[Buildroot] [PATCH v2, 1/1] package/suricata: security bump to version 6.0.14
Peter Korsgaard
peter at korsgaard.com
Sun Oct 1 18:28:30 UTC 2023
>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice at gmail.com> writes:
> - Fix CVE-2023-35852: In Suricata before 6.0.13 (when there is an
> adversary who controls an external source of rules), a dataset
> filename, that comes from a rule, may trigger absolute or relative
> directory traversal, and lead to write access to a local filesystem.
> This is addressed in 6.0.13 by requiring allow-absolute-filenames and
> allow-write (in the datasets rules configuration section) if an
> installation requires traversal/writing in this situation.
> - Fix CVE-2023-35853: In Suricata before 6.0.13, an adversary who
> controls an external source of Lua rules may be able to execute Lua
> code. This is addressed in 6.0.13 by disabling Lua unless allow-rules
> is true in the security lua configuration section.
> - Drop first patch (not needed since
> https://github.com/OISF/suricata/commit/c8a3aa608eaae1acbaf33dba8a7c1a3cbfeb4285)
> https://github.com/OISF/suricata/blob/suricata-6.0.14/ChangeLog
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
> ---
> Changes v1 -> v2 (after review of Peter Korsgaard):
> - Do not wrongly delete second patch
Committed to 2023.02.x and 2023.08.x, thanks.
--
Bye, Peter Korsgaard
More information about the buildroot
mailing list