release: 8.0.4; update changelog

ChangeLog

@@ -1,3 +1,50 @@
+8.0.4 -- 2026-03-12
+
+Security #8364: stream: quadratic complexity in stream inspection (8.0.x backport)(HIGH - CVE 2026-31933)
+Security #8306: krb5: internal request/response buffering leads to quadratic complexity (8.0.x backport)(HIGH - CVE 2026-31932)
+Security #8297: detect/ssl: null deref with tls.alpn keyword (8.0.x backport)(HIGH - CVE 2026-31931)
+Security #8295: http2: unbounded number of http2 frames per transaction (8.0.x backport)(CRITICAL - CVE 2026-31935)
+Security #8293: smtp/mime: quadratic complexity while looking for url strings (8.0.x backport)(HIGH - CVE 2026-31934)
+Security #8287: krb5: TCP parser never advances past the first record in a multi-record segment (8.0.x backport)
+Bug #8371: dpdk: "auto" in mempool size undercalculates the mempool size for Rx/Tx descriptors (8.0.x backport)
+Bug #8369: ldap: add ldap.rules file (8.0.x backport)
+Bug #8367: ndpi: crashing in StorageGetById() (8.0.x backport)
+Bug #8362: http2: detection should use a better architecture than the Vec escaped (8.0.x backport)
+Bug #8357: ldap: abandon request incorrectly handled (8.0.x backport)
+Bug #8326: hs: harden cache manipulation (8.0.x backport)
+Bug #8317: ldap: no invalid_data event in case of invalid request (8.0.x backport)
+Bug #8312: firewall: af-packet IPS mode overwrites firewall mode (8.0.x backport)
+Bug #8309: plugins/ndpi: SIGSEGV in DetectnDPIProtocolPacketMatch (8.0.x backport)
+Bug #8280: build: when documentation tools are install, make dist attempt to install files to prefix (8.0.x backport)
+Bug #8268: Double log rotation with rotation flag/interval (8.0.x backport)
+Bug #8260: lib: examples fail with debug validation as they create threads after threads are sealed (8.0.x backport)
+Bug #8252: dpdk: (x)stats are only accessible before port stop (8.0.x backport)
+Bug #8249: lua: calling metatable garbage collector with nil from a script leadsd to a null pointer dereference (8.0.x backport)
+Bug #8244: hyperscan: coverity warning on stat path check (8.0.x backport)
+Bug #8230: detect/app-layer-event: alert generated for the wrong packet (8.0.x backport)
+Bug #8219: base64: base64_data with relative match after base64_decode:relative fails (8.0.x backport)
+Bug #8207: firewall: loading rules only through yaml fails (8.0.x backport)
+Bug #8167: utils-spm-hs: missing deallocators on hs_compile failure (8.0.x backport)
+Bug #8164: decode/ipv6: set invalid event for wrong ip version (8.0.x backport)
+Bug #7982: detect/tls: zero characters in keywords such as alt name are mishandled (8.0.x backport)
+Optimization #8343: conf: stream.depth is unlimited when absent from the suricata.yaml 
+Optimization #8299: stream/tcp: flag 1st seen pkt w stream established (8.0.x backport)
+Feature #8323: hs: add pruning stats details of removal reason (8.0.x backport)
+Feature #8316: firewall: support iprep in firewall mode (8.0.x backport)
+Feature #8235: rules/transform: add gunzip transform (8.0.x backport)
+Feature #8233: nfs: log detailed response for versions other than v3 (8.0.x backport)
+Feature #7893: hyperscan: support cache invalidation and removal (8.0.x backport)
+Task #8270: rust: suppress nugatory RUSTSEC-2026-0009 for time crate (8.0.x backport)
+Task #8194: psl: crate should be updated on every release (8.0.x backport)
+Task #8159: build-scopes: add QA or SIMULATION mode (8.0.x backport)
+Task #8097: libsuricata: add live example usage of the Suricata library (8.0.x backport)
+Documentation #8331: doc: explain dcerpc.opnum doesn't support operators >,<,!,= (8.0.x backport)
+Documentation #8263: doc/userguide: fix within-distance pointer graphics in payload-keywords doc (8.0.x backport)
+Documentation #8240: isdataat: document different semantics between absolute and relative modes (8.0.x backport)
+Documentation #8217: rules/endswith: doc wrong for offset/distance/within warning (8.0.x backport)
+Documentation #8114: doc: remove mention of suricata-7 in latest docs (8.0.x backport)
+Documentation #7932: devguide: add a chapter about Suricata's exception policies (8.0.x backport)
+
 8.0.3 -- 2026-01-09
 
 Security #8202: http: quadratic complexity in headers parsing over multiple packets (8.0.x backport)(HIGH - CVE 2026-22263)

configure.ac

@@ -1,4 +1,4 @@
-    AC_INIT([suricata],[8.0.4-dev])
+    AC_INIT([suricata],[8.0.4])
     m4_ifndef([AM_SILENT_RULES], [m4_define([AM_SILENT_RULES],[])])AM_SILENT_RULES([yes])
     AC_CONFIG_HEADERS([src/autoconf.h])
     AC_CONFIG_SRCDIR([src/suricata.c])

rust/Cargo.lock.in

@@ -1512,7 +1512,7 @@ checksum = "6bdef32e8150c2a081110b42772ffe7d7c9032b606bc226c8260fd97e0976601"
 
 [[package]]
 name = "suricata"
-version = "8.0.4-dev"
+version = "8.0.4"
 dependencies = [
  "aes",
  "aes-gcm",
@@ -1565,7 +1565,7 @@ dependencies = [
 
 [[package]]
 name = "suricata-derive"
-version = "8.0.4-dev"
+version = "8.0.4"
 dependencies = [
  "proc-macro-crate",
  "proc-macro2",
@@ -1575,7 +1575,7 @@ dependencies = [
 
 [[package]]
 name = "suricata-htp"
-version = "8.0.4-dev"
+version = "8.0.4"
 dependencies = [
  "base64",
  "brotli",
@@ -1601,11 +1601,11 @@ dependencies = [
 
 [[package]]
 name = "suricata-sys"
-version = "8.0.4-dev"
+version = "8.0.4"
 
 [[package]]
 name = "suricatactl"
-version = "8.0.4-dev"
+version = "8.0.4"
 dependencies = [
  "clap",
  "once_cell",
@@ -1616,7 +1616,7 @@ dependencies = [
 
 [[package]]
 name = "suricatasc"
-version = "8.0.4-dev"
+version = "8.0.4"
 dependencies = [
  "clap",
  "home",

rust/sys/src/sys.rs

@@ -1,6 +1,6 @@
 // This file is automatically generated. Do not edit.
 
-pub const SC_PACKAGE_VERSION: &[u8; 10] = b"8.0.4-dev\0";
+pub const SC_PACKAGE_VERSION: &[u8; 6] = b"8.0.4\0";
 pub type __intmax_t = ::std::os::raw::c_long;
 pub type intmax_t = __intmax_t;
 #[repr(u32)]