git: 3571a07d68b7 - main - security/suricata: Update to 6.0.4

From: Dries Michiels <driesm_at_FreeBSD.org>
Date: Mon, 13 Dec 2021 17:17:36 UTC
The branch main has been updated by driesm:

URL: https://cgit.FreeBSD.org/ports/commit/?id=3571a07d68b7dbce0e19619e135fb76766c7af12

commit 3571a07d68b7dbce0e19619e135fb76766c7af12
Author:     Franco Fichtner <franco@opnsense.org>
AuthorDate: 2021-12-08 14:56:50 +0000
Commit:     Dries Michiels <driesm@FreeBSD.org>
CommitDate: 2021-12-13 17:08:01 +0000

    security/suricata: Update to 6.0.4
    
    While here pet portfmt.
    
    Changes:                https://forum.suricata.io/t/suricata-6-0-4-and-5-0-8-released/1942
    PR:                     260250
    Approved by:            0mp (mentor)
    MFH:                    2021Q4
    Differential Revision:  https://reviews.freebsd.org/D33335
---
 security/suricata/Makefile              | 73 +++++++++++++++---------------
 security/suricata/distinfo              |  6 +--
 security/suricata/files/patch-3c53a1601 | 78 ---------------------------------
 security/suricata/files/patch-powerpc   | 62 --------------------------
 security/suricata/pkg-plist             |  4 +-
 5 files changed, 42 insertions(+), 181 deletions(-)

diff --git a/security/suricata/Makefile b/security/suricata/Makefile
index 891a015e8e5c..a241d396c41d 100644
--- a/security/suricata/Makefile
+++ b/security/suricata/Makefile
@@ -1,6 +1,5 @@
 PORTNAME=	suricata
-DISTVERSION=	6.0.3
-PORTREVISION=	5
+DISTVERSION=	6.0.4
 CATEGORIES=	security
 MASTER_SITES=	https://www.openinfosecfoundation.org/download/
 
@@ -12,44 +11,44 @@ LICENSE_FILE=	${WRKSRC}/LICENSE
 
 BUILD_DEPENDS=	rustc:lang/${RUST_DEFAULT}
 LIB_DEPENDS=	libjansson.so:devel/jansson \
-		libpcre.so:devel/pcre \
-		libnet.so:net/libnet \
 		liblz4.so:archivers/liblz4 \
+		libnet.so:net/libnet \
+		libpcre.so:devel/pcre \
 		libyaml.so:textproc/libyaml
 
-USES=		autoreconf cpe gmake iconv:translit libtool localbase \
-		pathfix pkgconfig
+USES=		autoreconf cpe gmake iconv:translit libtool localbase pathfix \
+		pkgconfig
 
 CPE_VENDOR=	openinfosecfoundation
 
 USE_LDCONFIG=	yes
 USE_RC_SUBR=	${PORTNAME}
 
-GNU_CONFIGURE=	yes
-CONFIGURE_ARGS+=--enable-gccprotect \
-		--enable-bundled-htp \
-	        --disable-gccmarch-native
-MAKE_ENV=	RUSTFLAGS="${RUSTFLAGS} -C linker=${CC:Q} ${LDFLAGS:C/.+/-C link-arg=&/}"
+GNU_CONFIGURE=		yes
+CONFIGURE_ARGS+=	--disable-gccmarch-native \
+			--enable-bundled-htp \
+			--enable-gccprotect
+MAKE_ENV=		RUSTFLAGS="${RUSTFLAGS} -C linker=${CC:Q} ${LDFLAGS:C/.+/-C link-arg=&/}"
 
-INSTALL_TARGET=		install-strip
-TEST_TARGET=		check
+INSTALL_TARGET=	install-strip
+TEST_TARGET=	check
 
 CONFLICTS_INSTALL=	libhtp
 
 SUB_FILES=	pkg-message
 PLIST_SUB=	PORTVERSION=${DISTVERSION:C/-/_/g}
 
-OPTIONS_DEFINE=		GEOIP IPFW NETMAP NSS PORTS_PCAP PRELUDE \
-			PYTHON REDIS TESTS
+OPTIONS_DEFINE=		GEOIP IPFW NETMAP NSS PORTS_PCAP PRELUDE PYTHON REDIS \
+			TESTS
 OPTIONS_DEFINE_amd64=	HYPERSCAN
 OPTIONS_DEFAULT=	IPFW NETMAP PYTHON
 
 OPTIONS_RADIO=		SCRIPTS
 OPTIONS_RADIO_SCRIPTS=	LUA LUAJIT
 
-OPTIONS_SUB=		yes
+OPTIONS_SUB=	yes
 
-PRELUDE_BROKEN=		Compilation broken, see https://redmine.openinfosecfoundation.org/issues/4065
+PRELUDE_BROKEN=	Compilation broken, see https://redmine.openinfosecfoundation.org/issues/4065
 
 GEOIP_DESC=		GeoIP support
 HYPERSCAN_DESC=		Hyperscan support
@@ -65,32 +64,33 @@ REDIS_DESC=		Redis output support
 SCRIPTS_DESC=		Scripting
 TESTS_DESC=		Unit tests in suricata binary
 
-GEOIP_LIB_DEPENDS=		libmaxminddb.so:net/libmaxminddb
-GEOIP_CONFIGURE_ON=		--enable-geoip
+GEOIP_LIB_DEPENDS=	libmaxminddb.so:net/libmaxminddb
+GEOIP_CONFIGURE_ON=	--enable-geoip
 
-HYPERSCAN_LIB_DEPENDS=		libhs.so:devel/hyperscan
+HYPERSCAN_LIB_DEPENDS=	libhs.so:devel/hyperscan
 
-IPFW_CONFIGURE_ON=		--enable-ipfw
+IPFW_CONFIGURE_ON=	--enable-ipfw
 
-LUAJIT_LIB_DEPENDS=		libluajit-5.1.so:lang/luajit-openresty
-LUAJIT_CONFIGURE_ON=		--enable-luajit
+LUAJIT_LIB_DEPENDS=	libluajit-5.1.so:lang/luajit-openresty
+LUAJIT_CONFIGURE_ON=	--enable-luajit
 
-LUA_USES=			lua:51
-LUA_CONFIGURE_ON=		--enable-lua
+LUA_USES=		lua:51
+LUA_CONFIGURE_ON=	--enable-lua
 
 NETMAP_CONFIGURE_ENABLE=	netmap
 
-NSS_LIB_DEPENDS=		libnss3.so:security/nss \
-				libnspr4.so:devel/nspr
-NSS_CONFIGURE_OFF=		--disable-nss --disable-nspr
+NSS_LIB_DEPENDS=	libnspr4.so:devel/nspr \
+			libnss3.so:security/nss
+NSS_CONFIGURE_OFF=	--disable-nspr \
+			--disable-nss
 
-PORTS_PCAP_LIB_DEPENDS=		libpcap.so.1:net/libpcap
+PORTS_PCAP_LIB_DEPENDS=	libpcap.so.1:net/libpcap
 
-PRELUDE_LIB_DEPENDS=		libprelude.so:security/libprelude \
+PRELUDE_LIB_DEPENDS=		libgcrypt.so:security/libgcrypt \
 				libgnutls.so:security/gnutls \
-				libgcrypt.so:security/libgcrypt \
 				libgpg-error.so:security/libgpg-error \
-				libltdl.so:devel/libltdl
+				libltdl.so:devel/libltdl \
+				libprelude.so:security/libprelude
 PRELUDE_CONFIGURE_ON=		--with-libprelude-prefix=${LOCALBASE}
 PRELUDE_CONFIGURE_ENABLE=	prelude
 
@@ -100,11 +100,10 @@ PYTHON_USES=			python
 PYTHON_USE=			PYTHON=py3kplist
 PYTHON_CONFIGURE_ENABLE=	python
 
-REDIS_LIB_DEPENDS=		libhiredis.so:databases/hiredis \
-				libevent_pthreads.so:devel/libevent
-REDIS_CONFIGURE_ON=		--enable-hiredis \
-
-TESTS_CONFIGURE_ENABLE=		unittests
+REDIS_LIB_DEPENDS=	libevent_pthreads.so:devel/libevent \
+			libhiredis.so:databases/hiredis
+REDIS_CONFIGURE_ON=	--enable-hiredis
+TESTS_CONFIGURE_ENABLE=	unittests
 
 pre-patch:
 	@${CP} ${FILESDIR}/ax_check_compile_flag.m4 ${WRKSRC}/m4
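Review bot: The blank line that used to separate the REDIS and TESTS option blocks is gone on the new side, so `REDIS_CONFIGURE_ON` now runs straight into `TESTS_CONFIGURE_ENABLE`, while the other option groups visible in this diff (GEOIP, IPFW, LUA, NSS, PRELUDE, PYTHON) are still separated by an empty line. Dropping the stray trailing backslash after `--enable-hiredis` is correct, since it was continuing the assignment onto the empty line. I would keep the separator and add an empty line after `REDIS_CONFIGURE_ON=	--enable-hiredis`, so the TESTS knob reads as its own group. Presumably the formatter merged the two because the old continuation hid the blank line from it; re-running it after restoring the separator should confirm the alignment.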
diff --git a/security/suricata/distinfo b/security/suricata/distinfo
index 47cdde42ff52..d754df161699 100644
--- a/security/suricata/distinfo
+++ b/security/suricata/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1628041281
-SHA256 (suricata-6.0.3.tar.gz) = daf134bb2d7c980035e9ae60f7aaf313323a809340009f26e48110ccde81f602
-SIZE (suricata-6.0.3.tar.gz) = 32421197
+TIMESTAMP = 1637246038
+SHA256 (suricata-6.0.4.tar.gz) = a8f197e33d1678689ebbf7bc1abe84934c465d22c504c47c2c7e9b74aa042d0d
+SIZE (suricata-6.0.4.tar.gz) = 32498036
diff --git a/security/suricata/files/patch-3c53a1601 b/security/suricata/files/patch-3c53a1601
deleted file mode 100644
index d70b3c563e5a..000000000000
--- a/security/suricata/files/patch-3c53a1601
+++ /dev/null
@@ -1,78 +0,0 @@
-From 3c53a1601b6f861f8b7f0cd0984b18e78291fe85 Mon Sep 17 00:00:00 2001
-From: Victor Julien <victor@inliniac.net>
-Date: Wed, 18 Aug 2021 20:14:48 +0200
-Subject: [PATCH] threading: don't pass locked flow between threads
-
-Previously the flow manager would share evicted flows with the workers
-while keeping the flows mutex locked. This reduced the number of unlock/
-lock cycles while there was guaranteed to be no contention.
-
-This turns out to be undefined behavior. A lock is supposed to be locked
-and unlocked from the same thread. It appears that FreeBSD is stricter on
-this than Linux.
-
-This patch addresses the issue by unlocking before handing a flow off
-to another thread, and locking again from the new thread.
-
-Issue was reported and largely analyzed by Bill Meeks.
-
-Bug: #4478
-(cherry picked from commit 9551cd05357925e8bec8e0030d5f98fd07f17839)
----
- src/flow-hash.c    | 1 +
- src/flow-manager.c | 2 +-
- src/flow-timeout.c | 1 +
- src/flow-worker.c  | 1 +
- 4 files changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/src/flow-hash.c b/src/flow-hash.c
-index ebbd836e81a..760bc53e0a8 100644
---- src/flow-hash.c
-+++ src/flow-hash.c
-@@ -669,6 +669,7 @@ static inline void MoveToWorkQueue(ThreadVars *tv, FlowLookupStruct *fls,
-         f->fb = NULL;
-         f->next = NULL;
-         FlowQueuePrivateAppendFlow(&fls->work_queue, f);
-+        FLOWLOCK_UNLOCK(f);
-     } else {
-         /* implied: TCP but our thread does not own it. So set it
-          * aside for the Flow Manager to pick it up. */
-diff --git a/src/flow-manager.c b/src/flow-manager.c
-index d58a49637d6..9228c88490c 100644
---- src/flow-manager.c
-+++ src/flow-manager.c
-@@ -333,9 +333,9 @@ static uint32_t ProcessAsideQueue(FlowManagerTimeoutThread *td, FlowTimeoutCount
-                 FlowForceReassemblyNeedReassembly(f) == 1)
-         {
-             FlowForceReassemblyForFlow(f);
-+            FLOWLOCK_UNLOCK(f);
-             /* flow ownership is passed to the worker thread */
- 
--            /* flow remains locked */
-             counters->flows_aside_needs_work++;
-             continue;
-         }
-diff --git a/src/flow-timeout.c b/src/flow-timeout.c
-index 972b35076bd..d6cca490087 100644
---- src/flow-timeout.c
-+++ src/flow-timeout.c
-@@ -401,6 +401,7 @@ static inline void FlowForceReassemblyForHash(void)
-                 RemoveFromHash(f, prev_f);
-                 f->flow_end_flags |= FLOW_END_FLAG_SHUTDOWN;
-                 FlowForceReassemblyForFlow(f);
-+                FLOWLOCK_UNLOCK(f);
-                 f = next_f;
-                 continue;
-             }
-diff --git a/src/flow-worker.c b/src/flow-worker.c
-index 69dbb6ac575..dccf3581dd5 100644
---- src/flow-worker.c
-+++ src/flow-worker.c
-@@ -168,6 +168,7 @@ static void CheckWorkQueue(ThreadVars *tv, FlowWorkerThreadData *fw,
- {
-     Flow *f;
-     while ((f = FlowQueuePrivateGetFromTop(fq)) != NULL) {
-+        FLOWLOCK_WRLOCK(f);
-         f->flow_end_flags |= FLOW_END_FLAG_TIMEOUT; //TODO emerg
- 
-         const FlowStateType state = f->flow_state;
diff --git a/security/suricata/files/patch-powerpc b/security/suricata/files/patch-powerpc
deleted file mode 100644
index e8b444747129..000000000000
--- a/security/suricata/files/patch-powerpc
+++ /dev/null
@@ -1,62 +0,0 @@
---- rust/vendor/libc/src/unix/bsd/freebsdlike/freebsd/mod.rs.orig	2020-03-17 20:35:43 UTC
-+++ rust/vendor/libc/src/unix/bsd/freebsdlike/freebsd/mod.rs
-@@ -1486,6 +1486,9 @@ cfg_if! {
-     } else if #[cfg(target_arch = "powerpc64")] {
-         mod powerpc64;
-         pub use self::powerpc64::*;
-+    } else if #[cfg(target_arch = "powerpc")] {
-+        mod powerpc;
-+        pub use self::powerpc::*;
-     } else {
-         // Unknown target_arch
-     }
---- rust/vendor/libc/src/unix/bsd/freebsdlike/freebsd/powerpc.rs.orig	2021-06-23 22:40:24 UTC
-+++ rust/vendor/libc/src/unix/bsd/freebsdlike/freebsd/powerpc.rs
-@@ -0,0 +1,47 @@
-+pub type c_char = u8;
-+pub type c_long = i32;
-+pub type c_ulong = u32;
-+pub type wchar_t = i32;
-+pub type time_t = i64;
-+pub type suseconds_t = i32;
-+pub type register_t = i32;
-+
-+s! {
-+    pub struct stat {
-+        pub st_dev: ::dev_t,
-+        pub st_ino: ::ino_t,
-+        pub st_mode: ::mode_t,
-+        pub st_nlink: ::nlink_t,
-+        pub st_uid: ::uid_t,
-+        pub st_gid: ::gid_t,
-+        pub st_rdev: ::dev_t,
-+        pub st_atime: ::time_t,
-+        pub st_atime_nsec: ::c_long,
-+        pub st_mtime: ::time_t,
-+        pub st_mtime_nsec: ::c_long,
-+        pub st_ctime: ::time_t,
-+        pub st_ctime_nsec: ::c_long,
-+        pub st_size: ::off_t,
-+        pub st_blocks: ::blkcnt_t,
-+        pub st_blksize: ::blksize_t,
-+        pub st_flags: ::fflags_t,
-+        pub st_gen: u32,
-+        pub st_lspare: i32,
-+        pub st_birthtime: ::time_t,
-+        pub st_birthtime_nsec: ::c_long,
-+    }
-+}
-+
-+// should be pub(crate), but that requires Rust 1.18.0
-+cfg_if! {
-+    if #[cfg(libc_const_size_of)] {
-+        #[doc(hidden)]
-+        pub const _ALIGNBYTES: usize = ::mem::size_of::<::c_int>() - 1;
-+    } else {
-+        #[doc(hidden)]
-+        pub const _ALIGNBYTES: usize = 4 - 1;
-+    }
-+}
-+
-+pub const MAP_32BIT: ::c_int = 0x00080000;
-+pub const MINSIGSTKSZ: ::size_t = 2048; // 512 * 4
diff --git a/security/suricata/pkg-plist b/security/suricata/pkg-plist
index 5fcb57aa716a..f50fe60042d1 100644
--- a/security/suricata/pkg-plist
+++ b/security/suricata/pkg-plist
@@ -136,7 +136,7 @@ man/man1/suricata.1.gz
 %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/util.pyc
 %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/version.py
 %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/version.pyc
-%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata_update-1.2.2-py%%PYTHON_VER%%.egg-info
+%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata_update-1.2.3-py%%PYTHON_VER%%.egg-info
 %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricatasc/__init__.py
 %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricatasc/__init__.pyc
 %%DATADIR%%/rules/app-layer-events.rules
@@ -146,9 +146,11 @@ man/man1/suricata.1.gz
 %%DATADIR%%/rules/dns-events.rules
 %%DATADIR%%/rules/files.rules
 %%DATADIR%%/rules/http-events.rules
+%%DATADIR%%/rules/http2-events.rules
 %%DATADIR%%/rules/ipsec-events.rules
 %%DATADIR%%/rules/kerberos-events.rules
 %%DATADIR%%/rules/modbus-events.rules
+%%DATADIR%%/rules/mqtt-events.rules
 %%DATADIR%%/rules/nfs-events.rules
 %%DATADIR%%/rules/ntp-events.rules
 %%DATADIR%%/rules/smb-events.rules