Changelog: https://github.com/snort3/snort3/releases/tag/3.6.2.0
% snort --version
,,_ -*> Snort++ <*-
o" )~ Version 3.6.2.0
'''' By Martin Roesch & The Snort Team
http://snort.org/contact#team
Copyright (C) 2014-2024 Cisco and/or its affiliates. All rights reserved.
Copyright (C) 1998-2013 Sourcefire, Inc., et al.
Using DAQ version 3.0.18
Using Hyperscan version 5.4.2 2025-01-28
Using libpcap version 1.10.5 (with TPACKET_V3)
Using LuaJIT version 2.1.0-beta3
Using LZMA version 5.6.2
Using OpenSSL 3.0.15 3 Sep 2024
Using PCRE2 version 10.42 2022-12-11
Using ZLIB version 1.3.1
Signed-off-by: John Audia <therealgraysky@proton.me>
* improvement: Makefile: prepend `r` to PKG_RELEASE in binary and init script versions to match package version
* bugfix: init script: more reliable/robust start on boot
* improvement: init script: more compact output()
* improvement: init script: better DNS Hijack login
* improvement: init script: fold some dnsmasq-related functions into dhcp_backup()
Signed-off-by: Stan Grishin <stangri@melmac.ca>
* support smartdns as dns backend
* support top level domains in local white- and blacklist,
e.g. a 'de' in the blacklist blocks all domains with a German tld
and the tld compression removes all subdomains from the final blocklist
Signed-off-by: Dirk Brenken <dev@brenken.org>
The -r option is not required here but should also not hurt,
since it was already tested, that $key is a file.
However, to express the intent of the command more clearly,
let's drop it.
Signed-off-by: Michael Heimpold <mhei@heimpold.de>
Imitate dropbear init.d-script and make sure we
don't end up with corrupt keys.
This can happen if we use a caching filesystem,
like 'ubifs', and the DUT is powered off during
boot-up.
Signed-off-by: Markus Gothe <markus.gothe@genexis.eu>
If pppoe is used for wan access, the script sets 'eth1' as the interface for the curl
call. The correct interface is however 'pppoe-wan'.
These scripts use the 'network_get_physdev' function to get the real device for
bind_network but this is wrong. We need instead the l3_device of the
logical interface.
If we don't use a pppoe connection, 'l3_device' is equal to the real device.
Follow P/R:
#14431
Signed-off-by: Coia Prant <coiaprant@gmail.com>
This is a security release.
Notable Changes
CVE-2025-23083 - src,loader,permission: throw on InternalWorker use when permission model is enabled (High)
CVE-2025-23085 - src: fix HTTP2 mem leak on premature close and ERR_PROTO (Medium)
CVE-2025-23084 - path: fix path traversal in normalize() on Windows (Medium)
Dependency update:
CVE-2025-22150 - Use of Insufficiently Random Values in undici fetch() (Medium)
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
If PKG_FORTIFY_SOURCE is not 0 and lto is enabled for package git, it
will fail to compile with the following example error:
/openwrt/staging_dir/toolchain-aarch64_generic_gcc-14.1.0_musl/include/stdio.h: In function 'process_curl_messages':
/openwrt/staging_dir/toolchain-aarch64_generic_gcc-14.1.0_musl/include/stdio.h:90:8: error: inlining failed in call to 'always_inline' 'fwrite': function body can be overwritten at link time
90 | size_t fwrite(const void *__restrict, size_t, size_t, FILE *__restrict);
| ^
http.c:355:33: note: called from here
355 | fprintf(stderr, "Received DONE message for unknown request!\n");
| ^
A related issue is #13016.
This commit sets PKG_FORTIFY_SOURCE to 0 if CONFIG_USE_LTO is y.
Close #24366
Link: https://lore.kernel.org/git/CAHfWF5mjquES-nocQaK+CAEsqWgdy-_OYdGtN82heYs0eJP3eQ@mail.gmail.com/T/#t
Link: https://github.com/openwrt/openwrt/issues/13016
Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110834
Signed-off-by: Ryan Keane <the.ra2.ifv@gmail.com>
* I had wrongly used config_get_bool for the option, so fixed it
* this also fixes the issue of /etc/init.d/vsftpd stop not working
Signed-off-by: Mohd Husaam Mehdi <husaam.mehdi@iopsys.eu>
Update to 1.29.2 and change logfile path from /etc/syncthing/syncthing
log to /var/log/syncthing.log.
This utilizes tmpfs (memory-based storage) to prevent disk usage growth
caused by log file accumulation during extended operation.
Benefits:
- Avoids storage saturation from excessive log growth.
- Aligns with best practices for temporary log management.
- For systems using flash storage (e.g., SSDs or eMMC), storing logs in
tmpfs avoids flash memory wear caused by frequent writes to
/etc/syncthing.
Signed-off-by: Yun Wang <maoerpet@foxmail.com>
Updated lpac to 2.2.1 and added support for custom ISD-R AIDs.
This allows for a broader range of eSIM cards with non-standard AIDs to be supported.
See https://github.com/estkme-group/lpac/pull/181 for additional info.
Signed-off-by: Dominik Borghorst <git@borghorst.net>
Summary of three PRs regarding new adblock sources with minor changes/additions:
- add new source reg_lithuania, PR provided by @Myginas
- add new source certpl, PR provided by @jkostorz
- add new source oisd_nsfw_small, PR provided by @Turjoy9
Signed-off-by: Dirk Brenken <dev@brenken.org>
AntiBlock program proxies DNS requests.
The IP addresses of the specified domains are added to
the routing table for routing through the specified interface.
Signed-off-by: Khachatryan Karen <karen0734@gmail.com>
* change the chain structure: only two regular chains contain the generated banIP sets.
"_inbound" covers the base chains WAN-Input and WAN-Forward, "_outbound" covers the base chain LAN-Forward.
* pre-configure the default chains for every feed in the banip.feeds json file, no longer blocks
selected feeds in all chains by default
* it's now possible to split country and asn Sets by country or asn (disabled by default)
* support Set counters to report easily suspicious IPs per Set (disabled by default)
* make it possible to opt out certain chains from the deduplication process
* the element search now returns all matches (and not only the first one)
* the report engine now includes statistics about the Inbound & Outbound chains and the Set counters (optional)
* save the temp. files of possible nft loading errors in "/tmp/banIP-errors" by default for easier debugging
* various code improvements
* remove ssbl feed (deprecated)
* add two new vpn feeds
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
Feature changes:
- on non-windows clients (MacOS, Linux, Unix) send "release" string from uname() call as IV_PLAT_VER to server
- Windows: protect cached username, password and token in client memory
- Windows: use new API to get dco-win driver version from driver
- Linux: pass --timeout=0 argument to systemd-ask-password, to avoid default timeout of 90 seconds
Security fixes:
- improve server-side handling of clients sending usernames or passwords longer than USER_PASS_LEN
Notable bug fixes:
- FreeBSD DCO: fix memory leaks in nvlist handling
- purge proxy authentication credentials from memory after use
For details refer to https://github.com/OpenVPN/openvpn/blob/v2.6.13/Changes.rst
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>