
Re: ethereal 0.10.11 fixes lots of security issues



* Andreas Barth (aba@not.so.argh.org) [050505 10:25]:
> * Frederic Peters (fpeters@debian.org) [050505 09:10]:
> > Hello,
> > 
> > The ethereal project released 0.10.11 today which fixes even more
> > security issues than the usual release, they are detailed in
> >   http://www.ethereal.com/appnotes/enpa-sa-00019.html
> > and summarized in the Debian changelog entry:
> > 
> > ethereal (0.10.11-1) unstable; urgency=high
> > 
> >   * New upstream release; urgency high since it fixes security issues in the
> >     following dissectors:
> >     * format string vulnerabilities: ANSI A, DHCP
> >     * segmentation faults: GSM MAP, AIM, TZSP, Bittorrent, SMB, GSM, SMB
> >       NETLOGON
> >     * buffer overflows: DISTCC, FCELS, SIP, ISIS, CMIP, CMP, CMS, CRMF, ESS,
> >       OCSP, PKIX1Explicit, PKIX Qualified, X.509, NCP, ISUP, TCAP,
> >       Presentation
> >     * null pointer exception: KINK, WSP, SMB Mailslot, H.245, MGCP, RPC
> >     * infinite loops: LMP, EIGRP, MEGACO, L2TP
> >     * uncaught assertions: Telnet, 802.3, BER, IAX2, RADIUS, SMB PIPE, MRDISC
> >     * memory exhaustion: DICOM
> >     * unclassified: Fibre Channel, LDAP, NTLMSSP
> > 
> >  -- Frederic Peters <fpeters@debian.org>  Thu,  5 May 2005 08:43:00 +0200
> > 
> > 
> > Can I upload this to testing-proposed-updates ?  And is the correct
> > way simply to change the changelog first line to:
> >   ethereal (0.10.11-1) testing-proposed-updated unstable; urgency=high
> > ?
> 
> Well, if it is a security-only release, just upload to unstable, and
> I'll push it through. If there are changes not appropriate for sarge,
> then please either just upload the appropriate changes (that's our
> preferred policy), or upload 0.10.10-2sarge1 to t-p-u (and just write
> "testing" or "testing-proposed-updates" instead of unstable there).

Three further remarks:
- of course, a push-through from unstable can contain also non-security
  important and RC bug fixes, as well as documentation and l10n updates
  (see Steve's mail to d-d-a for reference)
- Also, there is the possibility of a security upload by the security
  team. Please see the developers-reference for details on how to do that.
- If there are CAN numbers etc. assigned, please mention them in the
  changelog. If there are none, please coordinate with the security-team
  whether we need some.


Cheers,
Andi
-- 
   http://home.arcor.de/andreas-barth/
   PGP 1024/89FB5CE5  DC F1 85 6D A6 45 9C 0F  3B BE F1 D0 C5 D1 D9 0C