Source: suricata
Version: 1:7.0.10-1
Severity: important
Tags: security upstream
X-Debbugs-Cc:
[email protected], Debian Security Team <
[email protected]>
Hi,
The following vulnerability was published for suricata.
CVE-2025-53538[0]:
| Suricata is a network IDS, IPS and NSM engine developed by the OISF
| (Open Information Security Foundation) and the Suricata community.
| In versions 7.0.10 and below and 8.0.0-beta1 through 8.0.0-rc1,
| mishandling of data on HTTP2 stream 0 can lead to uncontrolled
| memory usage, leading to loss of visibility. Workarounds include
| disabling the HTTP/2 parser, and using a signature like drop http2
| any any -> any any (frame:http2.hdr; byte_test:1,=,0,3;
| byte_test:4,=,0,5; sid: 1;) where the first byte test tests the
| HTTP2 frame type DATA and the second tests the stream id 0. This is
| fixed in versions 7.0.11 and 8.0.0.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0]
https://security-tracker.debian.org/tracker/CVE-2025-53538
https://www.cve.org/CVERecord?id=CVE-2025-53538
[1]
https://github.com/OISF/suricata/security/advisories/GHSA-qrr7-crgj-cmh3
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)