Jon Siwek of Corelight reports:
This release addresses the following security issues:
- Potential Denial of Service due to memory leak in DNS TSIG message parsing.
- Potential Denial of Service due to memory leak (or assertion when compiling with assertions enabled) when receiving a second SSH KEX message after a first.
- Potential Denial of Service due to buffer read overflow and/or memory leaks in Kerberos analyzer. The buffer read overflow could occur when the Kerberos message indicates it contains an IPv6 address, but does not send enough data to parse out a full IPv6 address. A memory leak could occur when processing KRB_KDC_REQ/KRB_KDC_REP messages for message types that do not match a known/expected type.
- Potential Denial of Service when sending many zero-length SSL/TLS certificate data. Such messages underwent the full Zeek file analysis treatment, which is expensive (and meaningless here) compared to how cheaply one can "create" or otherwise indicate many zero-length certificates contained in an SSL message.
- Potential Denial of Service due to buffer read overflow in SMB transaction data string handling. The length of strings being parsed from SMB messages was trusted to be whatever the message claimed instead of the actual length of data found in the message.
- Potential Denial of Service due to null pointer dereference in FTP ADAT Base64 decoding.
- Potential Denial of Service due to buffer read overflow in FTP analyzer word/whitespace handling. This typically won't be a problem in most default deployments of Zeek since the FTP analyzer receives data from a ContentLine (NVT) support analyzer which first null-terminates the buffer used for further FTP parsing.