2020-06-01 security/bro: Please migrate to security/zeek
Notes:
svn path=/head/; revision=537563
to the new security/zeek port. Add CONFLICTS=zeek due to overlap.
Approved by: matthew (mentor, implicit)
Notes:
svn path=/head/; revision=517789
Broccoli is deprecated in favor of broker; flag this in the BROCCOLI
option description and change the BROCTL option to imply BROKER.
PR: 240909
Submitted by: Jeremy Baggs
Approved by: ler (mentor, implicit)
Notes:
svn path=/head/; revision=514568
Service vulnerability:
https://raw.githubusercontent.com/zeek/zeek/3b5a9f88ece1d274edee897837e280ef751bde94/NEWS
- The NTLM analyzer did not properly handle AV Pair sequences that
were either empty or unterminated, resulting in invalid memory
access or heap buffer over-read. The NTLM analyzer is enabled
by default and used in the analysis of SMB, DCE/RPC, and GSSAPI
protocols.
Approved by: ler (mentor, implicit)
MFH: 2019Q3
Security: 55571619-454e-4769-b1e5-28354659e152
Notes:
svn path=/head/; revision=512245
Notes:
svn path=/head/; revision=508909
vulnerabilities:
https://raw.githubusercontent.com/zeek/zeek/1d874e5548a58b3b8fd2a342fe4aa0944e779809/NEWS
- Null pointer dereference in the RPC analysis code. RPC analyzers
(e.g. MOUNT or NFS) are not enabled in the default configuration.
- Signed integer overflow in BinPAC-generated parser code. The
result of this is Undefined Behavior with respect to the array
bounds checking conditions that BinPAC generates, so it's
unpredictable what an optimizing compiler may actually do under
the assumption that signed integer overflows should never happen.
The specific symptom which led to finding this issue was with
the PE analyzer causing out-of-memory crashes due to large
allocations that were otherwise prevented when the array bounds
checking logic was changed to prevent any possible signed integer
overflow.
Approved by: matthew (mentor, implicit)
MFH: 2019Q3
Security: f56669f5-d799-4ff5-9174-64a6d571c451
Notes:
svn path=/head/; revision=508458
as defined in Mk/bsd.default-versions.mk which has moved from GCC 8.3
to GCC 9.1 under most circumstances now after revision 507371.
This includes ports
- with USE_GCC=yes or USE_GCC=any,
- with USES=fortran,
- using Mk/bsd.octave.mk which in turn features USES=fortran, and
- with USES=compiler specifying openmp, nestedfct, c11, c++0x, c++11-lang,
c++11-lib, c++14-lang, c++17-lang, or gcc-c++11-lib
plus, everything INDEX-11 shows with a dependency on lang/gcc9 now.
PR: 238330
Notes:
svn path=/head/; revision=507372
vulnerabilities:
https://raw.githubusercontent.com/zeek/zeek/bb979702cf9a2fa67b8d1a1c7f88d0b56c6af104/NEWS
- Integer type mismatches in BinPAC-generated parser code and Bro
analyzer code may allow for crafted packet data to cause
unintentional code paths in the analysis logic to be taken due
to unsafe integer conversions causing the parser and analysis
logic to each expect different fields to have been parsed. One
such example, reported by Maksim Shudrak, causes the Kerberos
analyzer to dereference a null pointer. CVE-2019-12175 was
assigned for this issue.
- The Kerberos parser allows for several fields to be left
uninitialized, but they were not marked with an &optional attribute
and several usages lacked existence checks. Crafted packet data
could potentially cause an attempt to access such uninitialized
fields, generate a runtime error/exception, and leak memory.
Existence checks and &optional attributes have been added to the
relevant Kerberos fields.
- BinPAC-generated protocol parsers commonly contain fields whose
length is derived from other packet input, and for those that
allow for incremental parsing, BinPAC did not impose a limit on
how large such a field could grow, allowing for remotely-controlled
packet data to cause growth of BinPAC's flowbuffer bounded only
by the numeric limit of an unsigned 64-bit integer, leading to
memory exhaustion. There is now a generalized limit for how
large flowbuffers are allowed to grow, tunable by setting
"BinPAC::flowbuffer_capacity_max".
Approved by: ler (mentor, implicit)
MFH: 2019Q2
Security: 177fa455-48fc-4ded-ba1b-9975caa7f62a
Notes:
svn path=/head/; revision=503191
which defaults to enabled, mimicking pre-geoip-deprecation.
PR: 235138
Submitted by: bofh
Approved by: ler (mentor, implicit)
Notes:
svn path=/head/; revision=491993
remove GeoIP dependency and undeprecate.
Approved by: ler (mentor, implicit)
Notes:
svn path=/head/; revision=490306
on those ports.
Notes:
svn path=/head/; revision=490213
Ports that build out of source now simply can use "USES=cmake"
instead of "USES=cmake:outsource". Ports that fail to build
out of source now need to specify "USES=cmake:insource".
I tried to only set insource where explicitly needed.
PR: 232038
Exp-run by: antoine
Notes:
svn path=/head/; revision=488341
- Update the embedded SQLite library from 3.18.0 to 3.26.0 to
address a remote code execution vulnerability ("Magellan").
- Uses a bundled version of the actor-framework (caf) library so
we can remove the port-local build for caf.
Replace broctl-config.sh absolute symlink with a relative one.
Approved by: ler (mentor, implicit)
MFH: 2018Q4
Security: b80f039d-579e-4b82-95ad-b534a709f220
Notes:
svn path=/head/; revision=487823
defined via Mk/bsd.default-versions.mk which has moved from GCC 7.4 to
GCC 8.2 under most circumstances.
This includes ports
- with USE_GCC=yes or USE_GCC=any,
- with USES=fortran,
- using Mk/bsd.octave.mk which in turn features USES=fortran, and
- with USES=compiler specifying openmp, nestedfct, c11, c++0x, c++11-lang,
c++11-lib, c++14-lang, c++17-lang, or gcc-c++11-lib
plus, as a double check, everything INDEX-11 showed depending on lang/gcc7.
PR: 231590
Notes:
svn path=/head/; revision=487272
in the base. Unbreak build by statically linking against
security/openssl. This is a stopgap until Bro 2.6 which supports
openssl 1.1 is released. It is currently in beta and due in a
few weeks.
Add missing NETMAP_DESC while we're here.
Reviewed by: ler (mentor)
Approved by: ler (mentor)
Differential Revision: https://reviews.freebsd.org/D17602
Notes:
svn path=/head/; revision=482313
- Fix array bounds checking in BinPAC: for arrays that are
fields within a record, the bounds check was based on a pointer
to the start of the record rather than the start of the array
field, potentially resulting in a buffer over-read.
- Fix SMTP command string comparisons: the number of bytes
compared was based on the user-supplied string length and can
lead to incorrect matches, e.g. giving a command of "X"
incorrectly matched "X-ANONYMOUSTLS" (and an empty command
matched anything).
- "Weird" events are now generally suppressed/sampled by default
according to some tunable parameters.
- Improved handling of empty lines in several text protocol
analyzers that can cause performance issues when seen in long
sequences.
- Add `smtp_excessive_pending_cmds' weird which serves as a
notification for when the "pending command" queue has reached
an upper limit and been cleared to prevent one from attempting
to slowly exhaust memory.
Approved by: ler (mentor, implicit)
MFH: 2018Q3
Security: d0be41fe-2a20-4633-b057-4e8b25c41780
Notes:
svn path=/head/; revision=478427
in the ports tree (via Mk/bsd.default-versions.mk and lang/gcc) which
has now moved from GCC 6 to GCC 7 by default.
This includes ports
- featuring USE_GCC=yes or USE_GCC=any,
- featuring USES=fortran,
- using Mk/bsd.octave.mk which in turn features USES=fortran, and those
- with USES=compiler specifying one of openmp, nestedfct, c11, c++0x,
c++11-lib, c++11-lang, c++14-lang, c++17-lang, or gcc-c++11-lib.
PR: 222542
Notes:
svn path=/head/; revision=475857
- Multiple fixes and improvements to BinPAC generated code
related to array parsing, with potential impact to all Bro's
BinPAC-generated analyzers in the form of buffer over-reads
or other invalid memory accesses depending on whether a
particular analyzer incorrectly assumed that the
evaluated-array-length expression is actually the number of
elements that were parsed out from the input.
- The NCP analyzer (not enabled by default and also updated
to actually work with newer Bro APIs in the release) performed
a memory allocation based directly on a field in the input
packet and using signed integer storage. This could result
in a signed integer overflow and memory allocations of
negative or very large size, leading to a crash or memory
exhaustion. The new NCP::max_frame_size tuning option now
limits the maximum amount of memory that can be allocated.
Other fixes:
- A memory leak in the SMBv1 analyzer.
- The MySQL analyzer was generally not working as intended,
for example, it now is able to parse responses that contain
multiple results/rows.
Add gettext-runtime to USES to address a poudriere testport
warning.
Reviewed by: matthew (mentor)
Approved by: matthew (mentor)
MFH: 2018Q2
Security: 2f4fd3aa-32f8-4116-92f2-68f05398348e
Differential Revision: https://reviews.freebsd.org/D15678
Notes:
svn path=/head/; revision=472014
Sponsored by: Absolight
Notes:
svn path=/head/; revision=470610
Notes:
svn path=/head/; revision=465145
to bin/perftools-pprof; update RUN_DEPENDS for security/bro
accordingly.
Reported by: James Welcher
Reviewed by: ler (mentor)
Approved by: ler (mentor)
Differential Revision: https://reviews.freebsd.org/D14708
Notes:
svn path=/head/; revision=464711
http://blog.bro.org/2018/02/bro-253-released-security-update.html
Note that a CVE has not been assigned yet.
Reviewed by: matthew (mentor)
Approved by: matthew (mentor)
MFH: 2018Q1
Differential Revision: https://reviews.freebsd.org/D14444
Notes:
svn path=/head/; revision=462460
PR: 224918
Reported by: Shane Peters
Reviewed by: matthew (mentor)
Approved by: matthew (mentor)
Differential Revision: https://reviews.freebsd.org/D14378
Notes:
svn path=/head/; revision=462351
Sponsored by: Absolight
Notes:
svn path=/head/; revision=461924
- Patch OOB write in content-line analyzer:
https://bro-tracker.atlassian.net/browse/BIT-1856
A combination of packets can trigger an out-of-bounds write of a
'0' byte in the content-line analyzer.
Reviewed by: ler (mentor)
Approved by: ler (mentor)
Differential Revision: https://reviews.freebsd.org/D12754
Notes:
svn path=/head/; revision=452618
Approved by: portmgr blanket
Notes:
svn path=/head/; revision=450189
to use my @FreeBSD.org email address.
- devel/arduino
- devel/arduino-glcd
- devel/arduino-irremote
- devel/arduino-mk
- devel/arduino-sevseg
- net/hostapd
- net/py-pcap
- security/bro
- security/broccoli
- security/create-cert
- sysutils/lbl-cf
- sysutils/lbl-hf
- www/mini_httpd
Reviewed by: ler (mentor)
Approved by: ler (mentor)
Differential Revision: https://reviews.freebsd.org/D12374
Notes:
svn path=/head/; revision=449916
(via Mk/bsd.default-versions.mk and lang/gcc) which has moved from
GCC 5.4 to GCC 6.4 under most circumstances.
This includes ports
- with USE_GCC=yes or USE_GCC=any,
- with USES=fortran,
- using Mk/bsd.octave.mk which in turn features USES=fortran, and
- with USES=compiler specifying openmp, nestedfct, c++11-lib, c++11-lang,
c++14-lang, c++0x, c11, or gcc-c++11-lib.
PR: 219275
Notes:
svn path=/head/; revision=449591
Also, unbreak build with BROKER, add rc.d script
PR: 217656
Submitted by: leres@ee.lbl.gov (maintainer)
Notes:
svn path=/head/; revision=448446
Approved by: rakuco (mentor, implicit)
Notes:
svn path=/head/; revision=441056
While here, pet portlint.
Approved by: portmgr (tier-2 blanket)
Notes:
svn path=/head/; revision=439789
lang/gcc which have moved from GCC 4.9.4 to GCC 5.4 (at least under some
circumstances such as versions of FreeBSD or platforms).
This includes ports
- with USE_GCC=yes or USE_GCC=any,
- with USES=fortran,
- using Mk/bsd.octave.mk which in turn has USES=fortran, and
- with USES=compiler specifying openmp, nestedfct, c++11-lib, c++14-lang,
c++11-lang, c++0x, c11, or gcc-c++11-lib.
PR: 216707
Notes:
svn path=/head/; revision=437439
Approved by: portmgr blanket
Notes:
svn path=/head/; revision=431169
option description. Those ports where it meant something more specific were
left untouched.
Notes:
svn path=/head/; revision=424875
The "build with Ports SSL" option is no longer valid. The SSL library is
selected through the SSL_DEFAULT value. While removing the PORTS_SSL
option, modernize the entire set of options under the general
infrastructure blanket. The SSL work, including the support for LibreSSL
was done under the SSL blanket.
Notes:
svn path=/head/; revision=421972
Sponsored by: Absolight
Notes:
svn path=/head/; revision=418011
WITH_OPENSSL_* can't be set after bsd.port.pre.mk.
Fold all other usage into using SSL_DEFAULT == foo
PR: 210149
Submitted by: mat
Exp-run by: antoine
Sponsored by: The FreeBSD Foundation, Absolight
Differential Revision: https://reviews.freebsd.org/D6577
Notes:
svn path=/head/; revision=416966
Notes:
svn path=/head/; revision=413746
With hat: portmgr
Sponsored by: Absolight
Notes:
svn path=/head/; revision=412349
- Remove always false condition
Approved by: portmgr blanket
Notes:
svn path=/head/; revision=404057
PR: 203849
Submitted by: leres@ee.lbl.gov (maintainer)
Notes:
svn path=/head/; revision=400050
PR: 198018
Submitted by: Craig Leres <leres@ee.lbl.gov>
Notes:
svn path=/head/; revision=380437
This updates bro and broccoli from 2.3 to 2.3.2, which is a security
update.
Changes to the bro port:
- Rework openssl option logic
- Remove obsolete
- pkgng related changes
Changes to the broccoli port:
- Remove unused DOCS option
- Enable PYTHON by default
- pkgng related changes
- Minor portlint changes
Changes in 2.3.2:
- DNP3: fix reachable assertion and buffer over-read/overflow.
CVE number pending. (Travis Emmert, Jon Siwek)
- Update binpac: Fix potential out-of-bounds memory reads in
generated code. CVE-2014-9586. (John Villamil and Chris Rohlf
- Yahoo Paranoids, Jon Siwek)
- BIT-1234: Fix build on systems that already have ntohll/htonll.
(Jon Siwek)
- BIT-1291: Delete prebuilt python bytecode files from git. (Jon Siwek)
- Adding call to new binpac::init() function. (Robin Sommer)
Changes in 2.3.1:
- Fix a reference counting bug in ListVal ctor. (Jon Siwek)
- Fix possible buffer over-read in DNS TSIG parsing. (Jon Siwek)
- Change EDNS parsing code to use rdlength more cautiously. (Jon Siwek)
- Fix null pointer dereference in OCSP verification code in
case no certificate is sent as part of the OCSP reply. Addresses
BIT-1212. (Johanna Amann)
- Fix OCSP reply validation. Addresses BIT-1212 (Johanna Amann)
- Make links in documentation templates protocol relative. (Johanna Amann)
PR: 197107
Submitted by: Craig Leres <leres@ee.lbl.gov> (maintainer)
Reviewed by: koobs
Notes:
svn path=/head/; revision=378333
Submitted by: maintainer (private mail)
Notes:
svn path=/head/; revision=367093
Merge back bsd.pkgng.mk into bsd.port.mk
Add a note about @stopdaemon not being supported anymore
With hat: portmgr
Differential Revision: https://reviews.freebsd.org/D693
Notes:
svn path=/head/; revision=366875
PR: 192646
Submitted by: maintainer (Craig Leres)
Notes:
svn path=/head/; revision=364876
r364627.
Approved by: portmgr (not really, but touches unstaged ports)
Notes:
svn path=/head/; revision=364628
PR: 192105
Submitted by: leres@ee.lbl.gov (maintainer)
Notes:
svn path=/head/; revision=364576
- Convert to new-new OPTIONS framework.
- Use new *_DEPENDS formats.
- Fix LICENSE.
PR: ports/185455
Submitted by: Craig Leres <leres@ee.lbl.gov> (maintainer)
Notes:
svn path=/head/; revision=338927
Submitted by: Craig Leres (maintainer)
Notes:
svn path=/head/; revision=335521