security/zeek: Update to 4.0.4
https://github.com/zeek/zeek/releases/tag/v4.0.4
This release fixes two vulnerabilities:
- Paths from log stream make it into system() unchecked, potentially leading to commands being run on the system unintentionally. This requires either bad scripting or a malicious package to be installed, and is considered low severity.
- Fix potential unbounded state growth in the PIA analyzer when receiving a connection with either a large number of zero-length packets, or one which continues ack-ing unseen segments. It is possible to run Zeek out of memory in these instances and cause it to crash. Due to the possibility of this happening with packets received from the network, this is a potential DoS vulnerability.
Other fixes:
- The highwayhash submodule was updated to fix a build failure on FreeBSD 14.
- Packet sources that don't have a selectable file descriptor could potentially prevent the network time from ever updating, which would have adverse effects on the primary run loop such as preventing timers from executing.
- Specific conditions in the run loop could lead RotationTimers to get into an infinite loop.
- Specially crafted HTTP packets could avoid the HTTP analyzer.
- Zeekctl crashes using the zeekctl status command if the StatusCmdShowAll option is set to 1 in zeekctl.cfg.
- The ignore_checksum_nets option does not work correctly if configured with multiple subnets.
Reported by: Tim Wojtulewicz
Security: d4d21998-bdc4-4a09-9849-2898d9b41459