[SECURITY] Fedora EPEL 6 Update: libhtp-0.5.16-1.el6

updates at fedoraproject.org updates at fedoraproject.org
Sat Jan 24 18:46:52 UTC 2015 

--------------------------------------------------------------------------------
Fedora EPEL Update Notification
FEDORA-EPEL-2014-4669
2014-12-14 21:05:43
--------------------------------------------------------------------------------

Name        : libhtp
Product     : Fedora EPEL 6
Version     : 0.5.16
Release     : 1.el6
URL         : http://www.libhtp.org
Summary     : Security-aware parser for the HTTP protocol and the related bits and pieces
Description :
LibHTP is a security-aware parser for the HTTP protocol and the related bits
and pieces. The goals of the project, in the order of importance, are as
follows:
1. Completeness of coverage;
2. Permissive parsing;
3. Awareness of evasion techniques;
4. Performance;

--------------------------------------------------------------------------------
Update Information:

This is a major update. API/ABI breaks are to be expected.

Extensive testing will be more than welcome.

Below is the upstream changelog from version 0.5.3 to the latest 0.5.16. Unfortunately, upstream didn't maintain a changelog before that.

More details can be obtained by [comparing the current version in EPEL6, 0.3.0, and the one in this update](https://github.com/OISF/libhtp/compare/0.3.0...0.5.16).

### 0.5.16 (11 December 2014)

* Per personality requestline leading whitespace handling [Victor Julien]
* Improve request line parsing with leading spaces [Victor Julien]
* Harden decompress code against memory stress [Victor Julien]

### 0.5.15 (1 August 2014)

* Fixed [#78] Make a case-insensitive comparision for the pattern "chunked" for "Transfer-Encoding" [Anoop Saldanha]

### 0.5.14 (22 July 2014)

* Fixed the tests sometimes not returning the correct status code. Increased the the compiler warnings for the tests.
* Fixed [#77] Fix compiler warnings in the tests

### 0.5.13 (16 July 2014)

* Fixed [#56] Investigate clean-up performance with a large number of transactions on a single connection

### 0.5.12 (25 June 2014)

* Fixed [#73] Fix double Content-Length issue [Wesley Shields]

### 0.5.11 (5 April 2014)

* Fixed [#72] On CONNECT requests inbound tx progress prematurely set to complete
* Fixed [#71] Fix missing files in distribution target [Pierre Chifflier]

### 0.5.10 (3 March 2014)

* Fixed [#63] Final response body data callback missing on compressed responses.
* Do not consume the byte that comes after an invalid UTF-8 character.
* Use case insensitive comparison for content-coding values. Warn if unknown response content encoding is encountered.
* Small fixes. [#66, #69] [Victor Julien]

### 0.5.9 (19 November 2013)

* Fixed an `HTP_HOST_AMBIGUOUS` false positive.
* Fixed the tests not compiling on OS X 10.9.

### 0.5.8 (21 October 2013)

* Fixed [#54] Compression and base64 tests failing on some architectures.
* Fixed [#55] Incorrect ambiguous host warning on some CONNECT requests.

### 0.5.7 (18 September 2013)

* Use `umask()` with `mkstemp()` to ensure that temporary files are created with correct permissions. This addresses the potential security problem, but creates another, because umask() is not thread safe. For this and other reasons (see #52), file extraction will be removed in a future release.
* Fix copying `hook_response_complete` instead of `hook_transaction_complete`.
* Fix several small memory leaks that occur when memory allocation fails.

### 0.5.6 (22 July 2013)

* Fix memory leaks in `htp_tx_t::request_auth_username` and `htp_tx_t::request_auth_password`.
* [#43] When processing the response line, treat stream closure as the end of line.
* Fix normalization when the URL begins with `./`.
* Do not fail a stream with an incorrectly formed digest username.
* Do not stop processing request headers on PUT requests.

### 0.5.5 (18 July 2013)

* Tagging for a Suricata beta release.
* [#46] Fix the segfault that occurs under certain conditions when an invalid hostname is supplied.
* [#44] Fix libiconv detection on OpenBSD. [Victor Julien]

### 0.5.4 (17 July 2013)

* Tagging for a Suricata beta release.
* Added `htp_get_version()`, which returns the complete library name (e.g., "LibHTP v0.5.4").
* Hard field limit is now treated as specifying the maximum amount of memory LibHTP will use for buffering per stream. Fields (e.g., headers) longer than this limit will be accepted if they are contained within a single buffer submitted to LibHTP (i.e., if LibHTP does not have to do any buffering in order to process them). Soft limits are currently not creating any warnings. This area will be improved in a future release.
* Invalid headers no longer fail the entire stream. They are now treated as headers without a name.
* `htp_conn_remove_tx()` now returns `HTP_DECLINED` (was `HTTP_ERROR`) if the specified transaction cannot be found.
* `htp_list_array_replace()` now returns `HTP_DECLINED` (was `HTP_ERROR`) if the element at the specified position does not exist.
* New public functions:
  * `htp_status_t htp_urldecode_inplace(htp_cfg_t *cfg, enum htp_decoder_ctx_t ctx, bstr *input, uint64_t *flags);`
  * `htp_status_t htp_urldecode_inplace_ex(htp_cfg_t *cfg, enum htp_decoder_ctx_t ctx, bstr *input, uint64_t *flags, int *expected_status_code);`
* Improved test coverage (84.1% lines, 91.3% functions).

### 0.5.3 (14 June 2013)

* Fix stream error when valid Basic Authentication information is provided.
* Do not fail the entire stream if the Authorization header is invalid. Raise `HTP_AUTH_INVALID` instead.
* When a request does not contain the request URI, leave `htp_tx_t::request_uri` `NULL`.

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1173605 - libhtp: denial of service with specific packets
        https://bugzilla.redhat.com/show_bug.cgi?id=1173605
--------------------------------------------------------------------------------

This update can be installed with the "yum" update programs.  Use
su -c 'yum update libhtp' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora EPEL GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

More information about the epel-package-announce mailing list