Zeek releases

We would like to thank Anthony Alayo (@anthonyalayo), @cccs-graeme on Slack, @cccs-will,
Klemens Nanni (@klemensn), and Octave Charrin (@OctaveCharrin) for their contributions to
this release.

This release fixes the following security issues:

• A series of DNS messages containing long DNS compression chains can cause Zeek to spend
  a long time processing packets and potentially crash. Due to the fact that these packets
  can be received from remote hosts, this is a DoS risk. The fix included is to limit the
  amount of recursion when extracting labels and names from these chains. A weird is
  returned if the condition is met.

• A specially-crafted LDAP search request can cause Zeek to spend a long time processing
  the packet, resulting in Zeek silently dropping the LDAP analyzer for the
  connection. Due to the fact that these packets can be received from remote hosts, this
  is an evasion risk. The fix included is to limit the amount of recursion when processing
  search requests. An analyzer violation is returned and logged when the condition is met.

• A specially-crafted series of ASN.1 messages in LDAP packets can cause Zeek to spend a
  long time processing the packets, resulting in Zeek silently dropping the LDAP analyzer
  for the connection. Due to the fact that these packets can be received from remote
  hosts, this is an evasion risk. The fix included is to limit the amount of recursion
  when processing ASN.1 messages. An analyzer violation is returned and logged when the
  condition is met.

• A specially-crafted DNS packet containing HTTP SvcParam RRs can cause Zeek to reach a
  buffer overflow and potentially crash. Due to the fact that these packets can be
  received from remote hosts, this is a DoS risk. The fix included reworks the byte
  accounting when processing these RRs to avoid the overflow.

This release fixes the following bugs:

• Support for non-Broker cluster backends was added to the cluster/experimental set of
  scripts.

• The SQLite storage backend now uses quick_check instead of integrity_check in
  the default set of pragmas. This is a trade-off between a slightly fewer number of
  checks and a significant savings in startup time.

• The events ssl_extension_pre_shared_key_server_hello and
  ssl_extension_pre_shared_key_client_hello can now be used independently. Previously,
  both had to have a handler implemented for either of them to actually be invoked due to
  some logic confusion in the analyzer.

• The SSH analyzer now supports the ML-KEM family of key exchange algorithms.

• A memory leak in the telemetry framework's process handling on FreeBSD was fixed.

• The ZeroMQ cluster backend now disables ipv6 by default. This fixes an issue with
  running on systems without dual-stack socket support.

We would like to thank Anthony Alayo (@anthonyalayo), @cccs-graeme on Slack, @cccs-will,
and Octave Charrin (@OctaveCharrin) for their contributions to this release.

This release fixes the following security issues:

• A series of DNS messages containing long DNS compression chains can cause Zeek to spend
  a long time processing packets and potentially crash. Due to the fact that these packets
  can be received from remote hosts, this is a DoS risk. The fix included is to limit the
  amount of recursion when extracting labels and names from these chains. A weird is
  returned if the condition is met.

• A specially-crafted LDAP search request can cause Zeek to spend a long time processing
  the packet, resulting in Zeek silently dropping the LDAP analyzer for the
  connection. Due to the fact that these packets can be received from remote hosts, this
  is an evasion risk. The fix included is to limit the amount of recursion when processing
  search requests. An analyzer violation is returned and logged when the condition is met.

• A specially-crafted series of ASN.1 messages in LDAP packets can cause Zeek to spend a
  long time processing the packets, resulting in Zeek silently dropping the LDAP analyzer
  for the connection. Due to the fact that these packets can be received from remote
  hosts, this is an evasion risk. The fix included is to limit the amount of recursion
  when processing ASN.1 messages. An analyzer violation is returned and logged when the
  condition is met.

This release fixes the following bugs:

• Support for non-Broker cluster backends was added to the cluster/experimental set of
  scripts.

• The SQLite storage backend now uses quick_check instead of integrity_check in
  the default set of pragmas. This is a trade-off between a slightly fewer number of
  checks and a significant savings in startup time.

• The events ssl_extension_pre_shared_key_server_hello and
  ssl_extension_pre_shared_key_client_hello can now be used independently. Previously,
  both had to have a handler implemented for either of them to actually be invoked due to
  some logic confusion in the analyzer.

• The SSH analyzer now supports the ML-KEM family of key exchange algorithms.

• A memory leak in the telemetry framework's process handling on FreeBSD was fixed.

• ZeekJS was updated to v0.22.1.

We would like to thank Siavash Tahmureszadeh for their contribution to this release.

This release fixes the following security issues:

• Zeek's HTTP analyzer can be tricked into interpreting Transfer-Encoding or
  Content-Length headers set in MIME entities within HTTP bodies and change the
  analyzer behavior. This can be used to hide HTTP requests from analysis. Due to the fact
  that these packets can be received from remote hosts, this is an evasion risk. The fix
  is to only process the headers from the outermost MIME entity, which causes all internal
  entities to be parsed.

This release fixes the following bugs:

• A missing state check was added to the finalize_redis hook in the Redis
  analyzer. This was needed for rare cases where that hook got called and the rest of the
  analyzer had never been invoked, leading to Zeek throwing an error because the state
  didn't exist yet.

• A bug was fixed when attempting to append a vector to itself that would cause an
  infinite loop.

• A minor update was added to the documentation to better describe how what versions of
  docs we keep available on the website.

• A memory leak was fixed that occurred when looping over tables while running Zeek with
  ZAM enabled.

We would like to thank Siavash Tahmureszadeh for their contribution to this release.

This release fixes the following security issues:

• Zeek's HTTP analyzer can be tricked into interpreting Transfer-Encoding or
  Content-Length headers set in MIME entities within HTTP bodies and change the
  analyzer behavior. This can be used to hide HTTP requests from analysis. Due to the fact
  that these packets can be received from remote hosts, this is an evasion risk. The fix
  is to only process the headers from the outermost MIME entity, which causes all internal
  entities to be parsed.

This release fixes the following bugs:

• A missing state check was added to the finalize_redis hook in the Redis
  analyzer. This was needed for rare cases where that hook got called and the rest of the
  analyzer had never been invoked, leading to Zeek throwing an error because the state
  didn't exist yet.

• A bug was fixed when attempting to append a vector to itself that would cause an
  infinite loop.

• A minor update was added to the documentation to better describe how what versions of
  docs we keep available on the website.

• A memory leak was fixed that occurred when looping over tables while running Zeek with
  ZAM enabled.

• The upgraded library used for paraglob in Zeek 8.1.0 exposed an issue with handling
  very large data sets. This was fixed via better initialization of the library when
  creating the paraglob objects.

• Zeek now requires ZeroMQ 4.3.0 or later due to some missing API features in earlier
  versions.