Bro 2.5.2 & 2.4.2 release (security update)

We announce the release of Bro v2.5.2. The new version is now available for
download at:

    https://bro.org/download/index.html

or directly at:

    https://www.bro.org/downloads/bro-2.5.2.tar.gz

Binary packages for the new version are currently building and will be available
within the next few hours at:

    https://bro.org/download/packages.html

This is a security release that fixes an out-of-bounds write in the ContentLine
analyzer. This issue can be used by remote attackers to crash Bro (i.e. a DoS
attack). There is also a possibility that this can be exploited in other ways.

This bug was found by Frank Meier. A CVE has been requested for this bug.

Bro 2.5.2 does not contain any other changes. We urge everyone to update their
installation as quickly as possible.

Due to the potential severity of this bug, we also provide a patched version of
Bro v2.4.2. The only difference from version v2.4.1 is this bugfix. Please note
that we encourage users to use version 2.5.2 instead; we generally do not
provide security updates for old releases, and version 2.4.2 is missing a number of
other bugfixes that were applied to v2.5.2.

Version 2.4.2 is available for download at:

    https://www.bro.org/downloads/bro-2.4.2.tar.gz

Johanna

This is a security release that fixes an out-of-bounds write in the ContentLine
analyzer. This issue can be used by remote attackers to crash Bro (i.e. a DoS
attack). There is also a possibility that this can be exploited in other ways.

This has been assigned CVE-2017-1000458.

Johanna