github zeek/zeek v3.0.2

4 years ago

This long-term supported release addresses the following security issues:

  • Potential Denial of Service due to memory leak in DNS TSIG message
    parsing. Thanks to Max Kellermann for the report and patch.
    See #799

  • Potential Denial of Service due to memory leak (or assertion when
    compiling with assertions enabled) when receiving a second SSH KEX
    message after a first. Thanks to Max Kellermann for the report and patch.
    See #792

  • Potential Denial of Service due to buffer read overflow and/or
    memory leaks in Kerberos analyzer. The buffer read overflow could occur when
    the Kerberos message indicates it contains an IPv6 address, but does not send
    enough data to parse out a full IPv6 address. A memory leak could occur when
    processing KRB_KDC_REQ and KRB_KDC_REP messages for message types that do not
    match a known/expected type. See #753

  • Potential Denial of Service when sending many zero-length SSL/TLS certificate
    data. Such messages underwent the full Zeek file analysis treatment which
    is expensive (and meaningless here) compared to how cheaply one can "create"
    or otherwise indicate many zero-length certificates contained in an SSL message.
    See #748

  • Potential Denial of Service due to buffer read overflow in SMB transaction
    data string handling. The length of strings being parsed from SMB messages
    was trusted to be whatever the message claimed instead of the actual length
    of data found in the message. See #747

  • Potential Denial of Service due to null pointer dereference in FTP ADAT
    Base64 decoding. See #739

  • Potential Denial of Service due to buffer read overflow in FTP analyzer
    word/whitespace handling. This typically won't be a problem in most default
    deployments of Zeek since the FTP analyzer receives data from a ContentLine
    (NVT) support analyzer which first null-terminates the buffer used for
    further FTP parsing. See #749
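
The Kerberos and SMB items above share one root cause: the parser acted on a size implied or claimed by the message instead of the number of bytes actually captured. The following C code is an added example, not Zeek's code; the record layouts, type tags and function names are constructed for illustration, and each parser rejects a short buffer rather than reading past it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layouts for illustration; not Zeek's code or a real wire format. */
enum { ADDR_IPV4 = 1, ADDR_IPV6 = 2 };           /* hypothetical type tags */
typedef struct { const uint8_t *p; size_t left; } cursor;
/* Hand out n bytes only if the captured buffer really holds them. */
static int take(cursor *c, size_t n, const uint8_t **out) {
    if (n > c->left) return -1;                  /* short read: reject, don't over-read */
    *out = c->p; c->p += n; c->left -= n;
    return 0;
}

/* Fixed-size case: the type tag implies 16 address bytes that may not be there.
 * Unsafe shape: memcpy(out, buf + 1, 16) with no check against len. */
int parse_addr(const uint8_t *buf, size_t len, uint8_t out[16], size_t *out_len) {
    cursor c = { buf, len };
    const uint8_t *tag, *addr;
    if (take(&c, 1, &tag)) return -1;
    size_t need = (*tag == ADDR_IPV6) ? 16 : (*tag == ADDR_IPV4) ? 4 : 0;
    if (need == 0 || take(&c, need, &addr)) return -1;
    memcpy(out, addr, need);
    *out_len = need;
    return 0;
}

/* Variable-size case: 2-byte big-endian claimed length, then the string bytes.
 * Unsafe shape: memcpy(dst, buf + 2, claimed) trusting the header alone. */
int parse_string(const uint8_t *buf, size_t len, char *dst, size_t dst_cap) {
    cursor c = { buf, len };
    const uint8_t *hdr, *str;
    if (take(&c, 2, &hdr)) return -1;
    size_t claimed = ((size_t)hdr[0] << 8) | hdr[1];
    if (claimed >= dst_cap || take(&c, claimed, &str)) return -1;
    memcpy(dst, str, claimed);
    dst[claimed] = '\0';
    return (int)claimed;
}

int main(void) {
    const uint8_t short_v6[] = { ADDR_IPV6, 0x20, 0x01, 0x0d, 0xb8 };  /* 4 of 16 bytes */
    const uint8_t lying[] = { 0x01, 0x00, 'a', 'b', 'c' };             /* claims 256 */
    uint8_t a[16]; size_t n; char s[512];
    printf("truncated addr: %d\n", parse_addr(short_v6, sizeof short_v6, a, &n));
    printf("lying string:   %d\n", parse_string(lying, sizeof lying, s, sizeof s));
    return 0;
}
```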

Also addressed are the following bug fixes:

  • Use-after-free in paraglob
    zeek/paraglob@d65dd0a

  • Invalid memory read in paraglob
    zeek/paraglob@ac86ce7

  • Improve Broker python binding Event validity checks
    zeek/broker@2d9f474

  • Misleading Broker debug/error output
    zeek/broker@0d136d1

  • malloc/delete mismatch in JSON formatting
    c0d6eb9

  • Plugin API returning reference to temporary
    ae9e799

  • Memory leak in OCSP parsing when using OpenSSL 1.1
    2fbcf23

  • Memory leak in Kerberos ticket decryption
    53fadb2

  • Memory leak when table-based input stream overwrites old entry
    3742e56

  • Memory leak in packet filter functions
    a961f0b

  • Memory leak in system_env() BIF
    273eb19

  • Memory leak of Log::Filter "config" field
    bf05add

  • Memory leak in Reporter::get_weird_sampling_whitelist() BIF
    3b6a2a5

  • Memory leaks in input framework error-handling cases
    6f5f7df

  • Memory leak when a plugin prevents a log write operation
    09578c6

  • Memory leaks due to reference-counting issues in lambdas/closures
    44d922c

  • Memory leak when creating input streams which use &type_column
    51970c2

  • NTLM field access scripting error: accessing uninitialized
    80469a1

  • File analysis scripting error: access of an uninitialized field
    d9ed76c

  • Inconsistent &priority for Log::create_stream() calls
    7a74852

  • Fix potential for indefinite buffering of logs (e.g. when they are sparse/bursty)
    43e54c7

  • Dictionary::Clear() didn't reset number of entries
    1e499b0

  • Paraglob compile failure due to non-standard VLA usage
    zeek/paraglob@903b5cf

  • Binpac cross-compilation configuration fix
    d33613c
