[Zeek-Announce] Bro 2.6.3 release (security update)

Jon Siwek jsiwek at corelight.com
Thu Aug 8 18:42:37 PDT 2019

A security patch release, Bro v2.6.3, is now available for
download:

  https://www.zeek.org/downloads/bro-2.6.3.tar.gz
  https://www.zeek.org/downloads/bro-2.6.3.tar.gz.asc

Bro v2.6.3 addresses the following Denial of Service
vulnerabilities:

* Null pointer dereference in the RPC analysis code. RPC
  analyzers (e.g. MOUNT or NFS) are not enabled in the default
  configuration.

* Signed integer overflow in BinPAC-generated parser code.  The
  result of this is Undefined Behavior with respect to the array
  bounds checking conditions that BinPAC generates, so it's
  unpredictable what an optimizing compiler may actually do
  under the assumption that signed integer overflows should never
  happen.  The specific symptom which led to finding this issue
  was the PE analyzer causing out-of-memory crashes due to
  large allocations; those allocations no longer occurred once
  the array bounds checking logic was changed to rule out any
  possible signed integer overflow.
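As an added illustration (not Bro's or BinPAC's code; the record format and sample inputs are constructed for this purpose), the following C program places a signed-overflow-prone array bounds check next to a form that cannot overflow, then drives the hardened form with a record that claims an absurdly large element count:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed wire format for this example: a 4-byte big-endian element
 * count, then that many 16-byte elements. Not BinPAC's real output. */
#define HDR_SIZE 4
#define ELEM_SIZE 16

static int32_t read_be32(const uint8_t *p) {
    return (int32_t)(((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                     ((uint32_t)p[2] << 8) | (uint32_t)p[3]);
}

/* Overflow-prone check, the bug class the advisory describes: for a large
 * count the signed product and sum overflow (undefined behaviour), so an
 * optimizing compiler may treat the comparison as always true and drop it.
 * Shown for contrast; only ever called here with non-overflowing inputs. */
bool array_fits_unsafe(int32_t offset, int32_t count, int32_t avail) {
    return offset + count * ELEM_SIZE <= avail;
}

/* Hardened check: reject negative values, then rearrange the comparison
 * so no intermediate value can leave the range of the inputs. */
bool array_fits_safe(int32_t offset, int32_t count, int32_t avail) {
    if (offset < 0 || count < 0 || avail < 0 || offset > avail)
        return false;
    return count <= (avail - offset) / ELEM_SIZE; /* count*ELEM_SIZE <= avail-offset */
}

/* Returns the element count if the claimed array fits in the buffer, else
 * -1. A parser must only size its allocation after this succeeds. */
int parse_record(const uint8_t *buf, size_t buf_len) {
    if (buf_len < HDR_SIZE || buf_len > INT32_MAX) return -1;
    int32_t count = read_be32(buf);
    return array_fits_safe(HDR_SIZE, count, (int32_t)buf_len) ? count : -1;
}

/* Builds a constructed sample (claimed count, payload_bytes of zero payload, max 64) and parses it. */
int parse_sample(uint32_t count, size_t payload_bytes) {
    uint8_t buf[HDR_SIZE + 64] = {0};
    if (payload_bytes > 64) return -1;
    for (int i = 0; i < HDR_SIZE; i++) buf[i] = (uint8_t)(count >> (24 - 8 * i));
    return parse_record(buf, HDR_SIZE + payload_bytes);
}

int main(void) {
    printf("valid record: %d\n", parse_sample(2, 32));              /* 2 */
    printf("huge claimed count: %d\n", parse_sample(0x7FFFFFFFu, 16)); /* -1 */
    return 0;
}
```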