snort: CVE-2006-6931 - "Backtracking Algorithmic Complexity" DoS against IDS engine

Debian Bug report logs - #407421
snort: CVE-2006-6931 - "Backtracking Algorithmic Complexity" DoS against IDS engine

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Javier Fernández-Sanguino Peña <jfs@computer.org>

To: submit@bugs.debian.org

Cc: team@security.debian.org

Subject: snort: CVE-2006-6931 - "Backtracking Algorithmic Complexity" DoS against IDS engine

Date: Thu, 18 Jan 2007 11:19:33 +0100

[Message part 1 (text/plain, inline)]

Package: snort
Version: 2.3.3-11
Severity: important
Tags: security sarge testing sid

A vulnerability has been recently published that affects Snort which is based
on the "Backtracking Algorithmic Complexity Attacks Against a NIDS"
written by Randy Smith, Cristian Estan, and Somesh Jha

This vulnerability is described in the above paper and at Bugtraq's 
security database (BID-21991) and affects any Snort version prior to 2.6.1
(including 2.3.2-3 in stable and 2.3.3-11 in unstable).  CVE reference
is CVE-2006-6931

Since this is a DoS I'm not putting it in a 'serious' severity or higher. I
still have to review the CVS to backport a patch for 2.3.3 and 2.3.2 (if the
Security Team believes a DSA is in order)

Regards

Javier

[1] http://www.cs.wisc.edu/~smithr/pubs/acsac2006.pdf
[2] http://www.securityfocus.com/bid/21991

[signature.asc (application/pgp-signature, inline)]

Message #10 received at 407421@bugs.debian.org (full text, mbox, reply):

From: Touko Korpela <tkorpela@phnet.fi>

To: control@bugs.debian.org

Cc: 407421@bugs.debian.org

Subject: tagging 407421

Date: Tue, 17 Jul 2007 00:37:27 +0300

# Automatically generated email from bts, devscripts version 2.10.6
#removing tags because they bring no extra value to this issue
tags 407421 - sid sarge

Message #17 received at 407421-close@bugs.debian.org (full text, mbox, reply):

From: Javier Fernandez-Sanguino Pen~a <jfs@debian.org>

To: 407421-close@bugs.debian.org

Subject: Bug#407421: fixed in snort 2.7.0-1

Date: Wed, 01 Aug 2007 00:47:09 +0000

Source: snort
Source-Version: 2.7.0-1

We believe that the bug you reported is fixed in the latest version of
snort, which is due to be installed in the Debian FTP archive:

snort-common_2.7.0-1_all.deb
  to pool/main/s/snort/snort-common_2.7.0-1_all.deb
snort-doc_2.7.0-1_all.deb
  to pool/main/s/snort/snort-doc_2.7.0-1_all.deb
snort-mysql_2.7.0-1_i386.deb
  to pool/main/s/snort/snort-mysql_2.7.0-1_i386.deb
snort-pgsql_2.7.0-1_i386.deb
  to pool/main/s/snort/snort-pgsql_2.7.0-1_i386.deb
snort-rules-default_2.7.0-1_all.deb
  to pool/main/s/snort/snort-rules-default_2.7.0-1_all.deb
snort_2.7.0-1.diff.gz
  to pool/main/s/snort/snort_2.7.0-1.diff.gz
snort_2.7.0-1.dsc
  to pool/main/s/snort/snort_2.7.0-1.dsc
snort_2.7.0-1_i386.deb
  to pool/main/s/snort/snort_2.7.0-1_i386.deb
snort_2.7.0.orig.tar.gz
  to pool/main/s/snort/snort_2.7.0.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 407421@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Javier Fernandez-Sanguino Pen~a <jfs@debian.org> (supplier of updated snort package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 31 Jul 2007 23:35:06 +0200
Source: snort
Binary: snort-mysql snort-doc snort-rules-default snort-common snort-pgsql snort
Architecture: source i386 all
Version: 2.7.0-1
Distribution: experimental
Urgency: low
Maintainer: Javier Fernandez-Sanguino Pen~a <jfs@computer.org>
Changed-By: Javier Fernandez-Sanguino Pen~a <jfs@debian.org>
Description: 
 snort      - Flexible Network Intrusion Detection System
 snort-common - Flexible Network Intrusion Detection System [common files]
 snort-doc  - Documentation for the Snort IDS [documentation]
 snort-mysql - Flexible Network Intrusion Detection System [MySQL]
 snort-pgsql - Flexible Network Intrusion Detection System [PostgreSQL]
 snort-rules-default - Flexible Network Intrusion Detection System ruleset
Closes: 320920 320920 323985 404991 407421 435417
Changes: 
 snort (2.7.0-1) experimental; urgency=low
 .
   * New upstream release (Closes: #435417, #404991, #320920, #323985)
      - Fixes DOS attack: CVE-2006-6931 - "Backtracking Algorithmic Complexity"
        DoS against IDS engine (Closes: #407421)
   * Introduce all the rules available from the 2.4 release which are GPL and
     are non-VRT certified, that is, all rules which are outside of the range
     [3,465-1,000,000]. This amounts to a total of 3935 rules (820 of which are
     Community released).
   * In order to handle rulesets with mixed GPL and non-GPL rules two scripts
     have been made available in the source rules/ subdirectory:
         - remove-non-gpl.pl - Given a rules file removes all rules outside
           the above range
         - purge-non-gpl.sh - Given a directory dumps on the local directory
           only rules outside this range.
     In order to limit maintainer overhead the header for modified rulesets has
     not been changed.
   * Include the VRT license file. This file is kept for reference under the
     rules/ dir, although *no* rule in this package is under that non-free license.
   * Include a NEWS.Debian item describing the license change and the rules
     distributed within this package.
     not in the database packages (Closes: #320920)
   * As a consequence of the above Build-Depend on libprelude-dev, iptables-dev
   * Provide support for Prelude in both snort and snort-inline packages but
   * The examples are now included in the -common package instead of having
     them  in all the binary packages
 .
   This package provides support to make an experimental separate binary
   package for inline support: snort-inline, which most of the configuration is
   shared with the snort binary package but the PPP related options have been
   removed. However, snort-inline does not support libnet 1.1 so we cannot
   provide it yet. This has been changed in Snort's code but it's far from
   complete:
        - Make the configure script work with libnet 1.1.
        - Port parts of the API (some declarations) to 1.1
Files: 
 8174329574c9097277141cfc35b201ad 879 net optional snort_2.7.0-1.dsc
 f4f11f793599750614ee5c477744e648 3905896 net optional snort_2.7.0.orig.tar.gz
 a84310659ceafde1aefa0a6ec687d2f4 1635349 net optional snort_2.7.0-1.diff.gz
 58795440dd3978679343b5e5c5357fe8 283706 net optional snort-common_2.7.0-1_all.deb
 3ee9281053562cde687f37ddd59c0494 2280284 doc optional snort-doc_2.7.0-1_all.deb
 20405f6ec516331eb530fc0bee7663fb 395284 net optional snort-rules-default_2.7.0-1_all.deb
 1b8a9acfb08d9c71633599933097af9c 460880 net optional snort_2.7.0-1_i386.deb
 302c83ae4c447cfdd8fbf8d7d14176ad 471000 net extra snort-mysql_2.7.0-1_i386.deb
 d2294ebc16f02ede37f7fe938c0a0f4d 470814 net optional snort-pgsql_2.7.0-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGr9XxsandgtyBSwkRAjA+AJ95auhE7fFe60bb33d+T5LyoYpILACdGyhR
NhNJxLqMoMQQQxe0z3Cvs7E=
=Q/za
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.