21:11 Craig Leres (leres) 

security/zeek: Update to 4.0.1 to fix null-pointer dereference and potential DOS

    https://github.com/zeek/zeek/releases/tag/v4.0.1

This release fixes the following vulnerability:

 - Fix null-pointer dereference when encountering an invalid enum
   name in a config/input file that tries to read it into a set[enum].
   For those that have such an input feed whose contents may come
   from external/remote sources, this is a potential DoS vulnerability.

Other fixes:

 - Fix mime type detection bug in IRC/FTP file_transferred event
   for file data containing null-bytes

 - Fix potential for missing timestamps in SMB logs

 - Remove use of LeakSanitizer API on FreeBSD where it's unsupported

 - Fix incorrect parsing of ERSPAN Type I

 - Fix incorrect/overflowed n value for SSL_Heartbeat_Many_Requests
   notices where number of server heartbeats is greater than number
   of client heartbeats.

 - Fix missing user_agent existence check in smtp/software.zeek
   (causes reporter.log error noise, but no functional difference)

 - Fix include order of bundled headers to avoid conflicts with
   pre-existing/system-wide installs

 - Fix musl build (e.g. Void, Alpine, etc.)

 - Fix build with -DENABLE_MOBILE_IPV6 / ./configure --enable-mobile-ipv6

 - Add check for null packet data in pcap IOSource, which is an
   observed state in Myricom libpcap that crashes Zeek via null-pointer
   dereference

 - Allow CRLF line-endings in Zeek scripts and signature files

 - Fix armv7 build

 - Fix unserialization of set[function], generally now used by
   connection record removal hooks, and specifically breaking
   intel.log of Zeek clusters

 - Fix indexing of set/table types with a vector

 - Fix precision loss in ASCII logging/printing of large double,
   time, or interval values

 - Improve handling of invalid SIP data before requests

 - Fix copy()/cloning vectors that have holes (indices w/ null
   values)

Reported by:	Jon Siwek

    274b20e

05:13 Craig Leres (leres) 

security/zeek: Unbreak armv7 build and fix testport issue

Add a patch from upstream to fix building on armv7 (used by pfsense):

    https://github.com/zeek/zeek/issues/1496

Thanks to @garga for the pointer.

Fix a testport "left over" file @adridg reported. When zeek is run
as part of package installation, it copies some config files to
spool/installed-scripts-do-not-touch/site and local.zeek.sample
hitches a ride and needs to be removed on uninstall. But it is not
really a @sample candidate.

While we're here fix some minor portlint (env -> ${SETENV}) and
clean up some commented out directives.

Reported by:	garga adridg

    9c36d02