   linux.debian.bugs.dist      Ohh some weird Debian bug report thing      28,835 messages   

   Message 28,699 of 28,835   
   Andreas Dolp to All   
   Bug#1128856: trixie-pu: package suricata   
   23 Feb 26 19:40:01   
   
   XPost: linux.debian.devel.release   
   From: dev@andreas-dolp.de   
      
   This is a multi-part MIME message sent by reportbug.   
      
      
   Package: release.debian.org   
   Severity: normal   
   Tags: trixie   
   X-Debbugs-Cc: suricata@packages.debian.org, dev@andreas-dolp.de,   
   satta@debian.org   
   Control: affects -1 + src:suricata   
   User: release.debian.org@packages.debian.org   
   Usertags: pu   
      
   Dear stable release managers,   
   I'd like to hand in security patches for suricata 7.0.10-1+deb13u2   
   in Debian trixie patching all the open CVEs for suricata from   
   January 2026. In accordance with the security team, the CVEs will   
   not warrant DSAs and should be included in the next point release   
   please.   
      
   [ Reason ]   
   Security fixes for:   
   - CVE-2026-22258   
   - CVE-2026-22259   
   - CVE-2026-22261   
   - CVE-2026-22262   
   - CVE-2026-22264   
      
   [ Impact ]   
   Exploiting these CVEs can lead to reduced availability or crashes.   
      
   Here is the upstream changelog of Suricata 7.0.14 [1]:   
      
   - Security #8198: dcerpc: unbounded fragment buffering leads to   
     memory exhaustion (7.0.x backport)(CRITICAL - CVE-2026-22258)   
   - Security #8200: dnp3: unbounded transaction growth   
     (7.0.x backport)(HIGH - CVE-2026-22259)   
   - Security #8209: eve/alert: http xff handling can lead to
     denial of service (7.0.x backport)(LOW - CVE-2026-22261)
   - Security #8112: datasets: stack overflow   
     (7.0.x backport)(HIGH - CVE-2026-22262)   
   - Security #8192: detect/alert: heap-use-after-free on alert queue   
     expansion (7.0.x backport)(HIGH - CVE-2026-22264)   
      
   Though the impact may seem rather small, the vulnerabilities
   can be exploited quite easily by simply sending the 'wrong' packets
   over the network. Suricata is therefore highly affected due to its
   nature as an IDS processing untrusted input from the network.
      
   [ Tests ]   
   - autopkgtest runs the unit-tests and these are OK for the patched   
     package [2].   
   - Furthermore, I used suricata-verify, an upstream tool for additional
     testing with pcaps, which also has the same number of successful
     tests for deb13u2 and deb13u3. See stable [3] vs. patched [4].
      
   [ Risks ]   
   Because of successful unit tests, the risk should be OK. Not patching   
   the vulnerabilities can lead to crashing detection and that would   
   miss the point of an IDS/IPS.   
      
   [ Checklist ]   
     [x] *all* changes are documented in the d/changelog   
     [x] I reviewed all changes and I approve them   
     [x] attach debdiff against the package in (old)stable   
     [x] the issue is verified as fixed in unstable   
      
   [ Changes ]   
   - Applied the upstream patches for 7.0.14 fixing the CVEs. Added   
     all commits/patches having the same upstream ticket numbers.   
   - d/p/CVE-2026-22259_[2-4].patch: the patches had to be adjusted and
     refreshed to fit Suricata 7.0.10.
   - With the fix for CVE-2026-22259, DNP3 has reduced the default   
     maximum number of outstanding transactions from 500 down to 32.   
     This means a small change in stable Suricata behaviour to fix the   
     vulnerability!   
     Read the update instructions for Suricata 7.0.14 for more   
     details [6].   
   - Furthermore added Debian patch headers and changelog.   
      
   [ Other info ]   
   See the source-debdiff and the patches attached.   
   See the final branch at [5] which might be a bit easier to review,   
   because each change is documented as a single commit.   
      
   Thanks for your work!   
      
   [1] https://github.com/OISF/suricata/blob/163bd652dfa92959e918a92429b939fa81f7b88/ChangeLog
   [2] https://salsa.debian.org/ecite/pkg-suricata/-/jobs/9094192   
   [3] https://salsa.debian.org/ecite/pkg-suricata/-/jobs/9101745   
   [4] https://salsa.debian.org/ecite/pkg-suricata/-/jobs/9094196   
   [5] https://salsa.debian.org/ecite/pkg-suricata/-/tree/debian/trixie   
   [6] https://docs.suricata.io/en/suricata-7.0.14/upgrade.html#upgrading-to-7-0-14
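As an added example (not part of this report or of the suricata package), a small Python check that a reviewer of such a pu request can run: it parses the "Fix CVE-... / Cherry-Picked from" items of the debian/changelog hunk from the attached debdiff and cross-checks them against the CVE list under [ Reason ], flagging claimed CVEs that have no changelog entry, entries that name no source commit, and commit ids that are not full 40-hex SHA-1s. The sample hunk is copied from the debdiff in this report and trimmed; the function names are my own.

```python
import re

# Sample input: added lines of the debian/changelog hunk from this debdiff, trimmed.
CHANGELOG_HUNK = """\
+  * Fix CVE-2026-22258 in 7.0.10.
+    Cherry-Picked from:
+    * f82a388d0283725cb76782cf64e8341cab370830
+    * df389f8a43a06c718bb336ea082d6c80d6fefda0
+  * Fix CVE-2026-22262 in 7.0.10.
+    Cherry-Picked from:
+    * 32609e6896f9079c175665a94005417cec7637eb
+  * Fix CVE-2026-22264 in 7.0.10.
+    Cherry-Picked from 5789a3d3760dbf33d93fc56c27bd9529e5bdc8f2.
+  * Fix CVE-2026-22259 in 7.0.10.
+    Cherry-Picked from:
+    * 63225d5f8ef64cc65164c0bb1800730842d54942
+  * Fix CVE-2026-22261 in 7.0.10.
+    Cherry-Picked from:
+    * 44d0c81f537f230e9215c769453fb4d7214217a1
"""
CLAIMED_CVES = {"CVE-2026-22258", "CVE-2026-22259", "CVE-2026-22261",  # [ Reason ] list
                "CVE-2026-22262", "CVE-2026-22264"}

FIX_RE = re.compile(r"^\+\s*\*\s*Fix (CVE-\d{4}-\d{4,})\b")        # "* Fix CVE-... in ..."
INLINE_RE = re.compile(r"Cherry-Picked from ([0-9a-f]+)\.?\s*$")   # hash on the same line
LIST_RE = re.compile(r"^\+\s*\*\s*([0-9a-f]+)\s*$")                # "* <hash>" sub-item
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")                            # full git commit id

def parse_fixes(hunk):
    """Map each 'Fix CVE-...' changelog item to the commit ids listed under it."""
    fixes, current = {}, None
    for line in hunk.splitlines():
        m = FIX_RE.match(line)
        if m:
            current, fixes[m.group(1)] = m.group(1), []
            continue
        m = current and (INLINE_RE.search(line) or LIST_RE.match(line))
        if m:
            fixes[current].append(m.group(1))
    return fixes

def check_pu_request(claimed, hunk):
    """Return (missing, unexpected, bad_hashes, no_hash) for the reviewer."""
    fixes = parse_fixes(hunk)
    missing = sorted(claimed - set(fixes))        # claimed in the letter, absent in changelog
    unexpected = sorted(set(fixes) - claimed)     # in the changelog but not in the letter
    bad = sorted(h for hs in fixes.values() for h in hs if not SHA1_RE.match(h))
    no_hash = sorted(c for c, hs in fixes.items() if not hs)  # fix without a source commit
    return missing, unexpected, bad, no_hash
```

Run against the full hunk and the four lists should all come back empty; a truncated hash or a CVE mentioned only in the cover letter shows up in the corresponding list.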
      
   diff -Nru suricata-7.0.10/debian/changelog suricata-7.0.10/debian/changelog   
   --- suricata-7.0.10/debian/changelog	2025-12-10 20:12:20.000000000 +0100   
   +++ suricata-7.0.10/debian/changelog	2026-02-22 13:28:52.000000000 +0100   
   @@ -1,3 +1,32 @@   
   +suricata (1:7.0.10-1+deb13u3) trixie; urgency=medium   
   +   
   +  * Fix CVE-2026-22258 in 7.0.10.   
   +    Cherry-Picked from:   
   +    * f82a388d0283725cb76782cf64e8341cab370830   
   +    * df389f8a43a06c718bb336ea082d6c80d6fefda0   
   +    * c9b80e5affe073ce9d95d0c935a8d67647c83bf7   
   +  * Fix CVE-2026-22262 in 7.0.10.   
   +    Cherry-Picked from:   
   +    * 32609e6896f9079c175665a94005417cec7637eb   
   +    * 27a2180bceaa3477419c78c54fce364398d011f1   
   +  * Fix CVE-2026-22264 in 7.0.10.   
   +    Cherry-Picked from 5789a3d3760dbf33d93fc56c27bd9529e5bdc8f2.   
   +  * Fix CVE-2026-22259 in 7.0.10.   
   +    Cherry-Picked from:   
   +    * 63225d5f8ef64cc65164c0bb1800730842d54942   
   +    * 635af8dc8be09667689be71d781912718ca1aa49   
   +    * fdd79bdb14488244604729f1d68ca4bc60000dbd   
   +    * a6d950315d9b6c1e35c10c24d9bb7128d422c21f   
   +    With this fix, DNP3 has reduced the default maximum number of   
   +    outstanding transactions from 500 down to 32.   
   +    Read the update instructions for Suricata 7.0.14 for more details.   
   +  * Fix CVE-2026-22261 in 7.0.10.   
   +    Cherry-Picked from:   
   +    * 44d0c81f537f230e9215c769453fb4d7214217a1   
   +    * 7e704a3f50690b5f5d5cc573147ef41449fe37ac   
   +   
   + -- Andreas Dolp   Sun, 22 Feb 2026 13:28:52 +0100   
   +   
    suricata (1:7.0.10-1+deb13u2) trixie; urgency=medium   
      
      * Fix CVE-2025-64344 in 7.0.10.   
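Review bot: the CVE-2026-22259 entry records a behaviour change in stable ("DNP3 has reduced the default maximum number of outstanding transactions from 500 down to 32") but only says "Read the update instructions for Suricata 7.0.14 for more details" without a link; put the upgrade-notes URL from the cover letter ([6]) into the changelog entry, and since this debdiff excerpt shows no debian/NEWS change, consider adding a NEWS entry so apt-listchanges surfaces the new default to administrators at upgrade time. Minor: the CVE-2026-22264 entry writes the commit inline ("Cherry-Picked from 5789a3d3...") while the others use a "Cherry-Picked from:" sub-list; one form throughout keeps the entries greppable.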
   diff -Nru suricata-7.0.10/debian/patches/CVE-2026-22258_1.patch    
   uricata-7.0.10/debian/patches/CVE-2026-22258_1.patch   
   --- suricata-7.0.10/debian/patches/CVE-2026-22258_1.patch	1970-01-01   
   01:00:00.000000000 +0100   
   +++ suricata-7.0.10/debian/patches/CVE-2026-22258_1.patch	2026-02-22   
   13:21:42.000000000 +0100   
   @@ -0,0 +1,286 @@   
   +From f82a388d0283725cb76782cf64e8341cab370830 Mon Sep 17 00:00:00 2001   
   +From: Shivani Bhardwaj    
   +Date: Tue, 6 Jan 2026 16:44:52 +0530   
      
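Review bot: the new file CVE-2026-22258_1.patch opens with the raw git format-patch header ("From f82a388d0283725cb76782cf64e8341cab370830 Mon Sep 17 00:00:00 2001", From:, Date:), which matches the first commit listed under CVE-2026-22258 in the changelog; the cover letter states that Debian patch headers were added, but the rest of this 286-line hunk is in the next message, so the DEP-3 fields (Origin, Bug-Debian, Applied-Upstream, etc.) cannot be confirmed from what is shown here and should be checked in the continuation, with the upstream commit id recorded in Origin so it survives any stripping of the git header.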
   [continued in next message]   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   


(c) 1994,  bbs@darkrealms.ca