Source: suricata Version: 1:7.0.10-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for suricata. CVE-2025-53538[0]: | Suricata is a network IDS, IPS and NSM engine developed by the OISF | (Open Information Security Foundation) and the Suricata community. | In versions 7.0.10 and below and 8.0.0-beta1 through 8.0.0-rc1, | mishandling of data on HTTP2 stream 0 can lead to uncontrolled | memory usage, leading to loss of visibility. Workarounds include | disabling the HTTP/2 parser, and using a signature like drop http2 | any any -> any any (frame:http2.hdr; byte_test:1,=,0,3; | byte_test:4,=,0,5; sid: 1;) where the first byte test tests the | HTTP2 frame type DATA and the second tests the stream id 0. This is | fixed in versions 7.0.11 and 8.0.0. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-53538 https://www.cve.org/CVERecord?id=CVE-2025-53538 [1] https://github.com/OISF/suricata/security/advisories/GHSA-qrr7-crgj-cmh3 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
