
Bug#550191: wireshark 1.0.2-3+lenny6 security fixes



On Fri, 23 Oct 2009 19:46:24 +0200, Bálint Réczey wrote:
> Hi,
> 
> Moritz proposed to upload fixes for DoS only security problems to
> stable and handle only more serious problems via stable-security:
> > On Monday 06 July 2009 20:42:21 Moritz Muehlenhoff wrote:
> >> On Wed, Jul 01, 2009 at 03:36:44PM -0700, Bálint Réczey wrote:
> >> > Hi,
> >> >
> >> > Wireshark 1.0.8 fixes CVE-2009-1829 and contains other changes fixing
> >> > crashes and one fix for a memory leak.
> >> >
> ...
> >> Traditionally we've been treating Wireshark crashes triggerable by
> >> network traffic as security issues, since someone could use tshark
> >> as a network monitoring/intrusion detection tool. OTOH, both
> >> Wireshark's security record and the mere concept (analysing network
> >> traffic in a flaky implementation language like C) make this an
> >> impractical approach. I would like to propose to document in a file
> >> like README.Debian or README.Debian.security that Wireshark is a
> >> great tool to analyse traffic patterns, but that crashes cannot be
> >> ruled out due to the complex nature of the task. Thus, it should
> >> not be deployed in scenarios where it is used for live network monitoring
> >> and leave pure crash bugs unfixed. Of course all bugs which could
> >> trigger code injection will still be fixed in regular DSAs.
> >> Additionally we could talk to the stable release managers to allow
> >> the latest Wireshark point updates for each stable point update
> >> (since the QA done by upstream is quite good). There are similar
> >> exceptions already done for some packages, e.g. PostgreSQL.
> >
> > I support this approach.
> >
> > Joost
> >
> 
> The original suggestion was to upload full Wireshark releases from the
> stable and old stable Wireshark maintenance branches, but later we
> chose to extract the security related fixes and add only those to the
> Debian package.
> 
> According to that plan I would like to upload the package to "stable"
> and I corrected the attached patch to reflect this.

please submit a bug (including debdiff) to release.debian.org requesting
acceptance of the new version for the next lenny point release.

mike


