Index: security/suricata/Makefile
===================================================================
--- security/suricata/Makefile
+++ security/suricata/Makefile
@@ -1,6 +1,5 @@
 PORTNAME= suricata
-DISTVERSION= 6.0.3
-PORTREVISION= 5
+DISTVERSION= 6.0.4
 CATEGORIES= security
 MASTER_SITES= https://www.openinfosecfoundation.org/download/
 
@@ -12,44 +11,44 @@ BUILD_DEPENDS= rustc:lang/${RUST_DEFAULT} LIB_DEPENDS= libjansson.so:devel/jansson \ - libpcre.so:devel/pcre \ - libnet.so:net/libnet \ liblz4.so:archivers/liblz4 \ + libnet.so:net/libnet \ + libpcre.so:devel/pcre \ libyaml.so:textproc/libyaml -USES= autoreconf cpe gmake iconv:translit libtool localbase \ - pathfix pkgconfig +USES= autoreconf cpe gmake iconv:translit libtool localbase pathfix \ + pkgconfig CPE_VENDOR= openinfosecfoundation USE_LDCONFIG= yes USE_RC_SUBR= ${PORTNAME} -GNU_CONFIGURE= yes -CONFIGURE_ARGS+=--enable-gccprotect \ - --enable-bundled-htp \ - --disable-gccmarch-native -MAKE_ENV= RUSTFLAGS="${RUSTFLAGS} -C linker=${CC:Q} ${LDFLAGS:C/.+/-C link-arg=&/}" +GNU_CONFIGURE= yes +CONFIGURE_ARGS+= --disable-gccmarch-native \ + --enable-bundled-htp \ + --enable-gccprotect +MAKE_ENV= RUSTFLAGS="${RUSTFLAGS} -C linker=${CC:Q} ${LDFLAGS:C/.+/-C link-arg=&/}" -INSTALL_TARGET= install-strip -TEST_TARGET= check +INSTALL_TARGET= install-strip +TEST_TARGET= check CONFLICTS_INSTALL= libhtp SUB_FILES= pkg-message PLIST_SUB= PORTVERSION=${DISTVERSION:C/-/_/g} -OPTIONS_DEFINE= GEOIP IPFW NETMAP NSS PORTS_PCAP PRELUDE \ - PYTHON REDIS TESTS +OPTIONS_DEFINE= GEOIP IPFW NETMAP NSS PORTS_PCAP PRELUDE PYTHON REDIS \ + TESTS OPTIONS_DEFINE_amd64= HYPERSCAN OPTIONS_DEFAULT= IPFW NETMAP PYTHON OPTIONS_RADIO= SCRIPTS OPTIONS_RADIO_SCRIPTS= LUA LUAJIT -OPTIONS_SUB= yes +OPTIONS_SUB= yes -PRELUDE_BROKEN= Compilation broken, see https://redmine.openinfosecfoundation.org/issues/4065 +PRELUDE_BROKEN= Compilation broken, see https://redmine.openinfosecfoundation.org/issues/4065 GEOIP_DESC= GeoIP support HYPERSCAN_DESC= Hyperscan support 
@@ -65,32 +64,33 @@ SCRIPTS_DESC= Scripting TESTS_DESC= Unit tests in suricata binary -GEOIP_LIB_DEPENDS= libmaxminddb.so:net/libmaxminddb -GEOIP_CONFIGURE_ON= --enable-geoip +GEOIP_LIB_DEPENDS= libmaxminddb.so:net/libmaxminddb +GEOIP_CONFIGURE_ON= --enable-geoip -HYPERSCAN_LIB_DEPENDS= libhs.so:devel/hyperscan +HYPERSCAN_LIB_DEPENDS= libhs.so:devel/hyperscan -IPFW_CONFIGURE_ON= --enable-ipfw +IPFW_CONFIGURE_ON= --enable-ipfw -LUAJIT_LIB_DEPENDS= libluajit-5.1.so:lang/luajit-openresty -LUAJIT_CONFIGURE_ON= --enable-luajit +LUAJIT_LIB_DEPENDS= libluajit-5.1.so:lang/luajit-openresty +LUAJIT_CONFIGURE_ON= --enable-luajit -LUA_USES= lua:51 -LUA_CONFIGURE_ON= --enable-lua +LUA_USES= lua:51 +LUA_CONFIGURE_ON= --enable-lua NETMAP_CONFIGURE_ENABLE= netmap -NSS_LIB_DEPENDS= libnss3.so:security/nss \ - libnspr4.so:devel/nspr -NSS_CONFIGURE_OFF= --disable-nss --disable-nspr +NSS_LIB_DEPENDS= libnspr4.so:devel/nspr \ + libnss3.so:security/nss +NSS_CONFIGURE_OFF= --disable-nspr \ + --disable-nss -PORTS_PCAP_LIB_DEPENDS= libpcap.so.1:net/libpcap +PORTS_PCAP_LIB_DEPENDS= libpcap.so.1:net/libpcap -PRELUDE_LIB_DEPENDS= libprelude.so:security/libprelude \ +PRELUDE_LIB_DEPENDS= libgcrypt.so:security/libgcrypt \ libgnutls.so:security/gnutls \ - libgcrypt.so:security/libgcrypt \ libgpg-error.so:security/libgpg-error \ - libltdl.so:devel/libltdl + libltdl.so:devel/libltdl \ + libprelude.so:security/libprelude PRELUDE_CONFIGURE_ON= --with-libprelude-prefix=${LOCALBASE} PRELUDE_CONFIGURE_ENABLE= prelude 
@@ -100,11 +100,10 @@ PYTHON_USE= PYTHON=py3kplist PYTHON_CONFIGURE_ENABLE= python -REDIS_LIB_DEPENDS= libhiredis.so:databases/hiredis \ - libevent_pthreads.so:devel/libevent -REDIS_CONFIGURE_ON= --enable-hiredis \ - -TESTS_CONFIGURE_ENABLE= unittests +REDIS_LIB_DEPENDS= libevent_pthreads.so:devel/libevent \ + libhiredis.so:databases/hiredis +REDIS_CONFIGURE_ON= --enable-hiredis +TESTS_CONFIGURE_ENABLE= unittests pre-patch: @${CP} ${FILESDIR}/ax_check_compile_flag.m4 ${WRKSRC}/m4 Index: security/suricata/distinfo =================================================================== --- security/suricata/distinfo +++ security/suricata/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1628041281 -SHA256 (suricata-6.0.3.tar.gz) = daf134bb2d7c980035e9ae60f7aaf313323a809340009f26e48110ccde81f602 -SIZE (suricata-6.0.3.tar.gz) = 32421197 +TIMESTAMP = 1637246038 +SHA256 (suricata-6.0.4.tar.gz) = a8f197e33d1678689ebbf7bc1abe84934c465d22c504c47c2c7e9b74aa042d0d +SIZE (suricata-6.0.4.tar.gz) = 32498036 Index: security/suricata/files/patch-3c53a1601 =================================================================== --- security/suricata/files/patch-3c53a1601 +++ /dev/null 
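Review bot: `TESTS_CONFIGURE_ENABLE` now sits directly under `REDIS_CONFIGURE_ON` on the new side of the Makefile hunk at -100,11 +100,10. The old empty separator is removed (the bare `-` line) and no `+` empty line replaces it, which matches the 11-to-10 line count in the hunk header. Dropping the dangling `\` after `--enable-hiredis` is the right fix, since that continuation previously ran into an empty line. The REDIS and TESTS option helpers now read as a single group, though; I would keep one empty line between the `REDIS_CONFIGURE_ON` assignment and the `TESTS_CONFIGURE_ENABLE` assignment. Whitespace is collapsed in this rendering, so please confirm against the raw patch.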
@@ -1,78 +0,0 @@
-From 3c53a1601b6f861f8b7f0cd0984b18e78291fe85 Mon Sep 17 00:00:00 2001
-From: Victor Julien
-Date: Wed, 18 Aug 2021 20:14:48 +0200
-Subject: [PATCH] threading: don't pass locked flow between threads
-
-Previously the flow manager would share evicted flows with the workers
-while keeping the flows mutex locked. This reduced the number of unlock/
-lock cycles while there was guaranteed to be no contention.
-
-This turns out to be undefined behavior. A lock is supposed to be locked
-and unlocked from the same thread. It appears that FreeBSD is stricter on
-this than Linux.
-
-This patch addresses the issue by unlocking before handing a flow off
-to another thread, and locking again from the new thread.
-
-Issue was reported and largely analyzed by Bill Meeks.
-
-Bug: #4478
-(cherry picked from commit 9551cd05357925e8bec8e0030d5f98fd07f17839)
----
- src/flow-hash.c | 1 +
- src/flow-manager.c | 2 +-
- src/flow-timeout.c | 1 +
- src/flow-worker.c | 1 +
- 4 files changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/src/flow-hash.c b/src/flow-hash.c
-index ebbd836e81a..760bc53e0a8 100644
---- src/flow-hash.c
-+++ src/flow-hash.c
-@@ -669,6 +669,7 @@ static inline void MoveToWorkQueue(ThreadVars *tv, FlowLookupStruct *fls,
- f->fb = NULL;
- f->next = NULL;
- FlowQueuePrivateAppendFlow(&fls->work_queue, f);
-+ FLOWLOCK_UNLOCK(f);
- } else {
- /* implied: TCP but our thread does not own it. So set it
- * aside for the Flow Manager to pick it up. */
-diff --git a/src/flow-manager.c b/src/flow-manager.c
-index d58a49637d6..9228c88490c 100644
---- src/flow-manager.c
-+++ src/flow-manager.c
-@@ -333,9 +333,9 @@ static uint32_t ProcessAsideQueue(FlowManagerTimeoutThread *td, FlowTimeoutCount
- FlowForceReassemblyNeedReassembly(f) == 1)
- {
- FlowForceReassemblyForFlow(f);
-+ FLOWLOCK_UNLOCK(f);
- /* flow ownership is passed to the worker thread */
-
-- /* flow remains locked */
- counters->flows_aside_needs_work++;
- continue;
- }
-diff --git a/src/flow-timeout.c b/src/flow-timeout.c
-index 972b35076bd..d6cca490087 100644
---- src/flow-timeout.c
-+++ src/flow-timeout.c
-@@ -401,6 +401,7 @@ static inline void FlowForceReassemblyForHash(void)
- RemoveFromHash(f, prev_f);
- f->flow_end_flags |= FLOW_END_FLAG_SHUTDOWN;
- FlowForceReassemblyForFlow(f);
-+ FLOWLOCK_UNLOCK(f);
- f = next_f;
- continue;
- }
-diff --git a/src/flow-worker.c b/src/flow-worker.c
-index 69dbb6ac575..dccf3581dd5 100644
---- src/flow-worker.c
-+++ src/flow-worker.c
-@@ -168,6 +168,7 @@ static void CheckWorkQueue(ThreadVars *tv, FlowWorkerThreadData *fw,
- {
- Flow *f;
- while ((f = FlowQueuePrivateGetFromTop(fq)) != NULL) {
-+ FLOWLOCK_WRLOCK(f);
- f->flow_end_flags |= FLOW_END_FLAG_TIMEOUT; //TODO emerg
-
- const FlowStateType state = f->flow_state;
Index: security/suricata/files/patch-powerpc
===================================================================
--- security/suricata/files/patch-powerpc
+++ /dev/null
@@ -1,62 +0,0 @@
---- rust/vendor/libc/src/unix/bsd/freebsdlike/freebsd/mod.rs.orig 2020-03-17 20:35:43 UTC
-+++ rust/vendor/libc/src/unix/bsd/freebsdlike/freebsd/mod.rs
-@@ -1486,6 +1486,9 @@ cfg_if! {
- } else if #[cfg(target_arch = "powerpc64")] {
- mod powerpc64;
- pub use self::powerpc64::*;
-+ } else if #[cfg(target_arch = "powerpc")] {
-+ mod powerpc;
-+ pub use self::powerpc::*;
- } else {
- // Unknown target_arch
- }
---- rust/vendor/libc/src/unix/bsd/freebsdlike/freebsd/powerpc.rs.orig 2021-06-23 22:40:24 UTC
-+++ rust/vendor/libc/src/unix/bsd/freebsdlike/freebsd/powerpc.rs
-@@ -0,0 +1,47 @@
-+pub type c_char = u8;
-+pub type c_long = i32;
-+pub type c_ulong = u32;
-+pub type wchar_t = i32;
-+pub type time_t = i64;
-+pub type suseconds_t = i32;
-+pub type register_t = i32;
-+
-+s! {
-+ pub struct stat {
-+ pub st_dev: ::dev_t,
-+ pub st_ino: ::ino_t,
-+ pub st_mode: ::mode_t,
-+ pub st_nlink: ::nlink_t,
-+ pub st_uid: ::uid_t,
-+ pub st_gid: ::gid_t,
-+ pub st_rdev: ::dev_t,
-+ pub st_atime: ::time_t,
-+ pub st_atime_nsec: ::c_long,
-+ pub st_mtime: ::time_t,
-+ pub st_mtime_nsec: ::c_long,
-+ pub st_ctime: ::time_t,
-+ pub st_ctime_nsec: ::c_long,
-+ pub st_size: ::off_t,
-+ pub st_blocks: ::blkcnt_t,
-+ pub st_blksize: ::blksize_t,
-+ pub st_flags: ::fflags_t,
-+ pub st_gen: u32,
-+ pub st_lspare: i32,
-+ pub st_birthtime: ::time_t,
-+ pub st_birthtime_nsec: ::c_long,
-+ }
-+}
-+
-+// should be pub(crate), but that requires Rust 1.18.0
-+cfg_if! {
-+ if #[cfg(libc_const_size_of)] {
-+ #[doc(hidden)]
-+ pub const _ALIGNBYTES: usize = ::mem::size_of::<::c_int>() - 1;
-+ } else {
-+ #[doc(hidden)]
-+ pub const _ALIGNBYTES: usize = 4 - 1;
-+ }
-+}
-+
-+pub const MAP_32BIT: ::c_int = 0x00080000;
-+pub const MINSIGSTKSZ: ::size_t = 2048; // 512 * 4
Index: security/suricata/pkg-plist
===================================================================
--- security/suricata/pkg-plist
+++ security/suricata/pkg-plist
@@ -136,7 +136,7 @@
 %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/util.pyc
 %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/version.py
 %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata/update/version.pyc
-%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata_update-1.2.2-py%%PYTHON_VER%%.egg-info
+%%PYTHON%%%%PYTHON_SITELIBDIR%%/suricata_update-1.2.3-py%%PYTHON_VER%%.egg-info
 %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricatasc/__init__.py
 %%PYTHON%%%%PYTHON_SITELIBDIR%%/suricatasc/__init__.pyc
 %%DATADIR%%/rules/app-layer-events.rules
@@ -146,9 +146,11 @@
 %%DATADIR%%/rules/dns-events.rules
 %%DATADIR%%/rules/files.rules
 %%DATADIR%%/rules/http-events.rules
+%%DATADIR%%/rules/http2-events.rules
 %%DATADIR%%/rules/ipsec-events.rules
 %%DATADIR%%/rules/kerberos-events.rules
 %%DATADIR%%/rules/modbus-events.rules
+%%DATADIR%%/rules/mqtt-events.rules
 %%DATADIR%%/rules/nfs-events.rules
 %%DATADIR%%/rules/ntp-events.rules
 %%DATADIR%%/rules/smb-events.rules