Bug 1493520
Summary: | bro-2.5.3 is available | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Upstream Release Monitoring <upstream-release-monitoring> |
Component: | bro | Assignee: | Fabian Affolter <mail> |
Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | rawhide | CC: | anthony.coddington, derek, mail |
Target Milestone: | --- | Keywords: | FutureFeature, Triaged |
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Enhancement | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2021-08-25 20:09:10 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Upstream Release Monitoring
2017-09-20 12:00:43 UTC
One or more of the specfile's Sources is not a valid URL so we cannot automatically build the new version for you. Please use a URL in your Source declarations if possible. Latest upstream release: 2.5.2 Current version/release in rawhide: 2.4.1-3.fc25 URL: http://www.bro.org/downloads/ Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/221/ One or more of the specfile's Sources is not a valid URL so we cannot automatically build the new version for you. Please use a URL in your Source declarations if possible. Fabian, I'd be happy to help you maintain this package. I am one of the core developers of RockNSM (http://rocknsm.io) and currently we package bro ourselves to maintain updates and package according to how the tool is used. I filed a bug here: https://bugzilla.redhat.com/show_bug.cgi?id=1510261 To be clear: 2.5.2 is a security patch. All systems running something less are vulnerable to a remote exploit that will crash bro processes. I'm not sure there was a CVE assigned, however. Release notes: https://www.bro.org/sphinx/install/release-notes.html#bro-2-5-2 My latest build is here: https://copr.fedorainfracloud.org/coprs/g/rocknsm/rocknsm-2.1/build/658633/ I took the existing SPEC from Fedora and modified from there. If it works for you, you can just take my work and publish. This package is now 3 releases behind AND contains a remote exploit. If Fabian is no longer interested in maintaining this, can we accept my proposed solution to push a newer release that fixes the security issue? Thanks Derek for the report. Have you tried sending an email to Fabian directly? Sometimes the BZ emails get filtered by maintainers. I will get an email sent as well to all the maintainers (I can't remember the package owners alias format at the moment otherwise I would give you that) with you included to see if anyone is working on the updates. If no one is working on the updates, I will take a look at what you have and see about pushing an update. Thanks again JT Latest upstream release: 2.5.3 Current version/release in rawhide: 2.4.1-3.fc25 URL: http://www.bro.org/downloads/ Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream. Based on the information from anitya: https://release-monitoring.org/project/221/ I've continued to maintain a package outside of Fedora and EPEL. No one answers the emails to move this support forward. 2.5.3 is yet another security patch, and Fedora is two security patches behind. I maintain my own package fork here: https://github.com/rocknsm/rpms/tree/master/bro And I build on COPR here: https://copr.fedorainfracloud.org/coprs/g/rocknsm/rocknsm-2.1/package/bro/ I'm not currently a Fedora maintainer, there may be some SPEC file idioms that are better practice, and I'm happy to tweak where necessary. I do however maintain a popular open source network security monitoring platform that runs on EPEL7, so I have to keep these packages up to date for my own community. bro-2.5.3-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1ec1cd6db3 bro-2.5.3-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-db5041e661 bro-2.5.3-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1ec1cd6db3 bro-2.5.3-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-db5041e661 Why does the configure step include --enable-debug? This looks like it will disable compile time optimization. From a cursory look it appears bro is compiled in RelWithDebugInfo without this option which should be sufficient for debug symbols. Will the updated bro.service file from the rocknsm repo also be included in this version? It looks like the spec file intends for bro to be run as the bro user but 2.5.3-1 is using the old service file. diff --git a/bro.service b/rocknsm-rpms/bro/bro.service index 9fda054..b3ac19f 100644 --- a/bro.service +++ b/rocknsm-rpms/bro/bro.service @@ -4,8 +4,11 @@ After=network.target [Service] Type=forking -Environment=HOME=/ -ExecStart=/usr/bin/broctl start +User=bro +Group=bro +Environment=HOME=/var/spool/bro +ExecStart=/usr/bin/broctl deploy +ExecStop=/usr/bin/broctl stop [Install] WantedBy=multi-user.target I am unsure whether broctl deploy or start is the appropriate command to run here. I also notice that the patches are not yet checked in to Pagure. Submitted some other feedback under https://bodhi.fedoraproject.org/updates/FEDORA-2018-1ec1cd6db3 after realizing that is probably a better place, accidentally as anonymous. Some of the issues also exist in the rocknsm version of the spec file. bro was retired. |