git: 0ef6b9a178c6 - 2024Q4 - security/zeek: Update to 7.0.4
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Mon, 16 Dec 2024 21:56:39 UTC
The branch 2024Q4 has been updated by leres:
URL: https://cgit.FreeBSD.org/ports/commit/?id=0ef6b9a178c6884e20ddd25b0d6ee6cee819711b
commit 0ef6b9a178c6884e20ddd25b0d6ee6cee819711b
Author: Craig Leres <leres@FreeBSD.org>
AuthorDate: 2024-11-19 21:30:34 +0000
Commit: Craig Leres <leres@FreeBSD.org>
CommitDate: 2024-12-16 21:56:12 +0000
security/zeek: Update to 7.0.4
https://github.com/zeek/zeek/releases/tag/v7.0.4
This release fixes the following bugs:
- The community-id-logging.zeek policy script was used to set
c$conn$community_id during new_connection() rather than
connection_state_remove(), allowing other scripts to reuse its
value early.
- The input framework will no longer get stuck and use 100% of the
CPU when encountering lines not immediately terminated by a new
line.
- The Modbus analyzer added some additional protocol checks and
should no longer over-match on traffic that's not specifically
on port 502.
- ZeekJS was updated to version v0.13.2, which brings support for
newer versions of Node.js and a fix for a segfault when running
under Alpine.
- A minor bug was fixed in the detect-sqli policy script to handle
spaces being encoded as plus signs.
Reported by: Tim Wojtulewicz
(cherry picked from commit f4bc82f8124f3ca238c8fcb7960eebcd7b3dcb46)
---
security/zeek/Makefile | 3 +-
security/zeek/distinfo | 6 +-
security/zeek/files/patch-src_DFA.cc | 32 ---------
security/zeek/files/patch-src_DFA.h | 29 --------
.../files/patch-src_analyzer_protocol_ssl_SSL.cc | 83 ----------------------
5 files changed, 4 insertions(+), 149 deletions(-)
diff --git a/security/zeek/Makefile b/security/zeek/Makefile
index 7a33bf518fa0..995decc29172 100644
--- a/security/zeek/Makefile
+++ b/security/zeek/Makefile
@@ -1,6 +1,5 @@
PORTNAME= zeek
-DISTVERSION= 7.0.3
-PORTREVISION= 1
+DISTVERSION= 7.0.4
CATEGORIES= security
MASTER_SITES= https://download.zeek.org/
diff --git a/security/zeek/distinfo b/security/zeek/distinfo
index f2b29e55f71b..7d22239a347e 100644
--- a/security/zeek/distinfo
+++ b/security/zeek/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1728089705
-SHA256 (zeek-7.0.3.tar.gz) = 029e389f5405d8831657202a7be542be756a8c5811bfaab7376c1c6b10e1d9e3
-SIZE (zeek-7.0.3.tar.gz) = 95797500
+TIMESTAMP = 1732051259
+SHA256 (zeek-7.0.4.tar.gz) = 131050fee95fd76400322cc9e80db6d797e296361d43e3fb10f3ceb1bf93428e
+SIZE (zeek-7.0.4.tar.gz) = 95853546
diff --git a/security/zeek/files/patch-src_DFA.cc b/security/zeek/files/patch-src_DFA.cc
deleted file mode 100644
index e02f84c79790..000000000000
--- a/security/zeek/files/patch-src_DFA.cc
+++ /dev/null
@@ -1,32 +0,0 @@
---- src/DFA.cc.orig 2024-10-04 22:44:09 UTC
-+++ src/DFA.cc
-@@ -2,8 +2,6 @@
-
- #include "zeek/DFA.h"
-
--#include "zeek/zeek-config.h"
--
- #include "zeek/Desc.h"
- #include "zeek/EquivClass.h"
- #include "zeek/Hash.h"
-@@ -265,9 +263,9 @@ DFA_State* DFA_State_Cache::Lookup(const NFA_state_lis
- DFA_State* DFA_State_Cache::Lookup(const NFA_state_list& nfas, DigestStr* digest) {
- // We assume that state ID's don't exceed 10 digits, plus
- // we allow one more character for the delimiter.
-- auto id_tag_buf = std::make_unique<u_char[]>(nfas.length() * 11 + 1);
-+ auto id_tag_buf = std::make_unique<char[]>(nfas.length() * 11 + 1);
- auto id_tag = id_tag_buf.get();
-- u_char* p = id_tag;
-+ char* p = id_tag;
-
- for ( int i = 0; i < nfas.length(); ++i ) {
- NFA_State* n = nfas[i];
-@@ -287,7 +285,7 @@ DFA_State* DFA_State_Cache::Lookup(const NFA_state_lis
- // HashKey because the data is copied into the key.
- hash128_t hash;
- KeyedHash::Hash128(id_tag, p - id_tag, &hash);
-- *digest = DigestStr(reinterpret_cast<const unsigned char*>(hash), 16);
-+ *digest = DigestStr(reinterpret_cast<const char*>(hash), 16);
-
- auto entry = states.find(*digest);
- if ( entry == states.end() ) {
diff --git a/security/zeek/files/patch-src_DFA.h b/security/zeek/files/patch-src_DFA.h
deleted file mode 100644
index 54ee7706a457..000000000000
--- a/security/zeek/files/patch-src_DFA.h
+++ /dev/null
@@ -1,29 +0,0 @@
---- src/DFA.h.orig 2024-10-04 22:44:09 UTC
-+++ src/DFA.h
-@@ -2,7 +2,7 @@
-
- #pragma once
-
--#include <sys/types.h> // for u_char
-+#include <sys/types.h>
- #include <cassert>
- #include <map>
- #include <string>
-@@ -18,7 +18,7 @@ class DFA_Machine;
-
- // Transitions to the uncomputed state indicate that we haven't yet
- // computed the state to go to.
--#define DFA_UNCOMPUTED_STATE -2
-+#define DFA_UNCOMPUTED_STATE (-2)
- #define DFA_UNCOMPUTED_STATE_PTR ((DFA_State*)DFA_UNCOMPUTED_STATE)
-
- class DFA_State : public Obj {
-@@ -67,7 +67,7 @@ class DFA_State : public Obj { (protected)
- DFA_State* mark;
- };
-
--using DigestStr = std::basic_string<u_char>;
-+using DigestStr = std::string;
-
- struct DFA_State_Cache_Stats {
- // Sum of all NFA states
diff --git a/security/zeek/files/patch-src_analyzer_protocol_ssl_SSL.cc b/security/zeek/files/patch-src_analyzer_protocol_ssl_SSL.cc
deleted file mode 100644
index c451c310b38d..000000000000
--- a/security/zeek/files/patch-src_analyzer_protocol_ssl_SSL.cc
+++ /dev/null
@@ -1,83 +0,0 @@
---- src/analyzer/protocol/ssl/SSL.cc.orig 2024-10-04 22:44:09 UTC
-+++ src/analyzer/protocol/ssl/SSL.cc
-@@ -5,7 +5,6 @@
- #include <openssl/opensslv.h>
-
- #include "zeek/Reporter.h"
--#include "zeek/analyzer/Manager.h"
- #include "zeek/analyzer/protocol/ssl/events.bif.h"
- #include "zeek/analyzer/protocol/ssl/ssl_pac.h"
- #include "zeek/analyzer/protocol/ssl/tls-handshake_pac.h"
-@@ -32,11 +31,11 @@ static inline T LSB(const T a) {
- return (a & 0xff);
- }
-
--static std::basic_string<unsigned char> fmt_seq(uint32_t num) {
-- std::basic_string<unsigned char> out(4, '\0');
-+static std::string fmt_seq(uint32_t num) {
-+ std::string out(4, '\0');
- out.reserve(13);
- uint32_t netnum = htonl(num);
-- out.append(reinterpret_cast<u_char*>(&netnum), 4);
-+ out.append(reinterpret_cast<char*>(&netnum), 4);
- out.append(5, '\0');
- return out;
- }
-@@ -266,13 +265,13 @@ bool SSL_Analyzer::TryDecryptApplicationData(int len,
- // server write_key
- const u_char* s_wk = keys.data() + 32;
- // client IV
-- const u_char* c_iv = keys.data() + 64;
-+ const char* c_iv = reinterpret_cast<const char*>(keys.data()) + 64;
- // server IV
-- const u_char* s_iv = keys.data() + 68;
-+ const char* s_iv = reinterpret_cast<const char*>(keys.data()) + 68;
-
- // FIXME: should we change types here?
-- u_char* encrypted = (u_char*)data;
-- size_t encrypted_len = len;
-+ char* encrypted = (char*)data;
-+ int encrypted_len = len;
-
- if ( is_orig )
- c_seq++;
-@@ -280,7 +279,7 @@ bool SSL_Analyzer::TryDecryptApplicationData(int len,
- s_seq++;
-
- // AEAD nonce, length 12
-- std::basic_string<unsigned char> s_aead_nonce;
-+ std::string s_aead_nonce;
- if ( is_orig )
- s_aead_nonce.assign(c_iv, 4);
- else
-@@ -306,14 +305,14 @@ bool SSL_Analyzer::TryDecryptApplicationData(int len,
-
- // FIXME: aes_256_gcm should not be hardcoded here ;)
- if ( is_orig )
-- EVP_DecryptInit(ctx, EVP_aes_256_gcm(), c_wk, s_aead_nonce.data());
-+ EVP_DecryptInit(ctx, EVP_aes_256_gcm(), c_wk, reinterpret_cast<const u_char*>(s_aead_nonce.data()));
- else
-- EVP_DecryptInit(ctx, EVP_aes_256_gcm(), s_wk, s_aead_nonce.data());
-+ EVP_DecryptInit(ctx, EVP_aes_256_gcm(), s_wk, reinterpret_cast<const u_char*>(s_aead_nonce.data()));
-
- EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16, encrypted + encrypted_len);
-
- // AEAD tag
-- std::basic_string<unsigned char> s_aead_tag;
-+ std::string s_aead_tag;
- if ( is_orig )
- s_aead_tag = fmt_seq(c_seq);
- else
-@@ -330,8 +329,10 @@ bool SSL_Analyzer::TryDecryptApplicationData(int len,
- 16); // see OpenSSL manpage - 16 is the block size for the supported cipher
- int decrypted_len = 0;
-
-- EVP_DecryptUpdate(ctx, NULL, &decrypted_len, s_aead_tag.data(), s_aead_tag.size());
-- EVP_DecryptUpdate(ctx, decrypted.data(), &decrypted_len, (const u_char*)encrypted, encrypted_len);
-+ EVP_DecryptUpdate(ctx, NULL, &decrypted_len, reinterpret_cast<const u_char*>(s_aead_tag.data()),
-+ s_aead_tag.size());
-+ EVP_DecryptUpdate(ctx, decrypted.data(), &decrypted_len, reinterpret_cast<const u_char*>(encrypted),
-+ encrypted_len);
- assert(static_cast<decltype(decrypted.size())>(decrypted_len) <= decrypted.size());
- decrypted.resize(decrypted_len);
-