The following vulnerabilities have been fixed:

* wnpa-sec-2016-58 Profinet I/O long loop. (Bug 12851)
* wnpa-sec-2016-59 AllJoyn crash. (Bug 12953)
* wnpa-sec-2016-60 OpenFlow crash. (Bug 13071)
* wnpa-sec-2016-61 DCERPC crash. (Bug 13072)
* wnpa-sec-2016-62 DTN infinite loop. (Bug 13097)
CVE-2016-9376 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9376): In Wireshark 2.2.0 to 2.2.1 and 2.0.0 to 2.0.7, the OpenFlow dissector could crash with memory exhaustion, triggered by network traffic or a capture file. This was addressed in epan/dissectors/packet-openflow_v5.c by ensuring that certain length values were sufficiently large.

CVE-2016-9375 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9375): In Wireshark 2.2.0 to 2.2.1 and 2.0.0 to 2.0.7, the DTN dissector could go into an infinite loop, triggered by network traffic or a capture file. This was addressed in epan/dissectors/packet-dtn.c by checking whether SDNV evaluation was successful.

CVE-2016-9374 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9374): In Wireshark 2.2.0 to 2.2.1 and 2.0.0 to 2.0.7, the AllJoyn dissector could crash with a buffer over-read, triggered by network traffic or a capture file. This was addressed in epan/dissectors/packet-alljoyn.c by ensuring that a length variable properly tracked the state of a signature variable.

CVE-2016-9373 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9373): In Wireshark 2.2.0 to 2.2.1 and 2.0.0 to 2.0.7, the DCERPC dissector could crash with a use-after-free, triggered by network traffic or a capture file. This was addressed in epan/dissectors/packet-dcerpc-nt.c and epan/dissectors/packet-dcerpc-spoolss.c by using the wmem file scope for private strings.

CVE-2016-9372 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-9372): In Wireshark 2.2.0 to 2.2.1, the Profinet I/O dissector could loop excessively, triggered by network traffic or a capture file. This was addressed in plugins/profinet/packet-pn-rtc-one.c by rejecting input with too many I/O objects.
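Added example (not Wireshark's code and not part of the original comment): a minimal C sketch of the bug class behind CVE-2016-9375, where a parse loop advances by the length an SDNV decoder reports and stalls if a failed decode is not checked. The function names and the iteration cap are assumptions made for illustration; the SDNV encoding (7 value bits per byte, high bit set when more bytes follow) is the standard one.

```c
#include <stddef.h>
#include <stdint.h>

/* Decode one SDNV. Returns the number of bytes consumed,
 * or 0 on failure (input truncated, or value exceeds 64 bits). */
static size_t sdnv_decode(const uint8_t *buf, size_t len, uint64_t *value)
{
    uint64_t v = 0;
    for (size_t i = 0; i < len; i++) {
        if (v >> 57)                  /* next 7-bit shift would lose bits */
            return 0;
        v = (v << 7) | (buf[i] & 0x7F);
        if (!(buf[i] & 0x80)) {       /* high bit clear: last byte */
            *value = v;
            return i + 1;
        }
    }
    return 0;                         /* ran out of input mid-value */
}

/* Hardened walk: count back-to-back SDNVs, -1 on malformed input. */
static int count_sdnvs(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int n = 0;
    while (off < len) {
        uint64_t v;
        size_t used = sdnv_decode(buf + off, len - off, &v);
        if (used == 0)
            return -1;                /* decode failed: stop, do not spin */
        off += used;
        n++;
    }
    return n;
}

/* Unchecked walk, kept only to show the stall. The cap (an assumption of
 * this sketch) stands in for "forever"; returns the iterations executed. */
static unsigned walk_unchecked(const uint8_t *buf, size_t len, unsigned cap)
{
    size_t off = 0;
    unsigned iters = 0;
    while (off < len && iters < cap) {
        uint64_t v;
        off += sdnv_decode(buf + off, len - off, &v); /* may add 0 */
        iters++;
    }
    return iters;
}
```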
Arch teams, please test and mark stable:
=net-analyzer/wireshark-2.2.2
Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Please fix that lame Summary policy. It's not working.
(In reply to Jeroen Roovers from comment #3)
> Please fix that lame Summary policy. It's not working.

When I changed the summary back the ebuild was not in Portage after a fresh Git sync. So if you are trying to save yourself time or bug changes then just leave a comment letting us know the ebuild is inbound. Not that difficult so don't be a dick.
(In reply to Aaron Bauman from comment #4)
> (In reply to Jeroen Roovers from comment #3)
> > Please fix that lame Summary policy. It's not working.
>
> When I changed the summary back the ebuild was not in Portage after a fresh
> Git sync.

Yes, that policy. Fix it.

> So if you are trying to save yourself time or bug changes then
> just leave a comment letting us know the ebuild is inbound.

But then you have this "normalised" Summary that doesn't say anything about a particular version, and that's wrong.

> Not that difficult so don't be a dick.

Rude.
(In reply to Jeroen Roovers from comment #5)
> (In reply to Aaron Bauman from comment #4)
> > (In reply to Jeroen Roovers from comment #3)
> > > Please fix that lame Summary policy. It's not working.
> >
> > When I changed the summary back the ebuild was not in Portage after a fresh
> > Git sync.
>
> Yes, that policy. Fix it.
>
> > So if you are trying to save yourself time or bug changes then
> > just leave a comment letting us know the ebuild is inbound.
>
> But then you have this "normalised" Summary that doesn't say anything about
> a particular version, and that's wrong.
>
> > Not that difficult so don't be a dick.
>
> Rude.

The policy states that unless the ebuild is in the tree then the version number should not be in the summary. This allows the security team to identify bugs which can be worked further. If the ebuild does not exist we cannot call for stabilization etc. Timing got us as you were bumping the ebuild and I saw the bug mail and there was no ebuild. So just leave a comment when you open the bug or bump the ebuild first. If you don't like the policy then ask for it to be changed, but it works and makes sense.
amd64 stable
x86 stable
Stable for HPPA PPC64.
Stable on alpha.
arm stable
sparc stable
ia64 stable
ppc stable. Maintainer(s), please cleanup. Security, please vote.
GLSA Vote: No