[Git][security-tracker-team/security-tracker][master] Updates on new wireshark CVEs

Adrian Bunk bunk at debian.org
Thu Dec 31 08:48:44 GMT 2020



Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a26fe206 by Adrian Bunk at 2020-12-31T10:47:02+02:00
Updates on new wireshark CVEs

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -17131,25 +17131,24 @@ CVE-2020-26421 (Crash in USB HID protocol dissector and possibly other dissector
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2020-17.html
 CVE-2020-26420 (Memory leak in RTPS protocol dissector in Wireshark 3.4.0 and 3.2.0 to ...)
 	- wireshark 3.4.1-1
-	[buster] - wireshark <postponed> (Minor issue, can be fixed along in next DSA)
-	[stretch] - wireshark <postponed> (Minor issue, can be by backporting patch, part of the problem do not exist in 2.6.8)
+	[buster] - wireshark <not-affected> (Vulnerable code was introduced in 3.2.0)
+	[stretch] - wireshark <not-affected> (Vulnerable code was introduced in 3.2.0)
 	NOTE: https://gitlab.com/wireshark/wireshark/-/commit/33e63d19e5496c151bad69f65cdbc7cba2b4c211
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/16994
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2020-18.html
 CVE-2020-26419 (Memory leak in the dissection engine in Wireshark 3.4.0 allows denial  ...)
 	- wireshark 3.4.1-1
-	[buster] - wireshark <postponed> (Minor issue, can be fixed along in next DSA)
-	[stretch] - wireshark <postponed> (Minor issue, not even clear whether the vulnerability is there)
-	NOTE: The case that is corrected does not exist in 2.6.8. Maybe the vulnerability can be
-	NOTE: caused by something else.
+	[buster] - wireshark <not-affected> (Vulnerable code was introduced in 3.4.0)
+	[stretch] - wireshark <not-affected> (Vulnerable code was introduced in 3.4.0)
 	NOTE: https://gitlab.com/wireshark/wireshark/-/commit/a9fc769d7bb4b491efb61c699d57c9f35269d871
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/17032
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2020-19.html
 CVE-2020-26418 (Memory leak in Kafka protocol dissector in Wireshark 3.4.0 and 3.2.0 t ...)
 	- wireshark 3.4.1-1
 	[buster] - wireshark <postponed> (Minor issue, can be fixed along in next DSA)
-	[stretch] - wireshark <postponed> (Minor issue, fixing this requires a lot of other fixes)
+	[stretch] - wireshark <postponed> (Minor issue, code was reshuffled when support for more recent Kafka versions was added but backporting is trivial)
 	NOTE: https://gitlab.com/wireshark/wireshark/-/commit/f4374967bbf9c12746b8ec3cd54dddada9dd353e
+	NOTE: https://gitlab.com/wireshark/wireshark/-/commit/c7e6b798255e9d78d88abb84b951ca7815e0f880
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/16739
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2020-16.html
 CVE-2020-26417 (Information disclosure via GraphQL in GitLab CE/EE 13.1 and later expo ...)
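Review bot: the `<not-affected>` rationale on the `[buster]`/`[stretch]` lines for CVE-2020-26420 and CVE-2020-26419 names only the version that introduced the vulnerable code, while the NOTE links still point at the fixing commit and the issue; given that the dropped note for CVE-2020-26419 said it was "not even clear whether the vulnerability is there", a pointer to the commit that introduced the code (or one line naming the dissector path that is absent in 2.6.x) would let the next triager verify the not-affected claim instead of re-deriving it. Separately, the second commit link added under CVE-2020-26418 (`c7e6b798...`) carries no explanation; since the updated stretch note says the code was reshuffled when newer Kafka support was added, state on that NOTE line whether this is a second part of the fix or the refactoring the backport has to account for, so the two commits are not mistaken for one another.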


=====================================
data/dla-needed.txt
=====================================
@@ -184,6 +184,10 @@ wireshark
   NOTE: 20201130: This will fix several CVEs but not all. To fix all an backport of 3.4.2 is needed. (ola)
   NOTE: 20201230: https://www.wireshark.org/security/ gives good overview of what will be fixed in each upstream version, unfortunately not with the CVE reference (ola)
   NOTE: 20201230: Note that all issues are postponed so there is no immediate need of a DLA. Should this entry be removed? (ola)
+  NOTE: 20201231: These 4 new CVEs:
+  NOTE: 20201231: 2 CVEs marked as not-affected since vulnerabilities
+  NOTE: 20201231: were introduced in 3.2.0 resp. 3.4.0
+  NOTE: 20201231: 2 CVEs are trivial to backport, will update #975932 (bunk)
 --
 xcftools
   NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for upstream review (hle)
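Review bot: the four new 20201231 NOTE lines do not name the CVE ids they summarise; "2 CVEs marked as not-affected" and "2 CVEs are trivial to backport" cannot be matched against data/CVE/list without repeating the triage, and the preceding 20201230 note ("all issues are postponed so there is no immediate need of a DLA") is now out of date for the two backportable ones. Suggest listing the ids explicitly, e.g. `NOTE: 20201231: CVE-2020-26420 and CVE-2020-26419 not-affected, code introduced in 3.2.0 and 3.4.0 respectively`, and naming the two backportable ones next to the `#975932` reference so the bug can be cross-referenced from the list entries. Minor style point: "resp." is an abbreviation readers may not recognise; "respectively" or simply "and" is clearer.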



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a26fe206028ec7a20b21a4871c37c5a7325ba059
