OSSEC 4.0.0 - OSSEC

OSSEC 4.0.0

Release Maintainers

Contributors on this release

  • @atomicturtle

Release Notes

Major security and stability release addressing critical memory safety issues and modernizing cryptographic implementations. This release includes fixes for multiple heap use-after-free (UAF) vulnerabilities, uncontrolled recursion in XML parsing, and implementation of secure random number generation for agent key creation. Additionally, file integrity monitoring has been modernized with SHA-256 support, and several external dependencies have been updated to their latest stable versions.

⚠️ Breaking Changes

Warning: AES Encryption Now Default for Agent Communication

OSSEC 4.0.0 agents now use AES encryption by default for agent-server communication. This is NOT backwards compatible with OSSEC 3.8.0 and older servers.

Migration Options:

  1. Upgrade servers first (recommended): Update all OSSEC servers to 4.0.0 before upgrading agents.
  2. Use legacy Blowfish encryption on 4.0.0 agents: Add the following to your agent’s ossec.conf:
    <client>
      <crypto_method>blowfish</crypto_method>
    </client>

Configuration Changes

  • SHA-256 File Integrity Monitoring: SHA-256 is now enabled by default for all monitored directories. No configuration changes are required for new installs.
  • To disable SHA-256 (if needed for compatibility):
    <syscheck>
      <directories check_sha256sum="no">/etc</directories>
    </syscheck>
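
The following is an added example, not part of the OSSEC project or its release notes: a Python audit of an agent's ossec.conf that flags the two compatibility settings described above, the legacy blowfish crypto_method and directories with check_sha256sum="no". The sample configuration is constructed, and the function names, the synthetic wrapper element and the choice to report the last crypto_method found are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample agent configuration (not taken from a real host).
SAMPLE_CONF = """
<ossec_config>
  <client>
    <server-ip>192.0.2.10</server-ip>
    <crypto_method>blowfish</crypto_method>
  </client>
</ossec_config>
<ossec_config>
  <syscheck>
    <directories check_all="yes">/usr/bin,/usr/sbin</directories>
    <directories check_all="yes" check_sha256sum="no">/etc</directories>
  </syscheck>
</ossec_config>
"""


def audit_ossec_conf(text):
    """Return the 4.0.0 compatibility settings found in an agent ossec.conf."""
    # Wrap in a synthetic root so a file with several <ossec_config> blocks
    # still parses as a single XML document (assumption of this example).
    root = ET.fromstring("<audit_root>" + text + "</audit_root>")
    findings = {"crypto_method": "aes (default)", "sha256_disabled": []}
    for client in root.iter("client"):
        node = client.find("crypto_method")
        value = (node.text or "").strip().lower() if node is not None else ""
        if value:
            # Assumption: the last value seen is the one reported.
            findings["crypto_method"] = value
    for node in root.iter("directories"):
        if node.get("check_sha256sum", "").strip().lower() == "no":
            paths = [p.strip() for p in (node.text or "").split(",")]
            findings["sha256_disabled"].extend(p for p in paths if p)
    return findings


def report(findings):
    """Turn findings into human-readable lines for a migration checklist."""
    lines = []
    if findings["crypto_method"] == "blowfish":
        lines.append("legacy Blowfish transport enabled; remove once servers run 4.0.0")
    for path in findings["sha256_disabled"]:
        lines.append("SHA-256 FIM disabled for " + path)
    return lines


if __name__ == "__main__":
    print("\n".join(report(audit_ossec_conf(SAMPLE_CONF))))
```

Running it across agent configurations after the server upgrade shows which hosts still carry the Blowfish fallback or have SHA-256 checks switched off.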

🔒 Security Fixes

  • Critical Memory Safety: Fix critical UAF bug in memory leak fix (Issue #1818) – PR 2178
  • Heap UAF: Fix Issue #1817: Heap UAF in OSSEC Alert decoder with leak-free Eventinfo refactor – PR 2177
  • Recursion Fix: Fix uncontrolled recursion in os_xml _ReadElem (Issue #1953) – PR 2175
  • Secure RNG: Implement secure RNG for agent key generation using OpenSSL RAND_bytes – PR 2167

General Fixes & Improvements

  • FIM Modernization: SHA-256 integration and safe buffer handling – PR 2166
  • Lua Update: Update Lua to version 5.4.7 – PR 2165
  • zlib Update: Update zlib to version 1.3.1 – PR 2164
  • cJSON Update: Update cJSON to version 1.7.18 – PR 2163
  • Windows Builds: Build fixes for Windows – PR 2162
  • Packaging: Add RPM spec file – PR 2147
  • Agent Auth: Handle SSL EOF condition in agent-auth – PR 2146
  • Performance: Ignore ENOENT in OS_RemoveCounter to prevent benign error messages – PR 2171
  • Stability: Improve logcollector crash fix to check read function pointer (Issue #2156) – PR 2168
  • Testing: Improve error message in ossec-testrule for missing rule matches (Issue #2093) – PR 2170
  • CLI: Fix help/version argument exit codes – PR 2174
  • Bugfix: Fix for Issue #2056 in syscheck decoder – PR 2173
  • Code Quality: Clean up redundant NULL checks in report filter function (Issue #2133) – PR 2169
