From 5611b60c6172fe4204cd69a9c9d466b6632dd0c7 Mon Sep 17 00:00:00 2001 From: Shivani Bhardwaj Date: Tue, 19 May 2026 12:29:09 +0530 Subject: [PATCH] release: 8.0.5; update changelog --- ChangeLog | 48 +++++++++++++++++++++++++++++++++++++++++++++ configure.ac | 2 +- rust/Cargo.lock.in | 12 ++++++------ rust/sys/src/sys.rs | 2 +- 4 files changed, 56 insertions(+), 8 deletions(-) diff --git a/ChangeLog b/ChangeLog index 10fa79462a..f3a86b963b 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,51 @@ +8.0.5 -- 2026-05-19 + +Security #8561: defrag: fragmented encapsulated traffic with fragments can lead to deadlock (8.0.x backport)(HIGH - CVE 2026-46352) +Security #8557: detect/lua: buffer overflow leads to sandbox escape (8.0.x backport)(HIGH - CVE 2026-45770) +Security #8554: http2: excessive memory alloc with decompression bomb (8.0.x backport)(HIGH - CVE 2026-46387) +Security #8547: datasets: save with load cmd can save to absolute filename (8.0.x backport)(HIGH - CVE 2026-45767) +Security #8541: detect: use-after-free in decompress transform pipeline (8.0.x backport)(MODERATE - CVE 2026-45752) +Security #8540: detect: heap-use-after-free in inspection-buffer transform chaining (8.0.x backport)(MODERATE - CVE 2026-45751) +Security #8530: http1: quadratic complexity with usage of HTTPParseContentDispositionHeader (8.0.x backport)(HIGH - CVE 2026-45759) +Security #8527: detect: case insensitivity in frames lead to buffer overflow (8.0.x backport)(LOW - CVE 2026-45761) +Security #8511: defrag: incorrect ip fragment reuse causes remote crash (8.0.x backport)(HIGH - CVE 2026-45762) +Security #8508: lua: sandbox alloc_limit not enforced on new allocations (8.0.x backport)(HIGH - CVE 2026-45763) +Security #8493: http2: type confusion from protocol change (8.0.x backport)(CRITICAL - CVE 2026-45764) +Security #8461: dnp3: unbounded reassembly (8.0.x backport)(HIGH - CVE 2026-45765) +Security #8419: nfs: OOM on stateful structures (8.0.x backport)(CRITICAL - CVE 2026-45766) +Security #8416: ikev2: OOM due to unbounded client_transforms (8.0.x backport)(CRITICAL - CVE 2026-45769) +Security #8406: ldap: OOM on unbounded responses per tx (8.0.x backport)(CRITICAL - CVE 2026-45768) +Bug #8553: reputation: useless code leads to buffer underflow (8.0.x backport) +Bug #8522: dcerpc.iface keyword matches any interface if PFC_FIRST_FRAG is missing in the BIND request (8.0.x backport) +Bug #8502: detect/dns: dns.*.rrname keywords do not work with "alert udp" prefix (8.0.x backport) +Bug #8490: ftp: the "too many transactions" event isn't raised (8.0.x backport) +Bug #8455: doh2: FN with rulesets combining dns rules and http2 rules (8.0.x backport) +Bug #8452: http2: http.host does not match as soon as possible (8.0.x backport) +Bug #8449: dnp3: off by one heap write in object parser (8.0.x backport) +Bug #8439: examples/lib/live can not work +Bug #8422: snmp: snmp-event.rules file is missing (8.0.x backport) +Bug #8414: websocket: reassembly should restrict opcodes (8.0.x backport) +Bug #8411: http2: response_frame_size is never set (8.0.x backport) +Bug #8404: detect: false alerts with drop rule using geoip (8.0.x backport) +Bug #8399: tls: encryption-handling bypass breaks dependent JA3/JA3S rules in IDS mode (8.0.x backport) +Bug #8380: dcerpc: bind interfaces get overwritten with new requests/responses (8.0.x backport) +Bug #8376: smb/dcerpc: use bind context_id to log the right interfaces (8.0.x backport) +Bug #8374: dcerpc: parser does not support multiple PDUs (8.0.x backport) +Bug #8373: dcerpc: logs not created after unhandled packet such as auth3 (8.0.x backport) +Bug #8170: dpdk: DPDK tag inadvertently changes compile architecture (8.0.x backport) +Bug #8162: schema: allow `http_request_body` fields (8.0.x backport) +Feature #8562: firewall: support NTP hook states for firewall rule evaluation (8.0.x backport) +Feature #8544: firewall: source field in alert/drop events to distinguish firewall from IDS/IPS (8.0.x backport) +Feature #8432: firewall: support SNMP hook states for firewall rule evaluation (8.0.x backport) +Feature #8400: output: improve flushing coverage (8.0.x backport) +Feature #8398: firewall: mark icode as supported +Feature #8321: dpdk: add Github CI live run tests for DPDK virtual devices (8.0.x backport) +Task #8483: snmp: add snmp.trap_type keyword (8.0.x backport) +Task #8476: rust: suppress rust audit notice for RUSTSEC-2026-0097 (rand) (8.0.x backport) +Task #8437: firewall: enable content inspect keywords for firewall mode (8.0.x backport) +Task #8409: firewall: add tests for hot reload of firewall mode rules (8.0.x backport) +Task #8360: rust: update psl crate (8.0.x backport) + 8.0.4 -- 2026-03-12 Security #8364: stream: quadratic complexity in stream inspection (8.0.x backport)(HIGH - CVE 2026-31933) diff --git a/configure.ac b/configure.ac index 50f126f6d3..29fbfaa9ff 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ - AC_INIT([suricata],[8.0.5-dev]) + AC_INIT([suricata],[8.0.5]) m4_ifndef([AM_SILENT_RULES], [m4_define([AM_SILENT_RULES],[])])AM_SILENT_RULES([yes]) AC_CONFIG_HEADERS([src/autoconf.h]) AC_CONFIG_SRCDIR([src/suricata.c]) diff --git a/rust/Cargo.lock.in b/rust/Cargo.lock.in index 1ed0c1febe..a44b8d75f3 100644 --- a/rust/Cargo.lock.in +++ b/rust/Cargo.lock.in @@ -1512,7 +1512,7 @@ checksum = "6bdef32e8150c2a081110b42772ffe7d7c9032b606bc226c8260fd97e0976601" [[package]] name = "suricata" -version = "8.0.5-dev" +version = "8.0.5" dependencies = [ "aes", "aes-gcm", @@ -1565,7 +1565,7 @@ dependencies = [ [[package]] name = "suricata-derive" -version = "8.0.5-dev" +version = "8.0.5" dependencies = [ "proc-macro-crate", "proc-macro2", @@ -1575,7 +1575,7 @@ dependencies = [ [[package]] name = "suricata-htp" -version = "8.0.5-dev" +version = "8.0.5" dependencies = [ "base64", "brotli", @@ -1601,11 +1601,11 @@ dependencies = [ [[package]] name = "suricata-sys" -version = "8.0.5-dev" +version = "8.0.5" [[package]] name = "suricatactl" -version = "8.0.5-dev" +version = "8.0.5" dependencies = [ "clap", "once_cell", @@ -1616,7 +1616,7 @@ dependencies = [ [[package]] name = "suricatasc" -version = "8.0.5-dev" +version = "8.0.5" dependencies = [ "clap", "home", diff --git a/rust/sys/src/sys.rs b/rust/sys/src/sys.rs index 75cbf35b3c..ac26b7a045 100644 --- a/rust/sys/src/sys.rs +++ b/rust/sys/src/sys.rs @@ -1,6 +1,6 @@ // This file is automatically generated. Do not edit. -pub const SC_PACKAGE_VERSION: &[u8; 10] = b"8.0.5-dev\0"; +pub const SC_PACKAGE_VERSION: &[u8; 6] = b"8.0.5\0"; pub type __intmax_t = ::std::os::raw::c_long; pub type intmax_t = __intmax_t; #[repr(u32)]