We announce the release of Bro v2.5.5. The new version is now available
for download at:
https://bro.org/download/index.html
or directly at:
https://www.bro.org/downloads/bro-2.5.5.tar.gz
Binary packages for the new version are currently building and will be
available within the next few hours at:
https://bro.org/download/packages.html
This release has the following security fixes:
* Fix array bounds checking in BinPAC: for arrays that are fields
within a record, the bounds check was based on a pointer to the start
of the record rather than the start of the array field, potentially
resulting in a buffer over-read.
* Fix SMTP command string comparisons: the number of bytes compared was
based on the user-supplied string length and could lead to incorrect
matches; e.g. giving a command of "X" incorrectly matched
"X-ANONYMOUSTLS" (and empty commands matched anything).
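As an added illustration (not Bro's own code), here is a minimal C model of that comparison defect: the buggy matcher compares only as many bytes as the caller supplied, so any prefix of a known command (including the empty string) matches, while the fixed matcher requires the lengths to agree first. The command table is constructed for the example and case folding is omitted.

```c
#include <stdio.h>
#include <string.h>

/* Constructed table of SMTP commands; X-ANONYMOUSTLS is the one named
 * in the advisory, the rest are ordinary RFC 5321 verbs. */
static const char *const kCommands[] = {
    "HELO", "EHLO", "MAIL", "RCPT", "DATA", "X-ANONYMOUSTLS", "QUIT", NULL
};

/* Buggy variant: strncmp() is bounded by the user-supplied length, so
 * "X" compares equal to "X-ANONYMOUSTLS" and a zero-length command
 * compares equal to the very first table entry. */
const char *match_command_buggy(const char *cmd, size_t cmd_len) {
    for (int i = 0; kCommands[i] != NULL; i++) {
        if (strncmp(cmd, kCommands[i], cmd_len) == 0)
            return kCommands[i];
    }
    return NULL;
}

/* Fixed variant: the lengths must agree before the bytes are compared,
 * so only an exact command name matches. */
const char *match_command_fixed(const char *cmd, size_t cmd_len) {
    for (int i = 0; kCommands[i] != NULL; i++) {
        if (strlen(kCommands[i]) == cmd_len &&
            memcmp(cmd, kCommands[i], cmd_len) == 0)
            return kCommands[i];
    }
    return NULL;
}

int main(void) {
    /* Constructed inputs: a one-byte prefix, an empty command,
     * an exact verb and a truncated verb. */
    const char *inputs[] = { "X", "", "EHLO", "EHL" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        size_t n = strlen(inputs[i]);
        const char *b = match_command_buggy(inputs[i], n);
        const char *f = match_command_fixed(inputs[i], n);
        printf("\"%s\": buggy=%s fixed=%s\n", inputs[i],
               b ? b : "(none)", f ? f : "(none)");
    }
    return 0;
}
```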
The following changes address potential vectors for Denial of Service
reported by Christian Titze & Jan Grashöfer of Karlsruhe Institute of
Technology:
* "Weird" events are now generally suppressed/sampled by default
according to some tunable parameters (see the changelog for more
details). These changes help improve performance issues resulting
from excessive numbers of weird events.
* Improved handling of empty lines in several text protocol analyzers
that can cause performance issues when seen in long sequences.
* Add 'smtp_excessive_pending_cmds' weird which serves as a
notification for when the "pending command" queue has reached an
upper limit and been cleared to prevent one from attempting to slowly
exhaust memory.
Please update your Bro installations as soon as possible.