rpm package: opensuse/suricata (distro: openSUSE Tumbleweed)
purl: pkg:rpm/opensuse/suricata?distro=openSUSE%20Tumbleweed
Vulnerabilities (54)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-59150 | — |  |  | < 8.0.1-1.1 | 8.0.1-1.1 | Oct 1, 2025 | Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Version 8.0.0's usage of the tls.subjectaltname keyword can lead to a segmentation fault when the decoded subjectaltname contains a NULL byte. Th |
| CVE-2025-59149 | — |  |  | < 8.0.1-1.1 | 8.0.1-1.1 | Oct 1, 2025 | Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In version 8.0.0, rules using keyword ldap.responses.attribute_type (which is long) with transforms can lead to a stack buffer overflow during Su |
| CVE-2025-59148 | — |  |  | < 8.0.1-1.1 | 8.0.1-1.1 | Oct 1, 2025 | Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Versions 8.0.0 and below incorrectly handle the entropy keyword when not anchored to a "sticky" buffer, which can lead to a segmentation fault. T |
| CVE-2025-59147 | — |  |  | < 8.0.1-1.1 | 8.0.1-1.1 | Oct 1, 2025 | Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. Versions 7.0.11 and below, as well as 8.0.0, are vulnerable to detection bypass when crafted traffic sends multiple SYN packets with different se |
| CVE-2025-29918 | — |  |  | < 8.0.0-1.1 | 8.0.0-1.1 | Apr 10, 2025 | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. A PCRE rule can be written that leads to an infinite loop when negated PCRE is used. Packet processing thread becomes stuck in infinite loop limiting visibility a |
| CVE-2025-29917 | — |  |  | < 8.0.0-1.1 | 8.0.0-1.1 | Apr 10, 2025 | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. The bytes setting in the decode_base64 keyword is not properly limited. Due to this, signatures using the keyword and setting can cause large memory allocations o |
| CVE-2025-29916 | — |  |  | < 8.0.0-1.1 | 8.0.0-1.1 | Apr 10, 2025 | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Datasets declared in rules have an option to specify the `hashsize` to use. This size setting isn't properly limited, so the hash table allocation can be large. U |
| CVE-2025-29915 | — |  |  | < 8.0.0-1.1 | 8.0.0-1.1 | Apr 10, 2025 | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. The AF_PACKET defrag option is enabled by default and allows AF_PACKET to re-assemble fragmented packets before reaching Suricata. However the default packet size |
| CVE-2024-55629 | — |  |  | < 8.0.0-1.1 | 8.0.0-1.1 | Jan 6, 2025 | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, TCP streams with TCP urgent data (out of band data) can lead to Suricata analyzing data differently than the applications at the TCP endpoints, le |
| CVE-2024-55628 | — |  |  | < 8.0.0-1.1 | 8.0.0-1.1 | Jan 6, 2025 | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.8, DNS resource name compression can lead to small DNS messages containing very large hostnames which can be costly to decode, and lead to ve |
| CVE-2024-55627 | — |  |  | < 8.0.0-1.1 | 8.0.0-1.1 | Jan 6, 2025 | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, a specially crafted TCP stream can lead to a very large buffer overflow while being zero-filled during initialization with memset due to an unsign |
| CVE-2024-55626 | — |  |  | < 8.0.0-1.1 | 8.0.0-1.1 | Jan 6, 2025 | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, a large BPF filter file provided to Suricata at startup can lead to a buffer overflow at Suricata startup. The issue has been addressed in Suricat |
| CVE-2024-55605 | — |  |  | < 8.0.0-1.1 | 8.0.0-1.1 | Jan 6, 2025 | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to 7.0.8, a large input buffer to the to_lowercase, to_uppercase, strip_whitespace, compress_whitespace, dotprefix, header_lowercase, strip_pseudo_headers, |
| CVE-2024-47522 | — |  |  | < 8.0.0-1.1 | 8.0.0-1.1 | Oct 16, 2024 | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, invalid ALPN in TLS/QUIC traffic when JA4 matching/logging is enabled can lead to Suricata aborting with a panic. This issue has been addr |
| CVE-2024-47188 | — |  |  | < 8.0.0-1.1 | 8.0.0-1.1 | Oct 16, 2024 | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, missing initialization of the random seed for "thash" leads to byte-range tracking having predictable hash table behavior. This can lead t |
| CVE-2024-47187 | — |  |  | < 8.0.0-1.1 | 8.0.0-1.1 | Oct 16, 2024 | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, missing initialization of the random seed for "thash" leads to datasets having predictable hash table behavior. This can lead to dataset f |
| CVE-2024-45797 | — |  |  | < 8.0.0-1.1 | 8.0.0-1.1 | Oct 16, 2024 | LibHTP is a security-aware parser for the HTTP protocol and the related bits and pieces. Prior to version 0.5.49, unbounded processing of HTTP request and response headers can lead to excessive CPU time and memory utilization, possibly leading to extreme slowdowns. This issue is |
| CVE-2024-45796 | — |  |  | < 8.0.0-1.1 | 8.0.0-1.1 | Oct 16, 2024 | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, a logic error during fragment reassembly can lead to failed reassembly for valid traffic. An attacker could craft packets to trigger this |
| CVE-2024-45795 | — |  |  | < 8.0.0-1.1 | 8.0.0-1.1 | Oct 16, 2024 | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. Prior to version 7.0.7, rules using datasets with the non-functional / unimplemented "unset" option can trigger an assertion during traffic parsing, leading to de |
| CVE-2024-38536 | — |  |  | < 8.0.0-1.1 | 8.0.0-1.1 | Jul 11, 2024 | Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. A memory allocation failure due to `http.memcap` being reached leads to a NULL-ptr reference leading to a crash. Upgrade to 7.0.6. |
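The "Affected versions" and "Fixed in" columns are openSUSE package EVRs (version-release), so checking a host against this table means comparing RPM version strings, not plain semantic versions. The following is an added example, not code from the vulnerability tracker, from openSUSE or from the Suricata project: it re-implements rpm's segment-wise `rpmvercmp` ordering in Python (so it runs where the `rpm` Python bindings are absent), parses `[epoch:]version-release`, and lists which CVEs from the table above still apply to a given installed EVR. The `FIXED_IN` mapping is transcribed from the table; the `rpm -q --qf` query in the usage block is the stock rpm query format and the only external call.

```python
"""List CVEs from the table above that apply to an installed suricata EVR.

Added example (not code from the tracker, openSUSE or Suricata). rpmvercmp()
follows rpm's rules: separators are skipped, digit runs compare numerically,
alpha runs compare lexically, a numeric segment beats an alpha one, '~' sorts
before anything (even end of string) and '^' sorts after the base version.
"""
import subprocess
import sys

# Fixed-in package EVR -> CVEs, transcribed from the table on this page.
FIXED_IN = {
    "8.0.1-1.1": ["CVE-2025-59150", "CVE-2025-59149", "CVE-2025-59148", "CVE-2025-59147"],
    "8.0.0-1.1": ["CVE-2025-29918", "CVE-2025-29917", "CVE-2025-29916", "CVE-2025-29915",
                  "CVE-2024-55629", "CVE-2024-55628", "CVE-2024-55627", "CVE-2024-55626",
                  "CVE-2024-55605", "CVE-2024-47522", "CVE-2024-47188", "CVE-2024-47187",
                  "CVE-2024-45797", "CVE-2024-45796", "CVE-2024-45795", "CVE-2024-38536"],
}


def _is_sep(c: str) -> bool:
    return not (c.isalnum() or c in "~^")


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 as rpm's rpmvercmp() would for two version strings."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and _is_sep(a[i]):      # skip separators such as '.' or '_'
            i += 1
        while j < len(b) and _is_sep(b[j]):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if "~" in (ca, cb):                       # tilde: pre-release, lower than anything
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if "^" in (ca, cb):                       # caret: post-release, higher than base
            if not ca:
                return -1
            if not cb:
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):                       # one side exhausted
            break
        isnum = ca.isdigit()
        cls = str.isdigit if isnum else str.isalpha
        si, sj = i, j
        while i < len(a) and cls(a[i]):           # grab a purely numeric or purely alpha run
            i += 1
        while j < len(b) and cls(b[j]):
            j += 1
        sa, sb = a[si:i], b[sj:j]
        if not sb:                                # mixed types: numeric segment wins
            return 1 if isnum else -1
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):                # more significant digits wins
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1               # leftover characters win


def parse_evr(evr: str) -> tuple[int, str, str]:
    """Split '[epoch:]version[-release]'; a missing or '(none)' epoch is 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e) if e.isdigit() else 0
    if "-" in evr:
        version, release = evr.rsplit("-", 1)
    else:
        version, release = evr, ""
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def open_cves(installed: str, fixed_in: dict[str, list[str]] = FIXED_IN) -> list[str]:
    """CVEs whose fixed-in EVR is newer than the installed EVR."""
    return [cve for fixed, cves in fixed_in.items()
            if evr_cmp(installed, fixed) < 0 for cve in cves]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        evr = sys.argv[1]
    else:
        q = subprocess.run(["rpm", "-q", "--qf", "%{EPOCH}:%{VERSION}-%{RELEASE}", "suricata"],
                           capture_output=True, text=True)
        if q.returncode != 0:
            sys.exit(q.stdout.strip() or q.stderr.strip())
        evr = q.stdout.strip()
    print(f"installed {evr}: {len(open_cves(evr))} open CVE(s) from this page")
    for cve in open_cves(evr):
        print(cve)
```

Run it with no argument on the host (it queries `rpm`), or pass an EVR such as `8.0.0-1.1` to evaluate a version offline. Only the 20 entries on this page are encoded; the tracker lists 54, so the other pages would need transcribing the same way.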
Page 2 of 3