Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package suricata for openSUSE:Factory checked in at 2026-05-28 17:28:48 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/suricata (Old) and /work/SRC/openSUSE:Factory/.suricata.new.1937 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "suricata" Thu May 28 17:28:48 2026 rev:5 rq:1355547 version:8.0.5 Changes: -------- --- /work/SRC/openSUSE:Factory/suricata/suricata.changes 2026-03-27 16:52:54.391977065 +0100 +++ /work/SRC/openSUSE:Factory/.suricata.new.1937/suricata.changes 2026-05-28 17:29:32.762193396 +0200 @@ -1,0 +2,28 @@ +Wed May 27 19:23:47 UTC 2026 - Eyad Issa <[email protected]> + +- Update to version 8.0.5: + * CVE-2026-45764: CRITICAL + * CVE-2026-45766: CRITICAL + * CVE-2026-45769: CRITICAL + * CVE-2026-45768: CRITICAL + * CVE-2026-46387: HIGH + * CVE-2026-45759: HIGH + * CVE-2026-45762: HIGH + * CVE-2026-45765: HIGH + * CVE-2026-45770: HIGH + * CVE-2026-46352: HIGH + * CVE-2026-45767: HIGH + * CVE-2026-45763: HIGH + * CVE-2026-45751: MODERATE + * CVE-2026-45752: MODERATE + * CVE-2026-45761: LOW + * All tickets available at: + https://redmine.openinfosecfoundation.org/versions/233 +- Implement security hardening and non-privileged execution: + * Implement static system user 'suricata' via sysuser-tools. + * Hardened systemd service + * Updated logrotate to use 'su suricata suricata'. + * Restricted permissions for /var/log/suricata and + /var/lib/suricata (0750). + +------------------------------------------------------------------- Old: ---- suricata-8.0.4.tar.gz suricata-8.0.4.tar.gz.sig New: ---- suricata-8.0.5.tar.gz suricata-8.0.5.tar.gz.sig suricata-user.conf ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ suricata.spec ++++++ --- /var/tmp/diff_new_pack.pimG31/_old 2026-05-28 17:29:33.930241745 +0200 +++ /var/tmp/diff_new_pack.pimG31/_new 2026-05-28 17:29:33.930241745 +0200 @@ -17,7 +17,7 @@ # -%define soname 8_0_4 +%define soname 8_0_5 # Handling libxdp support %if (0%{?suse_version} <= 1500) && (0%{?sle_version} <= 150500) && (0%{?is_opensuse}) 
@@ -48,7 +48,7 @@ %endif Name: suricata -Version: 8.0.4 +Version: 8.0.5 Release: 0 Summary: Open Source Next Generation Intrusion Detection and Prevention Engine License: GPL-2.0-only @@ -59,6 +59,7 @@ Source3: suricata.service Source4: suricata.sysconfig Source5: suricata.logrotate +Source6: %{name}-user.conf BuildRequires: cargo BuildRequires: cargo-packaging BuildRequires: chrpath @@ -69,6 +70,7 @@ BuildRequires: python3-setuptools BuildRequires: rust >= 1.63.0 BuildRequires: systemd-rpm-macros +BuildRequires: sysuser-tools BuildRequires: pkgconfig(hiredis) BuildRequires: pkgconfig(jansson) BuildRequires: pkgconfig(libcap-ng) @@ -89,6 +91,7 @@ Requires(pre): %fillup_prereq Recommends: jq Recommends: logrotate +%sysusers_requires %{?systemd_requires} %if %{with libmagic} %if 0%{?suse_version} >= 1600 @@ -173,6 +176,7 @@ # --output-sync=none is needed to avoid GNU Make # buffering the entire cargo build output %make_build --output-sync=none +%sysusers_generate_pre %{SOURCE6} %{name} %{name}-user.conf %install %make_install install-library install-headers @@ -196,10 +200,10 @@ install -Dpm 0644 %{SOURCE3} %{buildroot}%{_unitdir}/%{name}.service install -Dpm 0644 %{SOURCE4} %{buildroot}%{_fillupdir}/sysconfig.%{name} install -Dpm 0644 %{SOURCE5} %{buildroot}%{_sysconfdir}/logrotate.d/%{name} +install -Dpm 0644 %{SOURCE6} %{buildroot}%{_sysusersdir}/%{name}-user.conf mkdir -p %{buildroot}%{_sbindir} ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcsuricata -mkdir -p %{buildroot}%{_localstatedir}/log/suricata # fix RPATH in the binary chrpath --delete %{buildroot}%{_bindir}/suricata 
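Review bot: the %install hunk drops `mkdir -p %{buildroot}%{_localstatedir}/log/suricata`, but the %files section still lists `%dir %attr(0750,suricata,suricata) %{_localstatedir}/log/suricata`; unless `%make_install install-library install-headers` creates that directory in the buildroot by itself, rpmbuild will fail on the missing entry. Either keep the mkdir (it is harmless next to the new LogsDirectory= in the unit, which only covers the runtime side) or confirm from a build log that the directory survives in the buildroot.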
@@ -212,13 +216,33 @@ find %{buildroot}%{_prefix}/lib/suricata/python -type f -name "*.py" \ -exec chmod a-x {} \; -%pre +%pre -f %{name}.pre %service_add_pre %{name}.service %post %service_add_post %{name}.service %fillup_only -suricata-update +# Migrate existing logs and libs to the new user if they exist +if [ $1 -ge 1 ]; then + chown -R suricata:suricata %{_localstatedir}/log/suricata || : + chown -R suricata:suricata %{_localstatedir}/lib/suricata || : + + # Notify the user about the security hardening only once + if [ ! -f %{_localstatedir}/lib/suricata/.migrated-to-nonroot ]; then + mkdir -p %{_localstatedir}/adm/update-messages + cat > %{_localstatedir}/adm/update-messages/%{name}-%{version}-%{release} << EOF +Suricata has been hardened and now runs as a non-privileged 'suricata' user. +Existing logs in %{_localstatedir}/log/suricata and data in %{_localstatedir}/lib/suricata +have been migrated to the new user ownership. + +If you have custom rule files or configurations outside these directories, +please ensure they are readable by the 'suricata' user. +EOF + touch %{_localstatedir}/lib/suricata/.migrated-to-nonroot + chown suricata:suricata %{_localstatedir}/lib/suricata/.migrated-to-nonroot || : + fi +fi +suricata-update || : %preun %service_del_preun %{name}.service 
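Review bot: in %post, `if [ $1 -ge 1 ]; then` is always true (rpm passes 1 on first install and 2 on upgrade), so the guard and the "Migrate existing logs and libs to the new user if they exist" comment promise a condition that is never applied; use `-ge 2` if the chown is meant for upgrades only, or drop the condition and reword the comment. Separately, `suricata-update || :` still runs as root and runs after `chown -R suricata:suricata %{_localstatedir}/lib/suricata`, so the rules and cache it writes under the 0750 suricata:suricata tree end up root-owned: readable by the service user but not writable, and a later suricata-update run as `suricata` will fail on them. Run it as the service user (runuser/setpriv) or repeat the chown after it; the `.migrated-to-nonroot` marker and the update-message under %{_localstatedir}/adm/update-messages are a good fit for telling admins about that ownership change as well.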
@@ -241,16 +265,19 @@ %dir %{_prefix}/lib/suricata/python %{_prefix}/lib/suricata/python/suricata/ %{_datadir}/suricata* -%dir %{_localstatedir}/log/suricata +%dir %attr(0750,suricata,suricata) %{_localstatedir}/log/suricata %{_mandir}/man1/suricata.1%{?ext_man} %{_mandir}/man1/suricatasc.1%{?ext_man} %{_mandir}/man1/suricatactl.1%{?ext_man} %{_mandir}/man1/suricatactl-filestore.1%{?ext_man} -%dir %{_localstatedir}/lib/suricata +%dir %attr(0750,suricata,suricata) %{_localstatedir}/lib/suricata %{_unitdir}/%{name}.service +%{_sysusersdir}/%{name}-user.conf %config(noreplace) %{_sysconfdir}/logrotate.d/%{name} %{_fillupdir}/sysconfig.%{name} +%ghost %{_localstatedir}/lib/suricata/.migrated-to-nonroot +%ghost %{_localstatedir}/adm/update-messages/%{name}-%{version}-%{release} %files -n libsuricata%{soname} %{_libdir}/libsuricata.so.* ++++++ suricata-8.0.4.tar.gz -> suricata-8.0.5.tar.gz ++++++ /work/SRC/openSUSE:Factory/suricata/suricata-8.0.4.tar.gz /work/SRC/openSUSE:Factory/.suricata.new.1937/suricata-8.0.5.tar.gz differ: char 24, line 1 ++++++ suricata-user.conf ++++++ # Type Name ID GECOS Home Shell u suricata - "Suricata IDS" /var/lib/suricata ++++++ suricata.logrotate ++++++ --- /var/tmp/diff_new_pack.pimG31/_old 2026-05-28 17:29:34.030245884 +0200 +++ /var/tmp/diff_new_pack.pimG31/_new 2026-05-28 17:29:34.050246713 +0200 @@ -1,11 +1,12 @@ /var/log/suricata/*.log /var/log/suricata/*.json { + su suricata suricata nocompress maxage 30 rotate 99 dateext missingok - create + create 0640 suricata suricata sharedscripts postrotate systemctl reload suricata.service ++++++ suricata.service ++++++ --- /var/tmp/diff_new_pack.pimG31/_old 2026-05-28 17:29:34.074247706 +0200 +++ /var/tmp/diff_new_pack.pimG31/_new 2026-05-28 17:29:34.082248038 +0200 
@@ -5,16 +5,35 @@ [Service] EnvironmentFile=-/etc/sysconfig/suricata -ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml $SURICATA_OPTIONS +User=suricata +Group=suricata +RuntimeDirectory=suricata +RuntimeDirectoryMode=0750 +StateDirectory=suricata +StateDirectoryMode=0750 +LogsDirectory=suricata +LogsDirectoryMode=0750 +ExecStart=/usr/bin/suricata $SURICATA_OPTIONS ExecReload=/bin/kill -HUP $MAINPID Restart=on-failure +CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK CAP_SYS_ADMIN CAP_SYS_RESOURCE +AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK CAP_SYS_ADMIN CAP_SYS_RESOURCE +NoNewPrivileges=yes PrivateTmp=yes ProtectHome=yes -ProtectSystem=yes ProtectSystem=full ProtectKernelTunables=yes ProtectControlGroups=yes ProtectKernelModules=yes +ProtectKernelLogs=yes +ProtectClock=yes +ProtectHostname=yes +RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_PACKET AF_UNIX +RestrictNamespaces=yes +RestrictRealtime=yes +LockPersonality=yes +SystemCallFilter=@system-service @network-io @privileged @resources +SystemCallErrorNumber=EPERM [Install] WantedBy=multi-user.target ++++++ suricata.sysconfig ++++++ --- /var/tmp/diff_new_pack.pimG31/_old 2026-05-28 17:29:34.110249196 +0200 +++ /var/tmp/diff_new_pack.pimG31/_new 2026-05-28 17:29:34.114249362 +0200 @@ -1,10 +1,10 @@ ## Path: Network/Security ## Description: suricata configuration ## Type: string(-i,-q,-l) -## Default: "" +## Default: "-c /etc/suricata/suricata.yaml -i eth0" ## ServiceRestart: suricata # Parameters for suricata. See the manual page for the # accepted parameters. -SURICATA_OPTIONS="" - +# IMPORTANT: Use absolute paths as the service runs as a non-privileged user. +SURICATA_OPTIONS="-c /etc/suricata/suricata.yaml -i eth0"
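Review bot: in the suricata.service hunk, `CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK CAP_SYS_ADMIN CAP_SYS_RESOURCE` and the matching `AmbientCapabilities=` line hand the unprivileged user CAP_SYS_ADMIN, which is broad enough to undo most of the remaining hardening (NoNewPrivileges=yes does not remove an ambient capability). If it is only needed for the libxdp/eBPF path the spec handles, say so in a comment and leave it out of the default set so plain AF_PACKET capture runs with CAP_NET_ADMIN, CAP_NET_RAW and CAP_IPC_LOCK only. On `SystemCallFilter=@system-service @network-io @privileged @resources`: @system-service already contains @network-io and @resources, and adding @privileged re-admits the @raw-io, @module and @reboot groups, so the allow list is wider than it reads; start from @system-service alone and add only the specific groups a capture run actually trips. With `SystemCallErrorNumber=EPERM` a blocked call surfaces as EPERM in the suricata log rather than killing the process, which makes that iteration cheap.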
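Review bot: in the suricata.sysconfig hunk, `SURICATA_OPTIONS="-c /etc/suricata/suricata.yaml -i eth0"` bakes a fixed interface into the default; hosts with predictable interface names have no eth0, so a fresh install fails at start-up until the admin edits the file. On upgrades %fillup_only preserves an existing `SURICATA_OPTIONS=""`, so the new default is never applied there and, with `-c` moved out of `ExecStart=/usr/bin/suricata $SURICATA_OPTIONS`, the service now starts with no -c at all; verify that suricata falls back to the packaged configuration path in that case. Consider leaving the interface out of the default (capture interfaces can be set in the af-packet section of suricata.yaml), keeping `-c /etc/suricata/suricata.yaml` in ExecStart, and mentioning the changed defaults in the update message written from %post.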
