| Summary: | suricata new security issue(s) fixed upstream in 4.1.9 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, guillomovitch, herman.viaene, ouaurelien, sysadmin-bugs |
| Version: | 7 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7-64-OK | ||
| Source RPM: | suricata-4.1.8-1.mga7.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2020-10-27 22:35:33 CET
David Walser
2020-10-27 22:35:48 CET
Whiteboard:
(none) =>
MGA7TOO

Fedora advisory for 4.1.9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FYLTN7DLE6ZVG4MKF6XJXNS4R3FH2RJB/

cauldron now has version 6.0.0, and I just pushed version 4.1.9 in mageia 7 update_testing section.

Advisory:
========================

Updated suricata packages fix security vulnerabilities:

The suricata package has been updated to version 4.1.9, which fixes security issues and other bugs. See the upstream announcements for details.

References:
https://suricata-ids.org/2020/10/08/suricata-4-1-9-and-5-0-4-released/
========================

Updated packages in core/updates_testing:
========================
suricata-4.1.9-1.mga7
libhtp2-4.1.9-1.mga7
libhtp-devel-4.1.9-1.mga7

from suricata-4.1.9-1.mga7.src.rpm

Version:
Cauldron =>
7

MGA7-64 MATE on Peaq C1011
No installation issues
Ref bugs 26602 and 25956 for testing
First updated /etc/suricata/suricata.yaml and changed all interface statements from eth0 to wlan0 (wifi interface of this laptop).
Command suricata-update produced a success setting up
Then
# systemctl start suricata
# systemctl -l status suricata
● suricata.service - Suricata Intrusion Detection Service
Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Tue 2020-11-03 11:11:09 CET; 6s ago
Process: 14688 ExecStart=/sbin/suricata -c /etc/suricata/suricata.yaml $OPTIONS (code=exited, status=1/FAILURE)
Main PID: 14688 (code=exited, status=1/FAILURE)
Nov 03 11:11:09 mach6.hviaene.thuis suricata[14688]: 3/11/2020 -- 11:11:09 - <Error> - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Problem with config file
Nov 03 11:11:09 mach6.hviaene.thuis suricata[14688]: 3/11/2020 -- 11:11:09 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/suricata.rules
Nov 03 11:11:09 mach6.hviaene.thuis suricata[14688]: 3/11/2020 -- 11:11:09 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
Nov 03 11:11:09 mach6.hviaene.thuis suricata[14688]: 3/11/2020 -- 11:11:09 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Unable to find type for iface "eth0": No such device
Nov 03 11:11:09 mach6.hviaene.thuis suricata[14688]: 3/11/2020 -- 11:11:09 - <Notice> - all 4 packet processing threads, 4 management threads initialized, engine started.
Nov 03 11:11:09 mach6.hviaene.thuis suricata[14688]: 3/11/2020 -- 11:11:09 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Unable to find iface eth0: No such device
Nov 03 11:11:09 mach6.hviaene.thuis suricata[14688]: 3/11/2020 -- 11:11:09 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
Nov 03 11:11:09 mach6.hviaene.thuis suricata[14688]: 3/11/2020 -- 11:11:09 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - thread W#01-eth0 failed
Nov 03 11:11:09 mach6.hviaene.thuis systemd[1]: suricata.service: Main process exited, code=exited, status=1/FAILURE
Nov 03 11:11:09 mach6.hviaene.thuis systemd[1]: suricata.service: Failed with result 'exit-code'.
# tail /var/log/suricata/suricata.log
3/11/2020 -- 11:11:09 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get MTU via ioctl for 'eth0': No such device (19)
3/11/2020 -- 11:11:09 - <Warning> - [ERRCODE: SC_ERR_SYSCALL(50)] - Failure when trying to get MTU via ioctl for 'eth0': No such device (19)
3/11/2020 -- 11:11:09 - <Error> - [ERRCODE: SC_ERR_INVALID_VALUE(130)] - Problem with config file
3/11/2020 -- 11:11:09 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/suricata.rules
3/11/2020 -- 11:11:09 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
3/11/2020 -- 11:11:09 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Unable to find type for iface "eth0": No such device
3/11/2020 -- 11:11:09 - <Notice> - all 4 packet processing threads, 4 management threads initialized, engine started.
3/11/2020 -- 11:11:09 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Unable to find iface eth0: No such device
3/11/2020 -- 11:11:09 - <Error> - [ERRCODE: SC_ERR_AFP_CREATE(190)] - Couldn't init AF_PACKET socket, fatal error
3/11/2020 -- 11:11:09 - <Error> - [ERRCODE: SC_ERR_FATAL(171)] - thread W#01-eth0 failed
Searched /etc/suricata/ in vain where it could still pick up that eth0.
Finally used the content searching of dolphin in /etc, and found the /etc/sysconfig/suricata file which had the eth0 interface. Changed that one to wlan0 and then
# systemctl start suricata
# systemctl -l status suricata
● suricata.service - Suricata Intrusion Detection Service
Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2020-11-03 11:21:23 CET; 5s ago
Main PID: 15321 (Suricata-Main)
Tasks: 10 (limit: 2288)
Memory: 46.1M
CGroup: /system.slice/suricata.service
└─15321 /sbin/suricata -c /etc/suricata/suricata.yaml -i wlan0 --user suricata
Nov 03 11:21:23 mach6.hviaene.thuis systemd[1]: Started Suricata Intrusion Detection Service.
Nov 03 11:21:23 mach6.hviaene.thuis suricata[15321]: 3/11/2020 -- 11:21:23 - <Notice> - This is Suricata version 4.1.9 RELEASE
Nov 03 11:21:24 mach6.hviaene.thuis suricata[15321]: 3/11/2020 -- 11:21:24 - <Warning> - [ERRCODE: SC_ERR_NO_RULES(42)] - No rule files match the pattern /var/lib/suricata/rules/suricata.rules
Nov 03 11:21:24 mach6.hviaene.thuis suricata[15321]: 3/11/2020 -- 11:21:24 - <Warning> - [ERRCODE: SC_ERR_NO_RULES_LOADED(43)] - 1 rule files specified, but no rule was loaded at all!
Nov 03 11:21:24 mach6.hviaene.thuis suricata[15321]: 3/11/2020 -- 11:21:24 - <Notice> - all 4 packet processing threads, 4 management threads initialized, engine started.
ps aux | grep suricata
suricata 15321 2.7 3.2 673728 64900 ? Ssl 11:21 0:31 /sbin/suricata -c /etc/suricata/suricata.yaml -i wlan0 --user suricata
root 16156 0.0 0.0 178008 812 pts/1 S+ 11:40 0:00 grep --color suricata
That's the end for me as far as I understand this. OK'ing unless someone has objections.

Whiteboard:
(none) =>
MGA7-64-OK
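
The failed start in the comment above came from an eth0 reference left in /etc/sysconfig/suricata after suricata.yaml had been edited. The following is an added example, not part of the original comments or of the Mageia package: a pre-start check that lists interface names referenced in both files that have no matching device. The function names, the assumed `interface: NAME` and `-i NAME` line formats, and the optional sysfs directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report interface names that Suricata's config files refer to
# but that do not exist on this host (the stale eth0 in the report above).
# Assumed formats: "interface: NAME" entries in suricata.yaml and "-i NAME"
# on an uncommented line of the sysconfig file read by the service unit.

# referenced_ifaces YAML SYSCONFIG -> one referenced name per line, de-duplicated
referenced_ifaces() {
    {
        if [ -r "$1" ]; then
            # matches "interface: eth0" and "- interface: eth0", not "# ..." lines
            sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*interface:[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1"
        fi
        if [ -r "$2" ]; then
            grep -v '^[[:space:]]*#' "$2" |
                grep -o -- '-i[[:space:]]\{1,\}[A-Za-z0-9_.:-]\{1,\}' |
                awk '{ print $2 }'
        fi
    } | tr -d "\"'" | grep -v -e '^default$' -e '^$' | sort -u
}

# missing_ifaces YAML SYSCONFIG [NETDIR] -> referenced names with no device entry
# NETDIR defaults to /sys/class/net; it is a parameter so the check can be tested.
missing_ifaces() {
    netdir=${3:-/sys/class/net}
    referenced_ifaces "$1" "$2" | while read -r name; do
        [ -e "$netdir/$name" ] || printf '%s\n' "$name"
    done
}

# Stand-alone run against the two paths named in the comment above.
if [ -r /etc/suricata/suricata.yaml ]; then
    missing_ifaces /etc/suricata/suricata.yaml /etc/sysconfig/suricata
fi
```
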
Thomas Andrews
2020-11-05 20:59:49 CET
Keywords:
(none) =>
validated_update
Aurelien Oudelet
2020-11-05 22:23:39 CET
Keywords:
(none) =>
advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0401.html

Status:
NEW =>
RESOLVED