Releases: zeek/zeek

v8.1.1

29 Jan 19:43

We would like to thank Siavash Tahmureszadeh for their contribution to this release.

This release fixes the following security issues:

  • Zeek's HTTP analyzer can be tricked into interpreting Transfer-Encoding or
    Content-Length headers set in MIME entities within HTTP bodies and change the
    analyzer behavior. This can be used to hide HTTP requests from analysis. Because
    these packets can be received from remote hosts, this is a DoS risk. The fix is to
    only process the headers from the outermost MIME entity, which causes all internal
    entities to be parsed.

This release fixes the following bugs:

  • A missing state check was added to the finalize_redis hook in the Redis
    analyzer. This was needed for rare cases where that hook got called and the rest of the
    analyzer had never been invoked, leading to Zeek throwing an error because the state
    didn't exist yet.

  • A bug was fixed when attempting to append a vector to itself that would cause an
    infinite loop.

  • A minor update was added to the documentation to better describe what versions of
    docs we keep available on the website.

  • A memory leak was fixed that occurred when looping over tables while running Zeek with
    ZAM enabled.

  • The upgraded library used for paraglob in Zeek 8.1.0 exposed an issue with handling
    very large data sets. This was fixed via better initialization of the library when
    creating the paraglob objects.

  • Zeek now requires ZeroMQ 4.3.0 or later due to some missing API features in earlier
    versions.

v8.0.6

29 Jan 19:44

We would like to thank Siavash Tahmureszadeh for their contribution to this release.

This release fixes the following security issues:

  • Zeek's HTTP analyzer can be tricked into interpreting Transfer-Encoding or
    Content-Length headers set in MIME entities within HTTP bodies and change the
    analyzer behavior. This can be used to hide HTTP requests from analysis. Because
    these packets can be received from remote hosts, this is a DoS risk. The fix is to
    only process the headers from the outermost MIME entity, which causes all internal
    entities to be parsed.

This release fixes the following bugs:

  • A missing state check was added to the finalize_redis hook in the Redis
    analyzer. This was needed for rare cases where that hook got called and the rest of the
    analyzer had never been invoked, leading to Zeek throwing an error because the state
    didn't exist yet.

  • A bug was fixed when attempting to append a vector to itself that would cause an
    infinite loop.

  • A minor update was added to the documentation to better describe what versions of
    docs we keep available on the website.

  • A memory leak was fixed that occurred when looping over tables while running Zeek with
    ZAM enabled.

v8.0.5

29 Jan 19:43

We would like to thank clopmz, Mohan Dhawan (@Mohan-Dhawan), and Zach Robinette for their
contributions to this release.

This release fixes the following bugs:

  • ZeekJS was upgraded to v0.22.

  • The to_subnet() built-in function's parsing of IPv6 subnets was changed to align
    with how IPv6 subnet literals are parsed in Zeek scripts. Previously, any subnet
    containing the ::ffff:0:0/96 IPv4-mapped prefix would produce an IPv4 subnet, even
    if the provided prefix was shorter than the required 96 bits.

    Internally, the behavior of the IPPrefix::ConvertString() API was changed to
    accommodate this.

  • Zeek now reports a better error message when a table constructor is called without
    square brackets around the keys.

  • ssl.log will now correctly report certificate fingerprints when a protocol error is
    encountered after certificates are passed, but before the connection is
    logged. Previously, the log wouldn't contain the fingerprints.

  • An unbounded growth issue was fixed with Zeek's internal regex engine, which caused
    excessive memory usage when constructing large numbers of patterns.

  • An attribute error related to metrics ports reported by zeekctl when using standalone
    mode was fixed. The metrics_port entry is no longer automatically rendered for
    standalone mode if MetricsPort is set to zero in zeekctl.cfg.

  • Zeek now correctly handles blocks being used when defining Spicy units. Previously, it
    would report an error.

  • A potential crash around evaluating invalid expressions during Zeek initialization was
    fixed.

  • Zeek now properly accounts for originator and responder packets and byte counts when a
    connection flip happens on the second packet. Previously, one packet and its data
    payload were associated with the wrong endpoint.
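
The to_subnet() IPv6-mapped-prefix rule from the v8.0.5 notes above, worked as an added Python model (not Zeek's own implementation): a subnet inside ::ffff:0:0/96 collapses to an IPv4 subnet only when its prefix length is at least 96 bits, and the IPv4 prefix length is then prefixlen - 96.

```python
import ipaddress
from typing import Union

# Added illustration, not Zeek's code: a Python model of the corrected
# to_subnet() rule from the 8.0.5 notes. The IPv4-mapped range is
# ::ffff:0:0/96; only subnets that lie inside it *and* carry a prefix of at
# least 96 bits can be expressed as an IPv4 subnet.
IPV4_MAPPED = ipaddress.IPv6Network("::ffff:0:0/96")

Subnet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def to_subnet(text: str) -> Subnet:
    """Parse a subnet literal the way the fixed BIF does.

    An IPv4 literal is returned unchanged. An IPv6 literal is converted to
    IPv4 only when it is a sub-network of ::ffff:0:0/96 with prefixlen >= 96;
    the IPv4 prefix length is then prefixlen - 96. A shorter prefix such as
    ::ffff:0:0/64 covers far more than the mapped range, so it stays IPv6
    (the pre-8.0.5 behaviour wrongly produced an IPv4 subnet for it).
    """
    net = ipaddress.ip_network(text, strict=False)  # strict=False masks host bits
    if isinstance(net, ipaddress.IPv4Network):
        return net
    if net.prefixlen >= 96 and net.subnet_of(IPV4_MAPPED):
        v4 = net.network_address.ipv4_mapped  # low 32 bits as an IPv4Address
        return ipaddress.IPv4Network((v4, net.prefixlen - 96))
    return net


def describe(text: str) -> str:
    """Human-readable summary used for a quick self-check."""
    net = to_subnet(text)
    return f"{text:>24} -> IPv{net.version} {net}"


if __name__ == "__main__":
    for literal in ("::ffff:10.0.0.0/104", "::ffff:192.0.2.0/120",
                    "::ffff:0:0/96", "::ffff:0:0/64", "2001:db8::/32",
                    "192.0.2.0/24"):
        print(describe(literal))
```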

v8.1.0

15 Dec 19:17

We'd like to thank Andrew Raffman (@andyraf), @arm7mm, Artyom Kalabukhov (@predator89090),
Benjamin Grap (@blightzero), @biswajitutil, @cccs-jsjm, @chrisjlly, Craig P
(@multicast-bytes), @DigiAngel, Mike Dopheide (@dopheide-esnet), Edoardo Mich
(@edoardomich), @franky-m, Fupeng Zhao (@AmazingPP), Jan Grashöfer (@J-Gras), Klemens
Nanni (@klemens-ya), Klemens Nanni (@klemensn), @kshitiz56, Mark Overholser
(@markoverholser), Mohan Dhawan (@Mohan-Dhawan), Peter Cullen (@pbcullen), RyugaXhypeR
(@RyugaXhypeR), Seth Hall (@sethhall), Yacin Nadji (@ynadji), Zhang Liang (@JosenLiang),
Zach Robinette (@zrobinette12) and @zzzdong for their contributions to this release.

Breaking Changes

  • A standalone zeek invocation on the command line will now default to running a No-op
    Cluster backend (Cluster::CLUSTER_BACKEND_NONE). Previously this defaulted to Broker
    without having any real effect. For a multi-process / cluster deployment of Zeek, a
    cluster backend policy script needs to be loaded explicitly.

    Zeekctl has been updated to use the ZeroMQ cluster backend by default and should require
    no other action. If you encounter issues with ZeroMQ, it is possible to re-enable the
    Broker cluster backend by adding the following entry into zeekctl.cfg and running
    `zeekctl deploy`:

    ClusterBackend = Broker

    If you manage a non-Zeekctl Zeek setup, load
    policy/frameworks/cluster/backend/zeromq or
    policy/frameworks/cluster/backend/broker. If you forget to do so, Zeek will
    recognize that Cluster::node is set (e.g. the CLUSTER_NODE environment variable
    or Cluster::node=... is set) but no cluster backend was chosen and will terminate
    with a fatal error:

    fatal error in <...>/main.zeek, line 425: Cluster::node set to 'worker-1', but
    Cluster::backend is Cluster::CLUSTER_BACKEND_NONE - please select a cluster backend to
    use.

    If you used Zeekctl on a single physical system or virtual machine previously, this
    should all be transparent to you.

  • The Broker-specific &backend and &broker_store attributes will result in startup
    errors when a non-Broker cluster backend is selected. See the entry about their
    deprecation below for more details.

  • Python 3.10 is now required for Zeek and all of its associated subprojects.

  • The &optional script attribute will now error when applied to anything that's not a
    record field. Previously, this would have surprising behavior.

  • The BinPAC, Bifcl, and Gen-ZAM tools have all moved directly into the Zeek repo, which
    should ease maintenance on them a bit. They were moved from the auxil directory to
    the tools directory. Along with this, the --gen-zam argument for configure
    was removed and the internal version will always be used.

  • The zeek-af_packet-plugin git submodule was moved directly into the Zeek repo. This used
    to live in the auxil directory, after having moved there from an external plugin.
    It is now automatically built as part of the main Zeek build whenever building on Linux.

  • The global g_frame_stack C++ variable was removed. This variable was used to track
    the current stack of script-function frames, mostly for the built-in script debugger. We
    realized that we were also tracking this information in the global call_stack
    variable, used by the script profiler. These two have now been combined together into
    call_stack. Plugins using g_frame_stack will need to be adapted to use the other
    variable. We opted to not use a deprecation cycle for this due to the complication with
    managing the state across both variables.

  • The unique_id and unique_id_from BIFs now return 96-bit UIDs, which makes them
    consistent with other UIDs created by Zeek such as connection IDs. They were previously
    returning shorter 64-bit UIDs.

  • The metrics zeek_msgthread_pending_messages_in_buckets and
    zeek_msgthread_pending_messages_out_buckets had labels that did not conform with
    Prometheus' checks via promtool. The labels have been renamed from le to
    leq, given that they technically are less-than-or-equal values.

  • The iosource/Packet.h header no longer depends on libpcap being installed and no
    longer directly includes the pcap.h header. This may cause some knock-on effects in
    building plugins that were depending on this header and others that it included
    indirectly.

  • External plugins do not implicitly require OpenSSL and Broker anymore. Starting with
    Zeek 8.1, plugins that depend on these libraries are now required to explicitly call
    find_package(OpenSSL REQUIRED) and pass OPENSSL_LIBRARIES as dependencies to the
    zeek_add_plugin() call:

    find_package(OpenSSL REQUIRED)

    zeek_add_plugin(
        ...
        INCLUDE_DIRS
            ${OPENSSL_INCLUDE_DIR}
        DEPENDENCIES
            ${OPENSSL_LIBRARIES}
    )

  • We are revisiting removing support for MD5 hashing across the Zeek code base. In support
    of this, the following changes were made:

    • The host_key field in ssh.log was removed and replaced with a new
      host_key_fingerprint field. The old field held an MD5 hash of the host key. The
      new field holds a base64-encoded version of the hash of the host key, in the same
      format that the ssh-keygen -l command would return. It currently uses SHA256 for
      the hashing, so the output is of the format SHA256:<fingerprint>. A new
      policy/protocols/ssh/md5-host-key-logging.zeek script was added to restore the old
      field if desired.

    • The auth_ticket and new_ticket fields in krb.log were removed and replaced
      with new auth_ticket_sha256 and new_ticket_sha256 fields. The old fields held
      MD5 hashes of the tickets and the new fields hold SHA256 hashes of the same. A new
      policy/protocols/krb/md5-ticket-logging.zeek script was added to restore the old
      fields if desired.

    • A new mime_content_hash_sha256 event was added to send a SHA256 version of the
      content in MIME messages. This is similar to the existing mime_content_hash event
      that sends MD5 versions.

    • The MD5 IP anonymizers (RANDOM_MD5 and PREFIX_PRESERVING_MD5) have been
      deprecated in favor of new SHA256 anonymizers.

    • The md5_hmac BIF has been deprecated in favor of a new sha256_hmac BIF.
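
The ssh.log host_key_fingerprint format from the MD5-removal item above, worked as an added Python example (not Zeek's own code): SHA256:<fingerprint> is the unpadded base64 of the SHA-256 digest of the raw host key blob, as ssh-keygen -l prints it. The ed25519 key blob is constructed here, and the colon-hex MD5 layout is the ssh-keygen -E md5 form, assumed as a stand-in for the removed field.

```python
import base64
import hashlib
import struct

# Added example, not Zeek's code. The SHA256 form mirrors what ssh-keygen -l
# prints and what the new ssh.log host_key_fingerprint field carries; the MD5
# helper uses the ssh-keygen -E md5 colon-hex layout (an assumption here, the
# notes only say the old field held an MD5 hash).


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


# Constructed host key blob: the base64-decoded part of an ssh-ed25519
# public key line, i.e. string("ssh-ed25519") + string(32-byte public key).
SAMPLE_KEY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))


def fingerprint_sha256(key_blob: bytes) -> str:
    """SHA256:<fingerprint>, base64 without '=' padding (43 chars for 32 bytes)."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_md5(key_blob: bytes) -> str:
    """Legacy MD5 fingerprint as colon-separated hex bytes."""
    hexdigest = hashlib.md5(key_blob).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def parse_fingerprint(value: str) -> tuple:
    """Recover (algorithm, raw digest) from either logged form, restoring the
    base64 padding that the SHA256 form strips."""
    algo, _, body = value.partition(":")
    if algo == "SHA256":
        return algo, base64.b64decode(body + "=" * (-len(body) % 4))
    if algo == "MD5":
        return algo, bytes.fromhex(body.replace(":", ""))
    raise ValueError(f"unknown fingerprint algorithm: {algo!r}")


def matches(logged: str, key_blob: bytes) -> bool:
    """Check a fingerprint taken from ssh.log against a known host key blob,
    using whichever hash the logged value names."""
    algo, digest = parse_fingerprint(logged)
    fn = hashlib.sha256 if algo == "SHA256" else hashlib.md5
    return fn(key_blob).digest() == digest


if __name__ == "__main__":
    print(fingerprint_sha256(SAMPLE_KEY_BLOB))
    print(fingerprint_md5(SAMPLE_KEY_BLOB))
```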

New Functionality

  • After recently-merged fixes to the node formula for Homebrew, JavaScript support via
    ZeekJS can now be built on macOS using that installation of Node.

  • A new TapAnalyzer class was added that allows tapping into all packets delivered to
    child analyzers attached to session adapters.

  • Two new hooks, Cluster::on_subscribe() and Cluster::on_unsubscribe(), have been
    added to allow observing Subscribe() and Unsubscribe() calls on backends from Zeek
    scripts.

  • The ability to control the length of strings and containers in log output was added. The
    maximum length of individual log fields can be set, as well as the total length of all
    string or container fields in a single log record. This feature is controlled via four
    new script-level variables:

    Log::default_max_field_string_bytes
    Log::default_max_total_string_bytes
    Log::default_max_field_container_elements
    Log::default_max_total_container_elements

    When one of the field limits is reached, the individual field is truncated. When one
    of the total limits is reached, all further strings will be returned as empty and all
    further container elements will not be output. See the documentation for those variables
    for more detail.

    The above variables control the truncation globally, but they can also be set for log
    streams individually. This is controlled by variables with the same names that can be
    set when the log stream is created.

    Two new weirds were added to report the truncation: log_string_field_truncated and
    log_container_field_truncated. New metrics were added to track how many truncations
    have occurred: zeek_log_writer_truncated_string_fields_total and
    zeek_log_writer_truncated_containers_total. The metrics are reported for each log
    stream.

  • There exists a new configuration file <PREFIX>/etc/zeek/zeek.conf and a small
    executable called zeek-systemd-generator that acts as a systemd unit file
    generator. These two pieces allow for quickly running an opinionated single node cluster
    deployment using systemd. See the tools/systemd-generator/README.md and
    tools/systemd-generator/etc/zeek/zeek.conf files for more information.

    If you've previously built Zeek process management by hand or with tools like
    supervisord, runit, s6, etc on Linux, this might be a viable option to explore.

    This is all Linux specific right now. However, the zeek.conf file is OS-agnostic to
    keep options open for re-using it elsewhere.

  • The DNS analyzer now returns the set of parameters for SVCB data. It previously handled
    SVCB packets, but omitted the parameters while parsing.

  • The QUIC analyzer now raises a QUIC::discarded_packet event when a packet with
    fixed_bit set to 0 is encountered. Such an occurrence is included in the QUIC
    history as X. This functionality can be controlled with
    QUIC::max_discarded_packet_events. Setting this variable to -1 disables the
    QUIC::discarded_packet event.

  • Added SHA224, SHA384, and SHA512 calculation BiFs: sha224_hash, sha224_hash_init,
    sha224_hash_update, sha224_hash_finish; sha384_hash, sha384_hash_init,
    sha384_hash_update, sha384_hash_finish; sha512_hash, sha512_hash_init,
    sha512_hash_update, and sha512_hash_finish.

  • Added SHA224, SHA384 and SHA512 file hash analyzers. The analyz...

v8.0.4

05 Nov 18:19

We would like to thank Edoardo Mich (@edoardomich) and Peter Cullen (@pbcullen) for their
contributions to this release.

This release fixes the following bugs:

  • Reverts an inadvertent change to Zeekctl's pysubnettree submodule that was causing
    Zeekctl to require Python 3.10. A new version of Zeekctl is now included with more
    targeted fixes that don't include that requirement.

  • The Docker container image now contains the websockets python package as well as the
    existing websocket package. This fixes a warning from Zeekctl when using the
    UseWebSocket option.

  • A potential crash involving deleting items from tables with the &ordered
    attribute was fixed.

  • zeek-client was updated to the newly-released v1.5.0.

v8.0.3

15 Oct 18:04

We would like to thank Zeek Slack user James_inthe_box for their contribution to this
release.

This release fixes the following bugs:

  • zeekctl stats should no longer report a Python error.

  • The management framework controller configuration has a new tls_options_websocket
    variable for setting TLS options for the controller's Websocket server.

  • Fixed Broker errors being visible/sent to WebSocket clients unrelated to their own
    connection.

v8.0.2

13 Oct 16:21

We would like to thank Jeff McJunkin (@jeffmcjunkin) and Peter Cullen (@pbcullen) for
their contributions to this release.

This release fixes the following security issue:

  • The KRB analyzer can leak information about hosts in analyzed traffic via external DNS
    lookups. This only happens if the script-level variable KRB::keytab is set to point
    at a valid Kerberos keytab file. We're opting to fix the analyzer so it can't happen at
    all. The fix is to use a different method from libkrb5 that reuses known host
    information from the packets instead of re-requesting the same information externally.

This release fixes the following bugs:

  • The get_current_packet_header() BIF now populates the returned record also for
    fragmented IP datagrams.

  • The decompose_uri() script function now correctly handles URIs containing IPv6
    addresses.

  • The QUIC parser now discards packets with the fixed_bit field set to 0, rather than
    continuing to parse and potentially running into analyzer violations.

v7.0.11

13 Oct 16:19

We would like to thank Jeff McJunkin (@jeffmcjunkin) and Peter Cullen (@pbcullen) for
their contributions to this release.

This release fixes the following security issue:

  • The KRB analyzer can leak information about hosts in analyzed traffic via external DNS
    lookups. This only happens if the script-level variable KRB::keytab is set to point
    at a valid Kerberos keytab file. We're opting to fix the analyzer so it can't happen at
    all. The fix is to use a different method from libkrb5 that reuses known host
    information from the packets instead of re-requesting the same information externally.

This release fixes the following bugs:

  • The get_current_packet_header() BIF now populates the returned record also for
    fragmented IP datagrams.

  • The decompose_uri() script function now correctly handles URIs containing IPv6
    addresses.

v8.0.1

26 Aug 18:45

We would like to thank Fupeng Zhao (@AmazingPP), Mike Dopheide (@dopheide-esnet), and
@DigiAngel for their contributions to this release.

  • The official Zeek docker images are now based on Debian 13.0 (trixie).

  • Cluster data passed via websockets was previously double-wrapping Broker data records,
    leading to decoding issues. This is now resolved.

  • Cluster events will no longer pass empty arrays for metadata if there was no metadata
    for the event.

  • The PostgreSQL analyzer now only reports login success after a ReadyForQuery message
    is received.

  • Zeekctl added a new MetricsAddr address to override the address that the telemetry
    uses to communicate to Prometheus. It defaults to 0.0.0.0 and the documentation
    describes how to override it.

  • Zeekctl added documentation for the MetricsPort option used to control what ports
    the telemetry framework listens on to communicate with Prometheus. It describes how
    the range is chosen, as well as how to override it.

  • The deprecation warning for zeek::Event should now be clearer about what action
    plugin authors need to take.

v7.0.10

26 Aug 18:43

We would like to thank Artyom Kalabukhov (@predator89090) for their contribution to this
release.

  • The SMB parser now correctly parses the data_offset field. It previously tried
    to parse it as 16 bits, when the field is only 8 bits in the spec.