github zeek/zeek v3.1.4

3 years ago

This release fixes the following security issues:

  • Fix potential stack overflow in NVT analyzer
    3b51d72

    The NVT_Analyzer (e.g. as instantiated to support the FTP analyzer)
    uses a recursive parsing function that may advance only one byte per
    call, so a sufficiently long input can easily exhaust the stack.

    Credit to OSS-Fuzz for discovery
    https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22898

  • Fix NVT analyzer memory leak from multiple telnet authn name options
    e532335

    Credit to OSS-Fuzz for discovery
    https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=23069

  • Fix multiple content-transfer-encoding headers causing a memory leak
    0195880

    The MIME analyzer leaks memory if it sees many content-transfer-encoding
    headers, or if it sees many multipart boundary parameters.

    Credit to OSS-Fuzz for discovery
    https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22871

  • Fix potential leak of Analyzers added to tree during Analyzer::Done
    d2eb701

    A remote source of analyzed packets may be able to craft traffic that
    specifically triggers this behavior.

    Credit to OSS-Fuzz for discovery
    https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22630

  • Prevent IP fragment reassembly on packets without minimal IP header
    a2f2f7a

    The IP fragment reassembly process assumes a packet contains at least
    the minimum IP header, but no such check previously occurred, resulting
    in a heap buffer over-read: for example, a packet whose IPv4 IHL field
    self-reports a header length shorter than the 20-byte minimum. Such
    packets likely aren't routable on their own, but one can create an
    artificial pcap containing them, or possibly encapsulate them within
    another protocol, to trigger this bug.
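
To make the recursion hazard from the first item concrete, here is an added C++ example; it is not Zeek's NVT analyzer, and the function names, the option numbers in the stream, and the sample stream itself are constructed for illustration. It scans a telnet NVT byte stream once as a loop and once in the per-byte recursive style the fix removed. The recursive variant consumes one stack frame per data byte consumed, so its depth is bounded only by the input size, while the loop handles a multi-megabyte chunk with constant stack:

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Telnet NVT command bytes (RFC 854).
constexpr uint8_t IAC = 255, DONT = 254, DO = 253, WONT = 252, WILL = 251, SB = 250, SE = 240;

struct NvtStats {
    size_t data_bytes = 0;       // bytes passed through to the application layer
    size_t negotiations = 0;     // WILL/WONT/DO/DONT option exchanges
    size_t subnegotiations = 0;  // IAC SB ... IAC SE blocks
    size_t other_commands = 0;   // two-byte commands such as NOP
};

// Iterative scanner: stack usage is constant regardless of input size.
NvtStats scan_nvt(const uint8_t* p, size_t len) {
    NvtStats st;
    size_t i = 0;
    while (i < len) {
        if (p[i] != IAC) { ++st.data_bytes; ++i; continue; }
        if (i + 1 >= len) break;                               // IAC cut off at chunk end
        const uint8_t cmd = p[i + 1];
        if (cmd == IAC) { ++st.data_bytes; i += 2; continue; } // escaped literal 0xFF
        if (cmd >= WILL && cmd <= DONT) {
            if (i + 2 >= len) break;                           // negotiation cut off
            ++st.negotiations; i += 3; continue;
        }
        if (cmd == SB) {
            size_t j = i + 2;                                  // find the closing IAC SE
            while (j + 1 < len && !(p[j] == IAC && p[j + 1] == SE)) ++j;
            ++st.subnegotiations;
            i = (j + 1 < len) ? j + 2 : len;                   // unterminated SB eats the chunk
            continue;
        }
        ++st.other_commands; i += 2;
    }
    return st;
}

// Recursive scanner with the same semantics: one frame per data byte.
// This reproduces the anti-pattern, so never feed it unbounded untrusted input.
void scan_nvt_recursive(const uint8_t* p, size_t len, NvtStats& st) {
    if (len == 0) return;
    if (p[0] != IAC) { ++st.data_bytes; scan_nvt_recursive(p + 1, len - 1, st); return; }
    if (len < 2) return;
    const uint8_t cmd = p[1];
    if (cmd == IAC) { ++st.data_bytes; scan_nvt_recursive(p + 2, len - 2, st); return; }
    if (cmd >= WILL && cmd <= DONT) {
        if (len < 3) return;
        ++st.negotiations; scan_nvt_recursive(p + 3, len - 3, st); return;
    }
    if (cmd == SB) {
        size_t j = 2;
        while (j + 1 < len && !(p[j] == IAC && p[j + 1] == SE)) ++j;
        ++st.subnegotiations;
        const size_t used = (j + 1 < len) ? j + 2 : len;
        scan_nvt_recursive(p + used, len - used, st); return;
    }
    ++st.other_commands; scan_nvt_recursive(p + 2, len - 2, st);
}

// Constructed sample: a login prompt with ECHO/SGA negotiation, an escaped 0xFF,
// a TERMINAL-TYPE subnegotiation and a NOP. Option numbers are illustrative.
std::vector<uint8_t> sample_stream() {
    return { 'l', 'o', 'g', 'i', 'n', ':', ' ',
             IAC, DO, 1, IAC, WILL, 3,
             IAC, IAC, 'x',
             IAC, SB, 24, 0, 'v', 't', '1', '0', '0', IAC, SE,
             IAC, 241,
             'O', 'K' };
}
```

Both scanners agree on the sample (11 data bytes, 2 negotiations, 1 subnegotiation, 1 other command); only `scan_nvt` should be pointed at a 4 MiB chunk, and both stop cleanly on a chunk that ends mid-command rather than reading past `len`.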

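The header check the last item describes, written out as an added C++ example (this is not Zeek's code; the function and type names are assumed for illustration and the headers are constructed, not captured traffic). The only length the parser trusts is the number of bytes actually in the buffer; the self-reported IHL is rejected when it claims fewer than 20 bytes or more bytes than were captured, and no fragment field is read until the header passes:

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Result codes for the pre-reassembly check; assumed names, not Zeek's types.
enum class IpHdrStatus { Ok, Truncated, BadVersion, IhlTooSmall, IhlExceedsCapture, TotalLenTooSmall };

constexpr size_t kMinIpv4Hdr = 20;  // IHL of 5 32-bit words

// Validate the fixed IPv4 header before any field is used for reassembly.
// `len` is the byte count actually present in the buffer; every other length
// in the packet is self-reported and must be checked against it.
IpHdrStatus validate_ipv4_header(const uint8_t* pkt, size_t len) {
    if (len < kMinIpv4Hdr) return IpHdrStatus::Truncated;            // cannot read the fixed header
    if ((pkt[0] >> 4) != 4) return IpHdrStatus::BadVersion;
    const size_t ihl_bytes = (pkt[0] & 0x0F) * 4u;
    if (ihl_bytes < kMinIpv4Hdr) return IpHdrStatus::IhlTooSmall;    // the over-read case from the fix
    if (ihl_bytes > len) return IpHdrStatus::IhlExceedsCapture;      // options would run past the buffer
    const uint16_t total_len = static_cast<uint16_t>((pkt[2] << 8) | pkt[3]);
    if (total_len < ihl_bytes) return IpHdrStatus::TotalLenTooSmall; // no room for the header itself
    return IpHdrStatus::Ok;
}

// Fragment fields, read only after validation succeeds.
struct FragInfo { bool more_fragments; uint16_t offset_bytes; uint16_t id; };

bool fragment_info(const uint8_t* pkt, size_t len, FragInfo& out) {
    if (validate_ipv4_header(pkt, len) != IpHdrStatus::Ok) return false;
    out.id = static_cast<uint16_t>((pkt[4] << 8) | pkt[5]);
    const uint16_t flags_off = static_cast<uint16_t>((pkt[6] << 8) | pkt[7]);
    out.more_fragments = (flags_off & 0x2000) != 0;                  // MF flag
    out.offset_bytes = static_cast<uint16_t>((flags_off & 0x1FFF) * 8);
    return true;
}

// Constructed 20-byte IPv4 header builder (not captured traffic). The IHL word
// count is written verbatim so undersized and oversized values can be tested.
std::vector<uint8_t> make_ipv4(uint8_t ihl_words, uint16_t total_len, uint16_t flags_off) {
    std::vector<uint8_t> h(kMinIpv4Hdr, 0);
    h[0] = static_cast<uint8_t>(0x40 | (ihl_words & 0x0F));
    h[2] = static_cast<uint8_t>(total_len >> 8);
    h[3] = static_cast<uint8_t>(total_len & 0xFF);
    h[4] = 0xAB; h[5] = 0xCD;                                        // identification
    h[6] = static_cast<uint8_t>(flags_off >> 8);
    h[7] = static_cast<uint8_t>(flags_off & 0xFF);
    h[8] = 64; h[9] = 17;                                            // TTL, protocol UDP
    return h;
}

int main() {
    const auto good = make_ipv4(5, 40, 0x2000);  // IHL=5, MF set, offset 0
    const auto bad  = make_ipv4(3, 40, 0x2000);  // IHL=3 claims a 12-byte header
    FragInfo f{};
    std::printf("good: status=%d frag_ok=%d\n",
                static_cast<int>(validate_ipv4_header(good.data(), good.size())),
                static_cast<int>(fragment_info(good.data(), good.size(), f)));
    std::printf("bad:  status=%d frag_ok=%d\n",
                static_cast<int>(validate_ipv4_header(bad.data(), bad.size())),
                static_cast<int>(fragment_info(bad.data(), bad.size(), f)));
    return 0;
}
```

The same check also catches the mirror-image case the text does not mention: an IHL that is legal in itself but larger than the captured bytes, which would otherwise let option parsing read past the end of the buffer.
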
Also fixed are the following bugs:

  • Fix compilation on Fedora 32 (GCC 10.0.1)
    695457f

  • Fix crash when using some deprecated environment variables
    1c08be1

  • Fix use on CentOS 6 (Linux kernel < 3.8)
    mheily/libkqueue@8707307

  • Limit rate of logging MaxMind DB diagnostic messages
    #963

  • Fix wrong return value type for topk_get_top() BIF
    #996

  • Fix opaque Broker types lacking a Type after (de)serialization
    #984

  • Fix lack of descriptive printing for intervals converted from double_to_interval()
    e17487e

  • Fix some cases of known-services not being logged
    #965
    2f918ed

Reminder: Zeek 3.0.x is the Long-Term Support release, receiving bug fixes until at least October 2020 while Zeek 3.1.x is the current feature release, receiving bug fixes until approximately July 2020 when the 3.2.x release series begins.
