pfSense-pkg-suricata-5.0.4-RELENG_2_4_5 - GUI update for 5.0.4 binary support and bug fixes. #989

@bmeeks8 bmeeks8 commented Nov 9, 2020

pfSense-pkg-suricata-5.0.4_RELENG_2_4_5

This package update provides support for the latest 5.0.4 Suricata binary from the upstream 5.x branch and fixes four bugs. One new feature is also added.

New Features:

  1. Added a rule Action column with appropriate icons to the ALERTS tab to show the action set for the triggered rule. Note that for Reject actions, the DROP icon will be shown unless the user forced the rule action to reject by clicking a "change action" icon on the ALERTS or RULES tab. Due to logging limitations in the Suricata binary, a rule whose action is changed to Reject via SID MGMT functions will not show the Reject icon under this column.

Bug Fixes:

  1. Check that LRO, TSO and all Hardware Checksumming are disabled in pfSense config.xml when the user enables and saves the "IPS Inline" mode configuration.

  2. Potential YAML key indentation issue with libhtp policy settings in suricata.yaml conf file.

  3. Add input validation to prevent users from choosing Netmap Inline IPS Mode with incompatible physical NICs. See Redmine Issue #10950 from Snort for details. Suricata needs the same input validation.

  4. Complete implementation of fix for Redmine Issue 9789 (from Snort) since Suricata is susceptible to the same issues.

@netgate-git-updates netgate-git-updates merged commit bbb5413 into pfsense:RELENG_2_4_5 Nov 9, 2020
netgate-git-updates pushed a commit that referenced this pull request Sep 14, 2021
Major changes between sudo 1.9.8 and 1.9.7p2:

 * It is now possible to transparently intercept sub-commands
   executed by the original command run via sudo.  Intercept support
   is implemented using LD_PRELOAD (or the equivalent supported by
   the system) and so has some limitations.  The two main limitations
   are that only dynamic executables are supported and only the
   execl, execle, execlp, execv, execve, execvp, and execvpe library
   functions are currently intercepted. Its main use case is to
   support restricting privileged shells run via sudo.

   To support this, there is a new "intercept" Defaults setting and
   an INTERCEPT command tag that can be used in sudoers.  For example:

    Cmnd_Alias SHELLS=/bin/bash, /bin/sh, /bin/csh, /bin/ksh, /bin/zsh
    Defaults!SHELLS intercept

   would cause sudo to run the listed shells in intercept mode.
   This can also be set on a per-rule basis.  For example:

    Cmnd_Alias SHELLS=/bin/bash, /bin/sh, /bin/csh, /bin/ksh, /bin/zsh
    chuck ALL = INTERCEPT: SHELLS

   would only apply intercept mode to user "chuck" when running one
   of the listed shells.

   In intercept mode, sudo will not prompt for a password before
   running a sub-command and will not allow a set-user-ID or
   set-group-ID program to be run by default.  The new
   intercept_authenticate and intercept_allow_setid sudoers settings
   can be used to change this behavior.

 * The new "log_subcmds" sudoers setting can be used to log additional
   commands run in a privileged shell.  It uses the same mechanism as
   the intercept support described above and has the same limitations.

 * Support for logging sudo_logsrvd errors via syslog or to a file.
   Previously, most sudo_logsrvd errors were only visible in the
   debug log.

 * Better diagnostics when there is a TLS certificate validation error.

 * Using the "+=" or "-=" operators in a Defaults setting that takes
   a string, not a list, now produces a warning from sudo and a
   syntax error from inside visudo.

 * Fixed a bug where the "iolog_mode" setting in sudoers and sudo_logsrvd
   had no effect when creating I/O log parent directories if the I/O log
   file name ended with the string "XXXXXX".

 * Fixed a bug in the sudoers custom prompt code where the size
   parameter that was passed to the strlcpy() function was incorrect.
   No overflow was possible since the correct amount of memory was
   already pre-allocated.

 * The mksigname and mksiglist helper programs are now built with
   the host compiler, not the target compiler, when cross-compiling.
   Bug #989.

 * Fixed compilation error when the --enable-static-sudoers configure
   option was specified.  This was due to a typo introduced in sudo
   1.9.7.  GitHub PR #113.

Submitted by:	cy
PR:		258479
Approved by:	garga (maintainer)
MFH:		2021Q3
@bmeeks8 bmeeks8 deleted the pfSense-pkg-suricata-5.0.4_RELENG_2_4_5 branch May 5, 2024 19:03
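
The sudo release notes in the referenced commit above say that intercept mode relies on LD_PRELOAD and supports only dynamic executables. The following added example (not part of this pull request or of sudo) checks each command in a one-line Cmnd_Alias for an ELF PT_INTERP program header, the marker that a dynamic loader will run at all. The file contents, the paths /opt/tools/sh-static and /usr/local/bin/wrap, and all helper names are constructed for illustration.

```python
import struct
PT_INTERP = 3  # program header type that names the dynamic loader

def has_interp(data: bytes) -> bool:
    """True if an ELF image asks for a dynamic loader, which is what honours LD_PRELOAD."""
    if len(data) < 0x40 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    if data[4] == 2:                             # EI_CLASS: 2 = ELF64
        (phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:                                        # ELF32 layout
        (phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x2A)
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + 4 > len(data):
            break                                # headers lie beyond the bytes we were given
        if struct.unpack_from(end + "I", data, off)[0] == PT_INTERP:
            return True
    return False

def alias_paths(line: str) -> list:
    """Command paths from a one-line 'Cmnd_Alias NAME=a, b' entry (arguments dropped)."""
    return [m.split()[0] for m in line.split("=", 1)[1].split(",") if m.strip()]

def audit(line: str, read) -> dict:
    """Map each aliased path to 'dynamic', 'static' or 'not-elf'; read(path) returns bytes."""
    result = {}
    for path in alias_paths(line):
        try:
            result[path] = "dynamic" if has_interp(read(path)) else "static"
        except ValueError:
            result[path] = "not-elf"
    return result

def make_elf(ptypes):
    """Constructed ELF64 little-endian image holding only headers (sample input)."""
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, len(ptypes), 0, 0, 0)
    return ehdr + b"".join(struct.pack("<I", t) + bytes(52) for t in ptypes)

SAMPLE = {"/bin/bash": make_elf([6, 3, 1, 2]), "/opt/tools/sh-static": make_elf([1, 2]),
          "/usr/local/bin/wrap": b"#!/bin/sh\n" + bytes(64)}  # constructed contents
ALIAS = "Cmnd_Alias SHELLS=/bin/bash, /opt/tools/sh-static, /usr/local/bin/wrap"

if __name__ == "__main__":
    for path, kind in audit(ALIAS, SAMPLE.__getitem__).items():
        print(f"{path}: {kind}")
```

On a real host, pass a reader such as `lambda p: open(p, "rb").read(4096)`. A `not-elf` result usually means a script, in which case the interpreter it names is the binary to check.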