diff options
author | Adrian Bunk <bunk@debian.org> | 2021-02-06 22:10:08 +0200 |
---|---|---|
committer | Adrian Bunk <bunk@debian.org> | 2021-02-06 22:23:32 +0200 |
commit | f66b14926ae3a57473b1802480bb9be3e5f90015 (patch) | |
tree | 8241a825af71157a3b5a072b1fd006e0dd6e433b /data | |
parent | 7ce05b4c8b4d3768e7e94756eb82c1a50feffe49 (diff) |
Reserve DLA-2547-1 for wireshark
Diffstat (limited to 'data')
-rw-r--r-- | data/CVE/2019.list | 6 | ||||
-rw-r--r-- | data/CVE/2020.list | 26 | ||||
-rw-r--r-- | data/DLA/list | 3 | ||||
-rw-r--r-- | data/dla-needed.txt | 17 |
4 files changed, 19 insertions, 33 deletions
diff --git a/data/CVE/2019.list b/data/CVE/2019.list index e811896ddb..4591951e6c 100644 --- a/data/CVE/2019.list +++ b/data/CVE/2019.list @@ -3689,7 +3689,7 @@ CVE-2019-19554 CVE-2019-19553 (In Wireshark 3.0.0 to 3.0.6 and 2.6.0 to 2.6.12, the CMS dissector cou ...) - wireshark 3.0.7-1 (low) [buster] - wireshark 2.6.20-0+deb10u1 - [stretch] - wireshark <postponed> (Can be fixed along in next 2.6.x DSA) + [stretch] - wireshark 2.6.20-0+deb9u1 [jessie] - wireshark <postponed> (Can be fixed along in next 1.12.x DLA) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15961 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=34d2e0d5318d0a7e9889498c721639e5cbf4ce45 @@ -11768,7 +11768,7 @@ CVE-2019-16277 (PicoC 2.1 has a heap-based buffer overflow in StringStrcpy in cs CVE-2019-16319 (In Wireshark 3.0.0 to 3.0.3 and 2.6.0 to 2.6.10, the Gryphon dissector ...) - wireshark 3.0.4-1 (low) [buster] - wireshark 2.6.20-0+deb10u1 - [stretch] - wireshark <postponed> (Can be fixed along in next 2.6.x DSA) + [stretch] - wireshark 2.6.20-0+deb9u1 [jessie] - wireshark <not-affected> (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2019-21.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16020 @@ -18974,7 +18974,7 @@ CVE-2019-13620 CVE-2019-13619 (In Wireshark 3.0.0 to 3.0.2, 2.6.0 to 2.6.9, and 2.4.0 to 2.4.15, the ...) - wireshark 2.6.10-1 (low) [buster] - wireshark 2.6.20-0+deb10u1 - [stretch] - wireshark <postponed> (Can be fixed along in next 2.6.x release) + [stretch] - wireshark 2.6.20-0+deb9u1 [jessie] - wireshark <not-affected> (vulnerable code not present, binary encoding not yet supported) NOTE: https://www.wireshark.org/security/wnpa-sec-2019-20.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15870 diff --git a/data/CVE/2020.list b/data/CVE/2020.list index 22f4e40d89..1b13a52d27 100644 --- a/data/CVE/2020.list +++ b/data/CVE/2020.list @@ -6422,7 +6422,7 @@ CVE-2020-28031 (eramba through c2.8.1 allows HTTP Host header injection with (fo CVE-2020-28030 (In Wireshark 3.2.0 to 3.2.7, the GQUIC dissector could crash. This was ...) - wireshark 3.2.8-0.1 (bug #974689) [buster] - wireshark 2.6.20-0+deb10u1 - [stretch] - wireshark <postponed> (Minor issue, Can be fixed in next DLA by backporting patch together with earlier fix for invalid parameter) + [stretch] - wireshark 2.6.20-0+deb9u1 NOTE: https://gitlab.com/wireshark/wireshark/-/commit/b287e7165e8aa89cde6ae37e7c257c5d87d16b9b NOTE: https://gitlab.com/wireshark/wireshark/-/issues/16887 NOTE: https://www.wireshark.org/security/wnpa-sec-2020-15.html @@ -9850,7 +9850,7 @@ CVE-2020-26576 CVE-2020-26575 (In Wireshark through 3.2.7, the Facebook Zero Protocol (aka FBZERO) di ...) - wireshark 3.2.8-0.1 (bug #974688) [buster] - wireshark 2.6.20-0+deb10u1 - [stretch] - wireshark <postponed> (Minor issue, can be fixed in next DLA by backporting patch) + [stretch] - wireshark 2.6.20-0+deb9u1 NOTE: https://gitlab.com/wireshark/wireshark/-/commit/3ff940652962c099b73ae3233322b8697b0d10ab NOTE: https://gitlab.com/wireshark/wireshark/-/issues/16887 NOTE: https://gitlab.com/wireshark/wireshark/-/merge_requests/467 @@ -10193,7 +10193,7 @@ CVE-2020-26422 (Buffer overflow in QUIC dissector in Wireshark 3.4.0 to 3.4.1 al CVE-2020-26421 (Crash in USB HID protocol dissector and possibly other dissectors in W ...) - wireshark 3.4.1-1 [buster] - wireshark 2.6.20-0+deb10u1 - [stretch] - wireshark <postponed> (Minor issue, can be fixed in next DLA by backporting patch) + [stretch] - wireshark 2.6.20-0+deb9u1 NOTE: https://gitlab.com/wireshark/wireshark/-/commit/d5f2657825e63e4126ebd7d13a59f3c6e8a9e4e1 NOTE: https://gitlab.com/wireshark/wireshark/-/issues/16958 NOTE: https://www.wireshark.org/security/wnpa-sec-2020-17.html @@ -10214,7 +10214,7 @@ CVE-2020-26419 (Memory leak in the dissection engine in Wireshark 3.4.0 allows d CVE-2020-26418 (Memory leak in Kafka protocol dissector in Wireshark 3.4.0 and 3.2.0 t ...) - wireshark 3.4.1-1 [buster] - wireshark 2.6.20-0+deb10u1 - [stretch] - wireshark <postponed> (Minor issue, code was reshuffled when support for more recent Kafka versions was added but backporting is trivial) + [stretch] - wireshark 2.6.20-0+deb9u1 NOTE: https://gitlab.com/wireshark/wireshark/-/commit/f4374967bbf9c12746b8ec3cd54dddada9dd353e NOTE: https://gitlab.com/wireshark/wireshark/-/commit/c7e6b798255e9d78d88abb84b951ca7815e0f880 NOTE: https://gitlab.com/wireshark/wireshark/-/issues/16739 @@ -11446,13 +11446,13 @@ CVE-2020-25864 CVE-2020-25863 (In Wireshark 3.2.0 to 3.2.6, 3.0.0 to 3.0.13, and 2.6.0 to 2.6.20, the ...) - wireshark 3.2.7-1 [buster] - wireshark 2.6.20-0+deb10u1 - [stretch] - wireshark <postponed> (Minor issue, can be fixed along in next DLA) + [stretch] - wireshark 2.6.20-0+deb9u1 NOTE: https://www.wireshark.org/security/wnpa-sec-2020-11.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/16741 CVE-2020-25862 (In Wireshark 3.2.0 to 3.2.6, 3.0.0 to 3.0.13, and 2.6.0 to 2.6.20, the ...) - wireshark 3.2.7-1 [buster] - wireshark 2.6.20-0+deb10u1 - [stretch] - wireshark <postponed> (Minor issue, can be fixed along in next DLA) + [stretch] - wireshark 2.6.20-0+deb9u1 NOTE: https://www.wireshark.org/security/wnpa-sec-2020-12.html NOTE: https://gitlab.com/wireshark/wireshark/-/issues/16816 CVE-2020-25861 @@ -33641,7 +33641,7 @@ CVE-2020-15467 (The administrative interface of Cohesive Networks vns3:vpn appli CVE-2020-15466 (In Wireshark 3.2.0 to 3.2.4, the GVCP dissector could go into an infin ...) - wireshark 3.2.5-1 (low) [buster] - wireshark 2.6.20-0+deb10u1 - [stretch] - wireshark <postponed> (Can be fixed along in next DSA/update to 3.0) + [stretch] - wireshark 2.6.20-0+deb9u1 NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16029 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=11f40896b696e4e8c7f8b2ad96028404a83a51a4 NOTE: https://www.wireshark.org/security/wnpa-sec-2020-09.html @@ -39444,7 +39444,7 @@ CVE-2020-13165 CVE-2020-13164 (In Wireshark 3.2.0 to 3.2.3, 3.0.0 to 3.0.10, and 2.6.0 to 2.6.16, the ...) - wireshark 3.2.4-1 (low) [buster] - wireshark 2.6.20-0+deb10u1 - [stretch] - wireshark <postponed> (Can be fixed along in next DSA/update to 3.0) + [stretch] - wireshark 2.6.20-0+deb9u1 [jessie] - wireshark <postponed> (Can be fixed along with other CVEs) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16476 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=e6e98eab8e5e0bbc982cfdc808f2469d7cab6c5a @@ -43326,7 +43326,7 @@ CVE-2020-11648 CVE-2020-11647 (In Wireshark 3.2.0 to 3.2.2, 3.0.0 to 3.0.9, and 2.6.0 to 2.6.15, the ...) - wireshark 3.2.3-1 (low; bug #958213) [buster] - wireshark 2.6.20-0+deb10u1 - [stretch] - wireshark <postponed> (Can be fixed along in next DSA/update to 3.0) + [stretch] - wireshark 2.6.20-0+deb9u1 [jessie] - wireshark <postponed> (Minor, can be fixed along in a future update) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16474 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=6f56fc9496db158218243ea87e3660c874a0bab0 @@ -48895,7 +48895,7 @@ CVE-2020-9419 CVE-2020-9431 (In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14, the ...) - wireshark 3.2.2-1 [buster] - wireshark 2.6.20-0+deb10u1 - [stretch] - wireshark <postponed> (Can be fixed along in next DSA/update to 3.0) + [stretch] - wireshark 2.6.20-0+deb9u1 [jessie] - wireshark <not-affected> (composite TVB handling added later) NOTE: https://www.wireshark.org/security/wnpa-sec-2020-03.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16341 @@ -48903,7 +48903,7 @@ CVE-2020-9431 (In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14, CVE-2020-9430 (In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14, the ...) - wireshark 3.2.2-1 [buster] - wireshark 2.6.20-0+deb10u1 - [stretch] - wireshark <postponed> (Can be fixed along in next DSA/update to 3.0) + [stretch] - wireshark 2.6.20-0+deb9u1 [jessie] - wireshark <not-affected> (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2020-04.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16368 @@ -48913,7 +48913,7 @@ CVE-2020-9430 (In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14, CVE-2020-9428 (In Wireshark 3.2.0 to 3.2.1, 3.0.0 to 3.0.8, and 2.6.0 to 2.6.14, the ...) - wireshark 3.2.2-1 (low) [buster] - wireshark 2.6.20-0+deb10u1 - [stretch] - wireshark <postponed> (Can be fixed along in next DSA/update to 3.0) + [stretch] - wireshark 2.6.20-0+deb9u1 [jessie] - wireshark <not-affected> (Vulnerable code not present) NOTE: https://www.wireshark.org/security/wnpa-sec-2020-05.html NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16397 @@ -54485,7 +54485,7 @@ CVE-2020-7046 (lib-smtp in submission-login and lmtp in Dovecot 2.3.9 before 2.3 CVE-2020-7045 (In Wireshark 3.0.x before 3.0.8, the BT ATT dissector could crash. Thi ...) - wireshark 3.2.0-1 [buster] - wireshark 2.6.20-0+deb10u1 - [stretch] - wireshark <postponed> (Can be fixed along in next DSA/update to 3.0) + [stretch] - wireshark 2.6.20-0+deb9u1 [jessie] - wireshark <not-affected> (Doesn't support request-respone tracking in affected code passage, yet) NOTE: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16258 NOTE: https://code.wireshark.org/review/gitweb?p=wireshark.git;a=commit;h=01f261de41f4dd3233ef578e5c0ffb9c25c7d14d diff --git a/data/DLA/list b/data/DLA/list index d8883612f4..5d6def5bc4 100644 --- a/data/DLA/list +++ b/data/DLA/list @@ -1,3 +1,6 @@ +[06 Feb 2021] DLA-2547-1 wireshark - security update + {CVE-2019-12295 CVE-2019-13619 CVE-2019-16319 CVE-2019-19553 CVE-2020-7045 CVE-2020-9428 CVE-2020-9430 CVE-2020-9431 CVE-2020-11647 CVE-2020-13164 CVE-2020-15466 CVE-2020-25862 CVE-2020-25863 CVE-2020-26418 CVE-2020-26421 CVE-2020-26575 CVE-2020-28030} + [stretch] - wireshark 2.6.20-0+deb9u1 [06 Feb 2021] DLA-2546-1 intel-microcode - security update {CVE-2020-8695 CVE-2020-8696 CVE-2020-8698} [stretch] - intel-microcode 3.20201118.1~deb9u1 diff --git a/data/dla-needed.txt b/data/dla-needed.txt index fef29b22ae..126579f36b 100644 --- a/data/dla-needed.txt +++ b/data/dla-needed.txt @@ -108,23 +108,6 @@ spotweb NOTE: 20210122: Upstream fix trivially bypassed, reported under CVE-2021-3286 NOTE: 20210127: Upstream says "we can fix this but it may take some time", revisit later (Beuc) -- -wireshark (Adrian Bunk) - NOTE: 20201007: during last triage, I marked some CVEs as no-dsa, it'd be great to include - NOTE: 20201007: those fixes as well! \o/ (utkarsh) - NOTE: 20201108: 2.6.8-1.1 backported as first step - NOTE: 20201108: will try to update wireshark in the next - NOTE: 20201108: buster point release followed by another backport (bunk) - NOTE: 20201123: NMU for unstable prepared as first step (bunk) - NOTE: 20201129: buster-pu in #975932, will backport to stretch when in buster (bunk) - NOTE: 20201130: As seen int he bug above the plan is to first update buster and then backport to stretch. - NOTE: 20201130: This will fix several CVEs but not all. To fix all an backport of 3.4.2 is needed. (ola) - NOTE: 20201230: https://www.wireshark.org/security/ gives good overview of what will be fixed in each upstream version, unfortunately not with the CVE reference (ola) - NOTE: 20201231: These 4 new CVEs: - NOTE: 20201231: 2 CVEs marked as not-affected since vulnerabilities - NOTE: 20201231: were introduced in 3.2.0 resp. 3.4.0 - NOTE: 20201231: 2 CVEs are trivial to backport, will update #975932 (bunk) - NOTE: 20210201: Will be release on 6.2.2021 after the buster point release (bunk) --- xcftools NOTE: 20200111: wrote a patch + reproducer for CVE-2019-5086, waiting for upstream review (hle) NOTE: 20200414: Flurry of activity on/around 20200401 essentially rejecting original patch |