[Git][security-tracker-team/security-tracker][master] Reserve DLA-2547-1 for wireshark

Adrian Bunk bunk at debian.org
Sat Feb 6 20:23:55 GMT 2021



Adrian Bunk pushed to branch master at Debian Security Tracker / security-tracker


Commits:
210dd08a by Adrian Bunk at 2021-02-06T22:23:32+02:00
Reserve DLA-2547-1 for wireshark

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -25702,7 +25702,7 @@ CVE-2020-28031 (eramba through c2.8.1 allows HTTP Host header injection with (fo
 CVE-2020-28030 (In Wireshark 3.2.0 to 3.2.7, the GQUIC dissector could crash. This was ...)
 	- wireshark 3.2.8-0.1 (bug #974689)
 	[buster] - wireshark 2.6.20-0+deb10u1
-	[stretch] - wireshark <postponed> (Minor issue, Can be fixed in next DLA by backporting patch together with earlier fix for invalid parameter)
+	[stretch] - wireshark 2.6.20-0+deb9u1
 	NOTE: https://gitlab.com/wireshark/wireshark/-/commit/b287e7165e8aa89cde6ae37e7c257c5d87d16b9b
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/16887
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2020-15.html
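Review bot: the removed <postponed> reason for CVE-2020-28030 said the GQUIC fix had to be backported together with an earlier fix for an invalid parameter, but the new line only records the version 2.6.20-0+deb9u1. Please double-check that the deb9u1 changelog and patch set include that earlier fix as well; otherwise the tracker will show the CVE as fixed while the patch it depends on is missing.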
@@ -29740,7 +29740,7 @@ CVE-2020-26576
 CVE-2020-26575 (In Wireshark through 3.2.7, the Facebook Zero Protocol (aka FBZERO) di ...)
 	- wireshark 3.2.8-0.1 (bug #974688)
 	[buster] - wireshark 2.6.20-0+deb10u1
-	[stretch] - wireshark <postponed> (Minor issue, can be fixed in next DLA by backporting patch)
+	[stretch] - wireshark 2.6.20-0+deb9u1
 	NOTE: https://gitlab.com/wireshark/wireshark/-/commit/3ff940652962c099b73ae3233322b8697b0d10ab
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/16887
 	NOTE: https://gitlab.com/wireshark/wireshark/-/merge_requests/467
@@ -30119,7 +30119,7 @@ CVE-2020-26422 (Buffer overflow in QUIC dissector in Wireshark 3.4.0 to 3.4.1 al
 CVE-2020-26421 (Crash in USB HID protocol dissector and possibly other dissectors in W ...)
 	- wireshark 3.4.1-1
 	[buster] - wireshark 2.6.20-0+deb10u1
-	[stretch] - wireshark <postponed> (Minor issue, can be fixed in next DLA by backporting patch)
+	[stretch] - wireshark 2.6.20-0+deb9u1
 	NOTE: https://gitlab.com/wireshark/wireshark/-/commit/d5f2657825e63e4126ebd7d13a59f3c6e8a9e4e1
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/16958
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2020-17.html
@@ -30140,7 +30140,7 @@ CVE-2020-26419 (Memory leak in the dissection engine in Wireshark 3.4.0 allows d
 CVE-2020-26418 (Memory leak in Kafka protocol dissector in Wireshark 3.4.0 and 3.2.0 t ...)
 	- wireshark 3.4.1-1
 	[buster] - wireshark 2.6.20-0+deb10u1
-	[stretch] - wireshark <postponed> (Minor issue, code was reshuffled when support for more recent Kafka versions was added but backporting is trivial)
+	[stretch] - wireshark 2.6.20-0+deb9u1
 	NOTE: https://gitlab.com/wireshark/wireshark/-/commit/f4374967bbf9c12746b8ec3cd54dddada9dd353e
 	NOTE: https://gitlab.com/wireshark/wireshark/-/commit/c7e6b798255e9d78d88abb84b951ca7815e0f880
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/16739
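Review bot: two upstream commits are referenced in the NOTE lines for CVE-2020-26418, and the removed note warned that the Kafka dissector code was reshuffled upstream before the fix. Since marking the stretch entry fixed drops that reminder, confirm that both commits (not only the first) were backported into 2.6.20-0+deb9u1.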
@@ -31398,13 +31398,13 @@ CVE-2020-25864
 CVE-2020-25863 (In Wireshark 3.2.0 to 3.2.6, 3.0.0 to 3.0.13, and 2.6.0 to 2.6.20, the ...)
 	- wireshark 3.2.7-1
 	[buster] - wireshark 2.6.20-0+deb10u1
-	[stretch] - wireshark <postponed> (Minor issue, can be fixed along in next DLA)
+	[stretch] - wireshark 2.6.20-0+deb9u1
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2020-11.html
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/16741
 CVE-2020-25862 (In Wireshark 3.2.0 to 3.2.6, 3.0.0 to 3.0.13, and 2.6.0 to 2.6.20, the ...)
 	- wireshark 3.2.7-1
 	[buster] - wireshark 2.6.20-0+deb10u1
-	[stretch] - wireshark <postponed> (Minor issue, can be fixed along in next DLA)
+	[stretch] - wireshark 2.6.20-0+deb9u1
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2020-12.html
 	NOTE: https://gitlab.com/wireshark/wireshark/-/issues/16816
 CVE-2020-25861
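Review bot: CVE-2020-25863 and CVE-2020-25862 both list 2.6.0 to 2.6.20 as affected, so the fix in 2.6.20-0+deb9u1 comes from a Debian patch applied on top of an affected upstream release rather than from the upstream version bump. Make sure the package changelog names both CVEs explicitly so that the version the tracker compares against and the DLA text agree.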
@@ -53703,7 +53703,7 @@ CVE-2020-15467 (The administrative interface of Cohesive Networks vns3:vpn appli
 CVE-2020-15466 (In Wireshark 3.2.0 to 3.2.4, the GVCP dissector could go into an infin ...)
 	- wireshark 3.2.5-1 (low)
 	[buster] - wireshark 2.6.20-0+deb10u1
-	[stretch] - wireshark <postponed> (Can be fixed along in next DSA/update to 3.0)
+	[stretch] - wireshark 2.6.20-0+deb9u1
 	NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16029
 	NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=11f40896b696e4e8c7f8b2ad96028404a83a51a4
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2020-09.html
@@ -59989,7 +59989,7 @@ CVE-2020-13165
 CVE-2020-13164 (In Wireshark 3.2.0 to 3.2.3, 3.0.0 to 3.0.10, and 2.6.0 to 2.6.16, the ...)
 	- wireshark 3.2.4-1 (low)
 	[buster] - wireshark 2.6.20-0+deb10u1
-	[stretch] - wireshark <postponed> (Can be fixed along in next DSA/update to 3.0)
+	[stretch] - wireshark 2.6.20-0+deb9u1
 	[jessie] - wireshark <postponed> (Can be fixed along with other CVEs)
 	NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16476
 	NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=e6e98eab8e5e0bbc982cfdc808f2469d7cab6c5a
@@ -64874,7 +64874,7 @@ CVE-2020-11648
 CVE-2020-11647 (In Wireshark 3.2.0 to 3.2.2, 3.0.0 to 3.0.9, and 2.6.0 to 2.6.15, the  ...)
 	- wireshark 3.2.3-1 (low; bug #958213)
 	[buster] - wireshark 2.6.20-0+deb10u1
-	[stretch] - wireshark <postponed> (Can be fixed along in next DSA/update to 3.0)
+	[stretch] - wireshark 2.6.20-0+deb9u1
 	[jessie] - wireshark <postponed> (Minor, can be fixed along in a future update)
 	NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16474
 	NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=6f56fc9496db158218243ea87e3660c874a0bab0
@@ -71119,7 +71119,7 @@ CVE-2020-9419
 CVE-2020-9431 (In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14, the  ...)
 	- wireshark 3.2.2-1
 	[buster] - wireshark 2.6.20-0+deb10u1
-	[stretch] - wireshark <postponed> (Can be fixed along in next DSA/update to 3.0)
+	[stretch] - wireshark 2.6.20-0+deb9u1
 	[jessie] - wireshark <not-affected> (composite TVB handling added later)
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2020-03.html
 	NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16341
@@ -71127,7 +71127,7 @@ CVE-2020-9431 (In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14,
 CVE-2020-9430 (In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14, the  ...)
 	- wireshark 3.2.2-1
 	[buster] - wireshark 2.6.20-0+deb10u1
-	[stretch] - wireshark <postponed> (Can be fixed along in next DSA/update to 3.0)
+	[stretch] - wireshark 2.6.20-0+deb9u1
 	[jessie] - wireshark <not-affected> (Vulnerable code not present)
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2020-04.html
 	NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16368
@@ -71137,7 +71137,7 @@ CVE-2020-9430 (In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14,
 CVE-2020-9428 (In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14, the  ...)
 	- wireshark 3.2.2-1 (low)
 	[buster] - wireshark 2.6.20-0+deb10u1
-	[stretch] - wireshark <postponed> (Can be fixed along in next DSA/update to 3.0)
+	[stretch] - wireshark 2.6.20-0+deb9u1
 	[jessie] - wireshark <not-affected> (Vulnerable code not present)
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2020-05.html
 	NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16397
@@ -77067,7 +77067,7 @@ CVE-2020-7046 (lib-smtp in submission-login and lmtp in Dovecot 2.3.9 before 2.3
 CVE-2020-7045 (In Wireshark 3.0.x before 3.0.8, the BT ATT dissector could crash. Thi ...)
 	- wireshark 3.2.0-1
 	[buster] - wireshark 2.6.20-0+deb10u1
-	[stretch] - wireshark <postponed> (Can be fixed along in next DSA/update to 3.0)
+	[stretch] - wireshark 2.6.20-0+deb9u1
 	[jessie] - wireshark <not-affected> (Doesn't support request-respone tracking in affected code passage, yet)
 	NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16258
 	NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=01f261de41f4dd3233ef578e5c0ffb9c25c7d14d
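Review bot: the CVE-2020-7045 description only names Wireshark 3.0.x before 3.0.8 as affected, and the jessie entry says the affected request-response tracking code is absent there. If the 2.6 branch was verified to contain that code, the new stretch line is correct; if not, <not-affected> would be the accurate marking rather than a fixed version, as with the other 3.x-only CVEs. Minor: the jessie context line carries a typo, "request-respone", that could be fixed in a follow-up.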
@@ -90773,7 +90773,7 @@ CVE-2019-19554
 CVE-2019-19553 (In Wireshark 3.0.0 to 3.0.6 and 2.6.0 to 2.6.12, the CMS dissector cou ...)
 	- wireshark 3.0.7-1 (low)
 	[buster] - wireshark 2.6.20-0+deb10u1
-	[stretch] - wireshark <postponed> (Can be fixed along in next 2.6.x DSA)
+	[stretch] - wireshark 2.6.20-0+deb9u1
 	[jessie] - wireshark <postponed> (Can be fixed along in next 1.12.x DLA)
 	NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15961
 	NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=34d2e0d5318d0a7e9889498c721639e5cbf4ce45
@@ -103832,7 +103832,7 @@ CVE-2010-5333 (The web server in Integard Pro and Home before 2.0.0.9037 and 2.2
 CVE-2019-16319 (In Wireshark 3.0.0 to 3.0.3 and 2.6.0 to 2.6.10, the Gryphon dissector ...)
 	- wireshark 3.0.4-1 (low)
 	[buster] - wireshark 2.6.20-0+deb10u1
-	[stretch] - wireshark <postponed> (Can be fixed along in next 2.6.x DSA)
+	[stretch] - wireshark 2.6.20-0+deb9u1
 	[jessie] - wireshark <not-affected> (Vulnerable code not present)
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2019-21.html
 	NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16020
@@ -112654,7 +112654,7 @@ CVE-2019-13620
 CVE-2019-13619 (In Wireshark 3.0.0 to 3.0.2, 2.6.0 to 2.6.9, and 2.4.0 to 2.4.15, the  ...)
 	- wireshark 2.6.10-1 (low)
 	[buster] - wireshark 2.6.20-0+deb10u1
-	[stretch] - wireshark <postponed> (Can be fixed along in next 2.6.x release)
+	[stretch] - wireshark 2.6.20-0+deb9u1
 	[jessie] - wireshark <not-affected> (vulnerable code not present, binary encoding not yet supported)
 	NOTE: https://www.wireshark.org/security/wnpa-sec-2019-20.html
 	NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15870


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[06 Feb 2021] DLA-2547-1 wireshark - security update
+	{CVE-2019-12295 CVE-2019-13619 CVE-2019-16319 CVE-2019-19553 CVE-2020-7045 CVE-2020-9428 CVE-2020-9430 CVE-2020-9431 CVE-2020-11647 CVE-2020-13164 CVE-2020-15466 CVE-2020-25862 CVE-2020-25863 CVE-2020-26418 CVE-2020-26421 CVE-2020-26575 CVE-2020-28030}
+	[stretch] - wireshark 2.6.20-0+deb9u1
 [06 Feb 2021] DLA-2546-1 intel-microcode - security update
 	{CVE-2020-8695 CVE-2020-8696 CVE-2020-8698}
 	[stretch] - intel-microcode 3.20201118.1~deb9u1
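Review bot: the CVE set of DLA-2547-1 includes CVE-2019-12295, but this commit touches no data/CVE/list entry for that id. Please verify that its stretch line already reads 2.6.20-0+deb9u1 (or is otherwise resolved); the DLA list and the CVE list are cross-checked, and a CVE listed in the DLA without a matching fixed version in data/CVE/list will show up as an inconsistency.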


=====================================
data/dla-needed.txt
=====================================
@@ -108,23 +108,6 @@ spotweb
   NOTE: 20210122: Upstream fix trivially bypassed, reported under CVE-2021-3286
   NOTE: 20210127: Upstream says "we can fix this but it may take some time", revisit later (Beuc)
 --
-wireshark (Adrian Bunk)
-  NOTE: 20201007: during last triage, I marked some CVEs as no-dsa, it'd be great to include
-  NOTE: 20201007: those fixes as well! \o/ (utkarsh)
-  NOTE: 20201108: 2.6.8-1.1 backported as first step
-  NOTE: 20201108: will try to update wireshark in the next
-  NOTE: 20201108: buster point release followed by another backport (bunk)
-  NOTE: 20201123: NMU for unstable prepared as first step (bunk)
-  NOTE: 20201129: buster-pu in #975932, will backport to stretch when in buster (bunk)
-  NOTE: 20201130: As seen int he bug above the plan is to first update buster and then backport to stretch.
-  NOTE: 20201130: This will fix several CVEs but not all. To fix all an backport of 3.4.2 is needed. (ola)
-  NOTE: 20201230: https://www.wireshark.org/security/ gives good overview of what will be fixed in each upstream version, unfortunately not with the CVE reference (ola)
-  NOTE: 20201231: These 4 new CVEs:
-  NOTE: 20201231: 2 CVEs marked as not-affected since vulnerabilities
-  NOTE: 20201231: were introduced in 3.2.0 resp. 3.4.0
-  NOTE: 20201231: 2 CVEs are trivial to backport, will update #975932 (bunk)
-  NOTE: 20210201: Will be release on 6.2.2021 after the buster point release (bunk)
---
 xcftools
   NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for upstream review (hle)
   NOTE: 20200414: Flurry of activity on/around 20200401 essentially rejecting original patch
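Review bot: the removed notes state that updating stretch to 2.6.20 fixes several wireshark CVEs but not all, with a backport of 3.4.2 needed for the rest. Dropping the whole entry from dla-needed.txt leaves no reminder for the outstanding CVEs; either keep a trimmed entry listing what remains, or make sure each remaining CVE carries an explicit stretch marking (<no-dsa> or <postponed> with a reason) in data/CVE/list so they do not fall off the radar.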



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/210dd08ae860db7aeafe1eea563e9ab11642f539
