suricata (1.2.1-2+deb7u4) wheezy-security; urgency=medium

  * Non-maintainer upload by the ELTS Security Team.
  * CVE-2019-10053: heap-based buffer over-read in SSHParseBanner.

 -- Hugo Lefeuvre <hle@debian.org>  Sun, 02 Jun 2019 15:12:39 +0200

suricata (1.2.1-2+deb7u3) wheezy-security; urgency=high

  * Non-maintainer upload by the ELTS team.
  * Fix the following security vulnerabilities:
    - CVE-2015-0928:
      A NULL pointer dereference allows remote attackers to cause a
      denial-of-service by specially crafted network traffic.
    - CVE-2015-8954:
      The MemcmpLowercase function in Suricata improperly excludes the first
      byte from comparisons, which might allow remote attackers to bypass
      intrusion-prevention functionality via a crafted HTTP request.
    - CVE-2018-6794:
      Suricata is prone to an HTTP detection bypass vulnerability
      in detect.c and stream-tcp.c. If a malicious server breaks a normal TCP
      flow and sends data before the 3-way handshake is complete, then the data
      sent by the malicious server will be accepted by web clients such as a
      web browser or Linux CLI utilities, but ignored by Suricata IDS
      signatures. This mostly affects IDS signatures for the HTTP protocol and
      TCP stream content; signatures for TCP packets will inspect such network
      traffic as usual.
    - TEMP-0000000-C04FE8 (no CVE assigned yet)
      If memory allocation fails and Suricata runs out of memory, a flaw in the
      DCERPC parser may lead to a denial-of-service (application crash).

 -- Markus Koschany <apo@debian.org>  Mon, 03 Dec 2018 14:43:55 +0100

suricata (1.2.1-2+deb7u2) wheezy-security; urgency=high

  * Non-maintainer upload by the ELTS Team.
  * CVE-2016-10728
    If an ICMPv4 error packet is received as the first packet on a flow
    in the to_client direction, it can lead to missed TCP/UDP detection
    in packets arriving afterwards.
 
 -- Thorsten Alteholz <debian@alteholz.de>  Mon, 24 Sep 2018 19:03:02 +0200

suricata (1.2.1-2+deb7u1) wheezy-security; urgency=high

  * CVE-2017-7177: The IP protocol was not being used to match fragments with
    their packets allowing a carefully constructed packet (with a different
    protocol) to be matched, thus creating a packet that would not be
    re-assembled by the destination host. (Closes: #856649)

 -- Chris Lamb <lamby@debian.org>  Wed, 22 Mar 2017 22:21:55 +0000

suricata (1.2.1-2) unstable; urgency=low

  * Use override targets in rules files (Closes: #666330)
  * Add support for parallel build in debian/rules

 -- Pierre Chifflier <pollux@debian.org>  Thu, 12 Apr 2012 01:56:48 +0200

suricata (1.2.1-1) unstable; urgency=low

  * Imported Upstream version 1.2.1
  * Add libmagic-dev to build-deps
  * Convert to DH version 9
    - Switch from hardening-wrapper to dpkg-buildflags

 -- Pierre Chifflier <pollux@debian.org>  Mon, 23 Jan 2012 21:47:26 +0100

suricata (1.1.1-2) unstable; urgency=low

  * Add *.config files to default installation
  * Trigger rebuild with libhtp versioned symbols

 -- Pierre Chifflier <pollux@debian.org>  Thu, 05 Jan 2012 08:20:24 +0100

suricata (1.1.1-1) unstable; urgency=low

  * Imported Upstream version 1.1.1
  * Add configure option --enable-af-packet

 -- Pierre Chifflier <pollux@debian.org>  Wed, 07 Dec 2011 21:52:53 +0100

suricata (1.1-1) unstable; urgency=low

  * Imported Upstream version 1.1
  * Add instructions on getting new rules using oinkmaster
  * Add Recommends on oinkmaster
  * Move snort-rules-default to Recommends

 -- Pierre Chifflier <pollux@debian.org>  Thu, 17 Nov 2011 23:20:51 +0100

suricata (1.0.5-1) unstable; urgency=low

  * Imported Upstream version 1.0.5

 -- Pierre Chifflier <pollux@debian.org>  Wed, 27 Jul 2011 08:20:25 +0200

suricata (1.0.4-1) unstable; urgency=low

  * Imported Upstream version 1.0.4
  * Bump Standards Version to 3.9.2
  * Enable hardening-wrapper

 -- Pierre Chifflier <pollux@debian.org>  Sat, 25 Jun 2011 13:45:44 +0200

suricata (1.0.3-1) unstable; urgency=low

  * Imported Upstream version 1.0.3

 -- Pierre Chifflier <pollux@debian.org>  Wed, 13 Apr 2011 16:59:32 +0200

suricata (1.0.2-2) unstable; urgency=low

  * Add init script (thanks to Edward Fjellskål)
  * Switch to dpkg-source 3.0 (quilt) format

 -- Pierre Chifflier <pollux@debian.org>  Sun, 19 Dec 2010 18:35:50 +0100

suricata (1.0.2-1) unstable; urgency=low

  * New Upstream version 1.0.2 (Closes: #598389)

 -- Pierre Chifflier <pollux@debian.org>  Wed, 29 Sep 2010 10:02:52 +0200

suricata (1.0.1-1) unstable; urgency=low

  * Imported Upstream version 1.0.1 (Closes: #591559)
  * Bump Standards version to 3.9.1
  * Create /var/log/suricata (Closes: #590861)

 -- Pierre Chifflier <pollux@debian.org>  Wed, 11 Aug 2010 14:45:14 +0200

suricata (1.0.0-1) unstable; urgency=low

  * Imported Upstream version 1.0.0
  * Remove arch=native flag from build (Closes: #587714)
  * Bump Standards version to 3.9.0

 -- Pierre Chifflier <pollux@debian.org>  Thu, 01 Jul 2010 21:28:41 +0200

suricata (0.9.2-1) unstable; urgency=low

  * Imported Upstream version 0.9.2

 -- Pierre Chifflier <pollux@debian.org>  Sat, 19 Jun 2010 17:39:14 +0200

suricata (0.9.1-1) unstable; urgency=low

  * Imported Upstream version 0.9.1
  * Update watch file

 -- Pierre Chifflier <pollux@debian.org>  Wed, 26 May 2010 23:09:07 +0200

suricata (0.9.0-1) unstable; urgency=low

  * Imported Upstream version 0.9.0
  * Add libcap-ng-dev to build-deps

 -- Pierre Chifflier <pollux@debian.org>  Sun, 09 May 2010 10:43:44 +0200

suricata (0.8.2-1) unstable; urgency=low

  * Imported Upstream version 0.8.2
  * Force selection of external libhtp during build
  * Enable Prelude support
  * Update watch file

 -- Pierre Chifflier <pollux@debian.org>  Sun, 02 May 2010 10:50:05 +0200

suricata (0.8.0-2) unstable; urgency=low

  * Update debian/copyright to include all files

 -- Pierre Chifflier <pollux@debian.org>  Sun, 21 Feb 2010 21:45:33 +0100

suricata (0.8.0-1) unstable; urgency=low

  * Initial release (Closes: #563422)

 -- Pierre Chifflier <pollux@debian.org>  Sat, 30 Jan 2010 18:25:05 +0100
