Bro 2.5.4 release (security update)

We announce the release of Bro v2.5.4. The new version is now available
for download at:

or directly at:

Binary packages for the new version are currently building and will be
available in the next hours at:

This release has the following security fixes:

* Incorrect array parsing behavior in BinPAC-generated code with
  potential for remotely-triggerable buffer over-reads, invalid memory
  accesses, or assertions in Bro analyzers.

* The NCP analyzer could, depending on packet input, overflow signed
  integer storage and use the result in a subsequent memory allocation
  leading to crashes. Note that the NCP analyzer was not enabled by
  default and that it also was not properly updated to use newer Bro
  analyzer APIs, so the impact of this issue is limited to only those
  who may have done their own patching to get the NCP analyzer working
  in the first place.

There's also the following bug fixes:

* Fix a memory leak in the SMBv1 analyzer.

* General fixes for the MySQL analyzer. This update is included to
  avoid the appearance of a regression in the analyzer's
  output/functionality due to having relied on the previous, incorrect
  behavior of BinPAC.

Please update your Bro installations as soon as possible.