Zeek Files

We would like to thank @cccs-jsjm, @edoardomich, and the Canadian Cyber Defence Collective for their contributions to this release.

This release fixes the following security issue:

• Very large log records can cause Zeek to overflow memory and potentially crash. Due to the possibility of building these log records with packets from remote hosts, this is a DoS risk. The fix adds additional length checking when serializing log data for writing to logging streams. This can be controlled via a new Log::max_log_record_size redefinable constant, and reports a new log_record_too_large weird if the limitation is reached for any individual log entry. There is an also a new log-writer-discarded-writes metric that tracks when this limitation is reached.

This release fixes the following bugs:

• The Redis storage backend now requires libhiredis 1.1.0 or later.

• The websocket support in the Cluster framework gained the ability to listen on IPv6 addresses. This change deprecates the WebSocketServerOptions$listen_host in favor of WebSocketServerOptions$listen_addr.

• Likewise, the ZeroMQ cluster backend gained the ability to listen on IPv6 addresses.

• The response to BDAT LAST was never recognized by the SMTP analyzer, resulting in the BDAT LAST commands not being logged in a timely fashion and receiving the wrong status. Zeek now correctly reports these commands.

• The Docker images for zeek 7.0 releases now include the net-tools (for iproute2) package to silience a warning from zeekctl. They also now include the procps package (for top) to ensure the zeekctl top command works correctly.

• The Spicy submodule was updated to v1.13.2. This version fixes an error when extracting bytes with &eod. This would previously result in a cryptic error message.

• The ZeekJS submodule was updated to v0.18.0. This version fixes a compilation error with debug builds and GCC 15.1, as well as adding future support for Node v24.