This release fixes the following security issues:
-
The AYIYA and GTPv1 parsing/decapsulation logic may leak memory if the inner
packet uses the same connection tuple as the outer packet while also having
another level of encapsulation within the inner packet using the same
tunneling protocol, respectively (AYIYA or GTPv1). These leaks have
potential for remote exploitation to cause Denial of Service via resource
exhaustion.Credit to OSS-Fuzz for discovery
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25256
(OSS-Fuzz opens full issue details up to the public 30 days from patch releases)
This release fixes the following bugs:
-
Fix Input Framework 'change' events for 'set' destinations
#1083
#1087 -
Fix reported body-length of HTTP messages w/ sub-entities
#1107
Note: the above changes were also part of v3.0.9, but a compilation failure related to the use of C++17 nested namespaces was discovered and fixed for the v3.0.10 official release announcement with v3.0.9 never receiving an official announcement.
Reminder: Zeek 3.0.x is a Long-Term Support release, receiving bug fixes until at least November 2020.