Commit graph

21 commits

Author SHA1 Message Date
adrianp
55341ffa93 Add debug option
Suggested by Jason Miller in private email
2006-04-18 22:39:32 +00:00
adrianp
df223db62c Update to 2.4.4
This includes the fix for:
	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0839
> +2006-02-20 Steven Sturges <ssturges@sourcefire.com>
> +    * src/preprocessors/spp_frag3.c:
> +    * configure.in:
> +      Fix ip options handling.  Thanks to Vyacheslav Burdjanadze for
> +      finding the issue.
> +
> +2006-01-09 Steven Sturges <ssturges@sourcefire.com>
> +    * src/sfutil/mwm.c:
> +      Fixed bug with multiple recurring patterns in Wu-Manbher implementation.
> +      Thanks to Evan Stawnyczy for pointing it out an Marc Norton for the
> +      fix.
> +    * src/parser/IpAddrSet.c:
> +      Fixed problem with parsing conf file and rules when DNS is not working.
> +      Thanks Martin Olsson for mentioning this and testing the fix.
> +    * src/preprocessors/spp_perfmonitor.c:
> +    * src/preprocessors/perf-base.c:
> +      Handle wrapping on 64-bit platforms
> +
> +2005-11-17 Andrew Mullican <amullican@sourcefire.com>
> +    * src/sfutil/sfxhash.c:
> +    * src/preprocessors/portscan.c:
> +      Add tracker without using bogus data, to avoid internal buffer overrun.
> +      Thanks Sandro Poppi for the find.
> +
> +2005-11-11 Steven Sturges <ssturges@sourcefire.com>
> +    * src/snort.c:
> +      Allow value of 0 to be used with -G flag
> +    * src/preprocessors/spp_bo.c:
> +      Code Cleanup
> +    * src/preprocessors/spp_frag3.c:
> +      Fix memory leak and mishandling of IP Options.  Thanks Yin
> +      Zhaohui for the find.
2006-03-09 09:37:44 +00:00
joerg
5911def816 Recursive revision bump / recommended bump for gettext ABI change. 2006-02-05 23:08:03 +00:00
adrianp
557b62da26 Include database schemas in the install
Bump snort{-mysql,-pgsql} to nb1
2006-01-03 17:34:40 +00:00
rillig
579e977969 Ran "pkglint --autofix", which corrected some of the quoting issues in
CONFIGURE_ARGS.
2005-12-05 23:55:01 +00:00
recht
8dc45652d4 Use the new mk/pgsql.buildlink3.mk to select the correct PostgreSQL
version.
2004-07-24 22:45:14 +00:00
adrianp
50d878d662 - Upgrade snort to 2.1.3
- Grab maintainership of the package (with ok of previous owner)
- Use SUBST_* code

Ok'ed wiz@, snj@, salo@

From the changelog:

2004-05-06 Daniel Roelker <droelker@sourcefire.com>

    * src/detection-plugins/sp_pattern_match.c:
      Fixed rule read up error when parsing hexmode content options.
      Thanks for pointing it out Toni Maatta.  (Roelker)

    * src/preprocessors/spp_stream4.c:
      Fixed null pointer dereference when detect_scans were enabled and
      creating a new session that had funky flags.  Thanks to Chad
      Kreimendahl for reporting the bug and testing the fix.  (Roelker)

2004-04-20 Daniel Roelker <droelker@sourcefire.com>

    * src/event_queue.c:
    * src/event_queue.h:
    * src/sfutil/sfeventq.c:
    * src/sfutil/sfeventq.h:
      Added multi-event queueing in Snort.  Snort now supports logging
      multiple events per packet, and prioritizing those events using
      different methods.  Thanks to H.D. Moore for illustrating event
      obfuscations when snort only logged one event per packet. (Roelker)

    * src/snort.c:
    * src/decode.c:
    * src/detect.c:
    * src/fpcreate.c:
    * src/fpdetect.c:
    * src/preprocessors/spp_arpspoof.c:
    * src/preprocessors/spp_bo.c:
    * src/preprocessors/spp_frag2.c:
    * src/preprocessors/snort_httpinspect.c:
    * src/preprocessors/spp_rpc_decode.c:
    * src/preprocessors/spp_stream4.c:
      Updated event generators to use new event queueing system.  (Roelker)

    * src/output-plugins/spo_alert_fast.c:
      Added newline to 'cmg' alert output, so IP decode is easier to
      read.  (Roelker)

    * src/output-plugins/spo_database.c:
      Updated how current/utc times are calculated, as well as how they are
      formatted, thanks Marcus Janoski.  (Reid)

    * src/parser.c:
      Error on unterminated IP lists.  Added 'config event_queue' parameter.
      Configuration changes to 'config checksum_mode' for specifying
      which checksums to do.  (Norton)

    * src/plugbase.h:
      Fixes from Chris Reid for timestamp routines.  (Reid)

    * src/tag.c:
      Revert to old tag functionality.  Will add proposed tagging
      configurations in the future.  (Roelker)
2004-07-01 17:10:22 +00:00
snj
610e9fc4d2 Convert to buildlink3. 2004-04-10 03:10:52 +00:00
wiz
a661ce60c0 PKGREVISION bump after openssl-security-fix-update to 0.9.6m.
Buildlink files: RECOMMENDED version changed to current version.
2004-03-26 02:27:34 +00:00
salo
495195d60a Update to version 2.1.0.
Changes:

2.1.0:
======
- A new connection tracking module, Flow (replaces conversation)
- A new portscan detector based off of Flow, Flow-Portscan (replaces
  portscan2)
- A new http preprocessor, HttpInspect (replaces http_decode)
- Alert Thresholding and Suppression
- PCRE rule keyword (Perl Compat Regular Expressions)
- isdataat rule keyword (buffer length detection)
- A ton of new and updated rules.

2.0.6:
======
- 64-bit update for detection engine. (Thanks, Silio d'Angelo)
- Added better PPP decoding. (Thanks Jesper Peterson)
- Updated ip_proto optimization for high-speed detection engine.
- Fixed infinite loop problem that was introduced by the recursive pattern
  matching patch. Reported by Lawrence Reed, thanks for testing out the
  changes for us!
- Various changes to help respond (version 1) work a little better.
- spp_http_decode 64-bit patch from Dirk Mueller.
- Out-of-order ACK problem from Andrew Rucker. Also, updated stream4 to the
  most recent version from HEAD.
- Minor fixes to tagging related to 'src' and 'dst' directives
- When counting one byte patterns in 'ningroup' added a check for
  psLen==1 (wu-manber pattern matcher). Thanks Josh Sakofsky and Dennis
  McGuire for helping us test this.

2.0.5:
======
- Stream4 fixes from Andrew Rucker Jones.
- Allow memcap to be configured for threshold features.

2.0.4:
======
- Fixed a core dump introduced with 2.0.3 when dealing with negated patterns

2.0.3:
======
- doe_ptr handling in byte_test/byte_jump slightly modified to work
  better with the pcre patch
- content processing is now recursive to make distance/within processing
  better ( thanks to Shai Rubin for patch! )
- fixed a bug in the mwm.c pattern matcher that resulted in some alerts
  not firing in a particular configuration of rules

2.0.2:
======
- Added Thresholding and Suppression features (Marc Norton/Sourcefire)
- Fixed TCP RST processing bug found (Shai Rubin)
- Cleanup of spp_arpspoof (Jeff Nathan)
- Cleanup of win32 version including proper Event Log support (Chris Reid)
- Munged data fixes for stream4 (Chris Green)
2003-12-31 14:11:42 +00:00
salo
d25c7f8aee Sync with snort-2.0.1 update. 2003-07-26 11:13:49 +00:00
salo
f926ba83a1 Bump PKGREVISION: honour PKG_SYSCONFDIR for real. (I thought I fixed this
before but apparently I did not :/)
2003-04-16 15:51:22 +00:00
jmc
fbc4cf27ed Add FILESDIR definition so the rc.d script can be installed 2003-03-30 23:15:45 +00:00
salo
974cf2e158 Updated to version 1.9.1.
This version fixes the buffer overflow issue noted in:

  http://www.kb.cert.org/vuls/id/916785

Changes:

 - follow PKG_SYSCONFDIR
 - added rc.d script
 - create own user and group
 - added MESSAGE with post-install instructions
 - removed DEINSTALL
 - minor cleanups (this package was really half-baked..)

1.9.1:
======
 - src/preprocessors/spp_rpc_decode.c (PreprocRpcDecode):
	- alignment errors on non-x86 platforms
	- added new space delimited options
	  alert_fragments
	  no_alert_multiple_requests
	  no_alert_large_fragments
	  no_alert_incomplete
 - corrected buffer overflow in fragment normalization
 - src/snort.c
	- Win32 '-s' parameter wasn't configured to accept an optarg,
	  but code expected one, causing null-pointer violation.
 - Backport of 2.0 fixes for stream4 ( off by one errors on reassembly )
2003-03-04 01:02:25 +00:00
wiz
b4066098db USE_BUILDLINK2=YES, will fix bulk build failure. 2003-01-10 15:32:48 +00:00
jlam
475cbe5281 Bump PKGREVISION due to increase in the major number of libpq.so between
version 7.2.3 and 7.3.1 of databases/postgresql-lib.
2003-01-05 20:14:20 +00:00
wiz
1aa7de4b6c buildlink1 -> buildlink2. 2002-10-10 12:26:53 +00:00
agc
a94f67ce57 Specify the PKGDIR properly, and use it where appropriate.
Add a missing CONFLICT on the new snort-mysql package.
2002-07-17 13:06:04 +00:00
wiz
d9e6cb3190 Prepend ${.CURDIR} to some paths. 2002-07-15 14:41:51 +00:00
wiz
e9b80bd3f4 More pkglint friendly. 2002-07-02 13:01:35 +00:00
rh
6cf5b08980 Initial import of snort-pgsql-1.8.6, a variant of the snort package that
uses a PostgreSQL backend.
2002-04-15 08:32:48 +00:00