++; - - // AEAD nonce, length 12 -- std::basic_string s_aead_nonce; -+ std::string s_aead_nonce; - if ( is_orig ) - s_aead_nonce.assign(c_iv, 4); - else -@@ -306,14 +305,14 @@ bool SSL_Analyzer::TryDecryptApplicationData(int len, - - // FIXME: aes_256_gcm should not be hardcoded here ;) - if ( is_orig ) -- EVP_DecryptInit(ctx, EVP_aes_256_gcm(), c_wk, s_aead_nonce.data()); -+ EVP_DecryptInit(ctx, EVP_aes_256_gcm(), c_wk, reinterpret_cast(s_aead_nonce.data())); - else -- EVP_DecryptInit(ctx, EVP_aes_256_gcm(), s_wk, s_aead_nonce.data()); -+ EVP_DecryptInit(ctx, EVP_aes_256_gcm(), s_wk, reinterpret_cast(s_aead_nonce.data())); - - EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16, encrypted + encrypted_len); - - // AEAD tag -- std::basic_string s_aead_tag; -+ std::string s_aead_tag; - if ( is_orig ) - s_aead_tag = fmt_seq(c_seq); - else -@@ -330,8 +329,10 @@ bool SSL_Analyzer::TryDecryptApplicationData(int len, - 16); // see OpenSSL manpage - 16 is the block size for the supported cipher - int decrypted_len = 0; - -- EVP_DecryptUpdate(ctx, NULL, &decrypted_len, s_aead_tag.data(), s_aead_tag.size()); -- EVP_DecryptUpdate(ctx, decrypted.data(), &decrypted_len, (const u_char*)encrypted, encrypted_len); -+ EVP_DecryptUpdate(ctx, NULL, &decrypted_len, reinterpret_cast(s_aead_tag.data()), -+ s_aead_tag.size()); -+ EVP_DecryptUpdate(ctx, decrypted.data(), &decrypted_len, reinterpret_cast(encrypted), -+ encrypted_len); - assert(static_cast(decrypted_len) <= decrypted.size()); - decrypted.resize(decrypted_len); -
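Review bot: in security/zeek/distinfo, the new SHA256 and SIZE for zeek-7.0.4.tar.gz are the only integrity anchor for the tarball fetched from MASTER_SITES (https://download.zeek.org/), and nothing in the commit records how they were checked. Consider comparing the digest against what upstream publishes for the v7.0.4 release linked in the commit message and saying so in the log, so a later reader can tell the checksum was verified and not only regenerated.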
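Review bot: the deletions of files/patch-src_DFA.cc, files/patch-src_DFA.h and files/patch-src_analyzer_protocol_ssl_SSL.cc are not explained in the commit message, which lists only the upstream bug fixes. These patches replaced u_char buffers and the std::basic_string uses with char and std::string, and in SSL.cc also changed encrypted_len from size_t to int and added reinterpret_cast on the arguments to EVP_DecryptInit and EVP_DecryptUpdate in TryDecryptApplicationData. If 7.0.4 already contains equivalent changes, add a line saying so; if it does not, the port now builds that decryption path unpatched and needs a build check on the supported FreeBSD versions before the patches are dropped.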