Bug 1493520 - bro-2.5.3 is available
Summary: bro-2.5.3 is available
Keywords:
Status: ON_QA
Alias: None
Product: Fedora
Classification: Fedora
Component: bro
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Fabian Affolter
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-09-20 12:00 UTC by Upstream Release Monitoring
Modified: 2019-07-31 22:38 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed:



Description Upstream Release Monitoring 2017-09-20 12:00:43 UTC
Latest upstream release: 2.5.1
Current version/release in rawhide: 2.4.1-3.fc25
URL: http://www.bro.org/downloads/

Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy

More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring

Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream.

Based on the information from anitya:  https://release-monitoring.org/project/221/

Comment 1 Upstream Release Monitoring 2017-09-20 12:00:51 UTC
One or more of the specfile's Sources is not a valid URL so we cannot automatically build the new version for you. Please use a URL in your Source declarations if possible.

Comment 2 Upstream Release Monitoring 2017-10-18 00:11:11 UTC
Latest upstream release: 2.5.2
Current version/release in rawhide: 2.4.1-3.fc25
URL: http://www.bro.org/downloads/

Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy

More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring

Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream.

Based on the information from anitya:  https://release-monitoring.org/project/221/

Comment 3 Upstream Release Monitoring 2017-10-18 00:11:16 UTC
One or more of the specfile's Sources is not a valid URL so we cannot automatically build the new version for you. Please use a URL in your Source declarations if possible.

Comment 4 Derek Ditch 2017-11-07 14:49:03 UTC
Fabian, I'd be happy to help you maintain this package. I am one of the core developers of RockNSM (http://rocknsm.io) and currently we package bro ourselves to maintain updates and package according to how the tool is used.

I filed a bug here: https://bugzilla.redhat.com/show_bug.cgi?id=1510261

To be clear: 2.5.2 is a security patch. All systems running something less are vulnerable to a remote exploit that will crash bro processes. I'm not sure there was a CVE assigned, however.

Release notes: https://www.bro.org/sphinx/install/release-notes.html#bro-2-5-2

My latest build is here: https://copr.fedorainfracloud.org/coprs/g/rocknsm/rocknsm-2.1/build/658633/

I took the existing SPEC from Fedora and modified from there. If it works for you, you can just take my work and publish.

Comment 5 Derek Ditch 2017-11-14 04:27:52 UTC
This package is now 3 releases behind AND contains a remote exploit. If Fabian is no longer interested in maintaining this, can we accept my proposed solution to push a newer release that fixes the security issue?

Comment 6 Jason Taylor 2017-11-14 13:06:49 UTC
Thanks Derek for the report. Have you tried sending an email to Fabian directly? Sometimes the BZ emails get filtered by maintainers.

I will get an email sent as well to all the maintainers (I can't remember the package owners alias format at the moment otherwise I would give you that) with you included to see if anyone is working on the updates.

If no one is working on the updates, I will take a look at what you have and see about pushing an update.

Thanks again

JT

Comment 7 Upstream Release Monitoring 2018-02-15 00:10:19 UTC
Latest upstream release: 2.5.3
Current version/release in rawhide: 2.4.1-3.fc25
URL: http://www.bro.org/downloads/

Please consult the package updates policy before you issue an update to a stable branch: https://fedoraproject.org/wiki/Updates_Policy

More information about the service that created this bug can be found at: https://fedoraproject.org/wiki/Upstream_release_monitoring

Please keep in mind that with any upstream change, there may also be packaging changes that need to be made. Specifically, please remember that it is your responsibility to review the new version to ensure that the licensing is still correct and that no non-free or legally problematic items have been added upstream.

Based on the information from anitya:  https://release-monitoring.org/project/221/

Comment 8 Derek Ditch 2018-02-16 03:24:30 UTC
I've continued to maintain a package outside of Fedora and EPEL. No one answers the emails to move this support forward. 2.5.3 is yet another security patch, and Fedora is two security patches behind.

I maintain my own package fork here: https://github.com/rocknsm/rpms/tree/master/bro

And I build on COPR here: https://copr.fedorainfracloud.org/coprs/g/rocknsm/rocknsm-2.1/package/bro/

I'm not currently a Fedora maintainer, there may be some SPEC file idioms that are better practice, and I'm happy to tweak where necessary. I do however maintain a popular open source network security monitoring platform that runs on EPEL7, so I have to keep these packages up to date for my own community.

Comment 9 Fedora Update System 2018-02-16 14:39:19 UTC
bro-2.5.3-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1ec1cd6db3

Comment 10 Fedora Update System 2018-02-16 15:32:42 UTC
bro-2.5.3-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-db5041e661

Comment 11 Fedora Update System 2018-02-16 16:28:53 UTC
bro-2.5.3-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1ec1cd6db3

Comment 12 Fedora Update System 2018-02-17 22:41:54 UTC
bro-2.5.3-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-db5041e661

Comment 13 Anthony Coddington 2018-02-27 00:00:18 UTC
Why does the configure step include --enable-debug?

This looks like it will disable compile time optimization. From a cursory look it appears bro is compiled in RelWithDebugInfo without this option which should be sufficient for debug symbols.

Comment 14 Anthony Coddington 2018-02-28 01:14:49 UTC
Will the updated bro.service file from the rocknsm repo also be included in this version? It looks like the spec file intends for bro to be run as the bro user but 2.5.3-1 is using the old service file.

diff --git a/bro.service b/rocknsm-rpms/bro/bro.service
index 9fda054..b3ac19f 100644
--- a/bro.service
+++ b/rocknsm-rpms/bro/bro.service
@@ -4,8 +4,11 @@ After=network.target

 [Service]
 Type=forking
-Environment=HOME=/
-ExecStart=/usr/bin/broctl start
+User=bro
+Group=bro
+Environment=HOME=/var/spool/bro
+ExecStart=/usr/bin/broctl deploy
+ExecStop=/usr/bin/broctl stop

 [Install]
 WantedBy=multi-user.target
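Review bot: dropping to `User=bro` / `Group=bro` is the right direction, but the hunk grants the service no capabilities, so an unprivileged bro cannot open a capture interface for live traffic unless the packaging sets file capabilities on the binary elsewhere; either confirm that, or add `AmbientCapabilities=CAP_NET_RAW CAP_NET_ADMIN` next to the `User=` line so the unit is self-describing. The new `Environment=HOME=/var/spool/bro` also needs that directory to exist and be owned by the bro user at install time (a `%post`/tmpfiles concern, not visible here), otherwise broctl will fail on first start. Finally, `ExecStart=/usr/bin/broctl deploy` regenerates and reinstalls the configuration on every boot, which is heavier than `start` and will silently apply any half-edited node.cfg; with `Type=forking`, `start` is the more conservative choice, with `deploy` left to the administrator after a config change.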

I am unsure whether broctl deploy or start is the appropriate command to run here.

I also notice that the patches are not yet checked in to Pagure.

Comment 15 Anthony Coddington 2018-03-02 06:08:49 UTC
Submitted some other feedback under https://bodhi.fedoraproject.org/updates/FEDORA-2018-1ec1cd6db3 after realizing that is probably a better place, accidentally as anonymous. Some of the issues also exist in the rocknsm version of the spec file.

