Re: ethereal 0.10.11 fixes lots of security issues
* Andreas Barth (aba@not.so.argh.org) [050505 10:25]:
> * Frederic Peters (fpeters@debian.org) [050505 09:10]:
> > Hello,
> >
> > The ethereal project released 0.10.11 today which fixes even more
> > security issues than the usual release, they are detailed in
> > http://www.ethereal.com/appnotes/enpa-sa-00019.html
> > and summarized in the Debian changelog entry:
> >
> > ethereal (0.10.11-1) unstable; urgency=high
> >
> > * New upstream release; urgency high since it fixes security issues in the
> > following dissectors:
> > * format string vulnerabilities: ANSI A, DHCP
> > * segmentation faults: GSM MAP, AIM, TZSP, Bittorrent, SMB, GSM, SMB
> > NETLOGON
> > * buffer overflows: DISTCC, FCELS, SIP, ISIS, CMIP, CMP, CMS, CRMF, ESS,
> > OCSP, PKIX1Explitit, PKIX Qualified, X.509, NCP, ISUP, TCAP,
> > Presentation
> > * null pointer exception: KINK, WSP, SMB Mailslot, H.245, MGCP, RPC
> > * infinite loops: LMP, EIGRP, MEGACO, L2TP
> > * uncaught assertions: Telnet, 802.3, BER, IAX2, RADIUS, SMB PIPE, MRDISC
> > * memory exhaustion: DICOM
> > * unclassified: Fibre Channel, LDAP, NTLMSSP
> >
> > -- Frederic Peters <fpeters@debian.org> Thu, 5 May 2005 08:43:00 +0200
> >
> >
> > Can I upload this to testing-proposed-updates ? And is the correct
> > way simply to change the changelog first line to:
> > ethereal (0.10.11-1) testing-proposed-updated unstable; urgency=high
> > ?
>
> Well, if it is a security-only release, just upload to unstable, and
> I'll push it through. If there are changes not appropriate for sarge,
> then please either just upload the appropriate changes (that's our
> preferred policy), or upload 0.10.10-2sarge1 to t-p-u (and just write
> "testing" or "testing-proposed-updates" instead of unstable there).

Three further remarks:
- of course, a push-through from unstable can also contain non-security
  important and RC bug fixes, as well as documentation and l10n updates
  (see Steve's mail to d-d-a for reference)
- Also, there is the possibility of a security upload of the security
  team. Please see the developers-reference for details how to do that.
- If there are CAN-numbers etc assigned, please mention them in the
  changelog. If there are none, please coordinate with the security-team
  whether we need some.

Cheers,
Andi
--
http://home.arcor.de/andreas-barth/
PGP 1024/89FB5CE5 DC F1 85 6D A6 45 9C 0F 3B BE F1 D0 C5 D1 D9 0C