This release fixes the following security issues:
- Paths from log stream make it into system() unchecked, potentially leading
  to commands being run on the system unintentionally. This requires either
  bad scripting or a malicious package to be installed, and is considered
  low severity.
- Fix potential unbounded state growth in the PIA analyzer when receiving a
  connection with either a large number of zero-length packets, or one which
  continues ack-ing unseen segments. It is possible to run Zeek out of memory
  in these instances and cause it to crash. Due to the possibility of this
  happening with packets received from the network, this is a potential DoS
  vulnerability.

This release fixes the following bugs:
- Looping over vectors with missing elements in script-land could fail to
  process all elements.
- The ignore_checksum_nets option does not work correctly if configured
  with multiple subnets.
- Packet sources that don't have a selectable file descriptor could
  potentially prevent the network time from ever updating, which would have
  adverse effects on the primary run loop such as preventing timers from
  executing.
- Zeekctl crashes using the zeekctl status command if the StatusCmdShowAll
  option is set to 1 in zeekctl.cfg.