wnpa-sec-2020-11[1] MIME Multipart dissector crash. Bug 16741[2].
Fixed in master: 2411eae9ed
Fixed in master-3.2: 21f082cb6e
Fixed in master-3.0: 14e274f3be
Fixed in master-2.6: 5803c7b87b

wnpa-sec-2020-12[3] TCP dissector crash. Bug 16816[4].
Fixed in master: c4634b1e99
Fixed in master-3.2: e9b727595b
Fixed in master-3.0: 7f3fe6164a
Fixed in master-2.6: 9d7ab8b46f

wnpa-sec-2020-13[5] BLIP dissector crash. Bug 16866[6].
Fixed in master: 4a94842710
Fixed in master-3.2: 594d312b12
Fixed in master-3.0: 2fb6002559
Fixed in master-2.6: n/a

[1] https://www.wireshark.org/security/wnpa-sec-2020-11
[2] https://gitlab.com/wireshark/wireshark/-/issues/16741
[3] https://www.wireshark.org/security/wnpa-sec-2020-12
[4] https://gitlab.com/wireshark/wireshark/-/issues/16816
[5] https://www.wireshark.org/security/wnpa-sec-2020-13
[6] https://gitlab.com/wireshark/wireshark/-/issues/16866
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6abc81eb706e80d554d2fc68bd0131b8d9df5f58

commit 6abc81eb706e80d554d2fc68bd0131b8d9df5f58
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-09-25 08:51:46 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-09-25 08:52:22 +0000

    net-analyzer/wireshark: Version 3.2.7

    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Bug: https://bugs.gentoo.org/744592
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-analyzer/wireshark/Manifest               |   1 +
 net-analyzer/wireshark/wireshark-3.2.7.ebuild | 261 ++++++++++++++++++++++++++
 2 files changed, 262 insertions(+)
Unable to check for sanity:

> no match for package: =net-analyzer/wireshark-3.2.7
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
net-analyzer/wireshark-3.3.0, "an experimental release intended to test new features for Wireshark 3.4"[0], is vulnerable to at least wnpa-sec-2020-13. Adding net-analyzer/wireshark-3.3.1 fixed this, but the commit adding that ebuild was reverted due to unrelated reasons by someone apparently representing the QA team.

[0] https://www.wireshark.org/lists/wireshark-announce/202009/msg00000.html
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0467141c801b9dd66196fabec0c1d674d2bee66

commit b0467141c801b9dd66196fabec0c1d674d2bee66
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-10-02 11:02:40 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-10-02 11:11:28 +0000

    net-analyzer/wireshark: Fix EGIT_REPO_URI

    The old repository site is unmaintained, stuck in August 2020, and
    contains vulnerable code, yet still returns no redirect or other useful
    HTTP status code that would tell the user something is wrong. On
    visiting the site with a web browser, and some URL hacking, the original
    EGIT_REPO_URI does tell you where to go for the current repository, so
    use that instead.

    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Bug: https://bugs.gentoo.org/744592
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-analyzer/wireshark/wireshark-99999999.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
arm done
ppc64 stable
x86 stable
amd64 stable. Maintainer(s), please cleanup. Security, please vote.
(In reply to Jeroen Roovers from comment #4)
> Adding net-analyzer/wireshark-3.3.1 fixed this, but the commit adding that
> ebuild was reverted due to unrelated reasons by someone apparently
> representing the QA team.

$SOMEONE would still need to re-add net-analyzer/wireshark-3.3.1 as 3.3.0 is vulnerable.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3f943db29b6756d207c6790470549b1d930f5576

commit 3f943db29b6756d207c6790470549b1d930f5576
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-10-09 08:55:51 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-10-09 08:56:40 +0000

    net-analyzer/wireshark: Old

    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Bug: https://bugs.gentoo.org/744592
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-analyzer/wireshark/Manifest               |   1 -
 net-analyzer/wireshark/wireshark-3.2.6.ebuild | 261 --------------------------
 2 files changed, 262 deletions(-)
(In reply to Jeroen Roovers from comment #10)
> (In reply to Jeroen Roovers from comment #4)
> > Adding net-analyzer/wireshark-3.3.1 fixed this, but the commit adding that
> > ebuild was reverted due to unrelated reasons by someone apparently
> > representing the QA team.
>
> $SOMEONE would still need to re-add net-analyzer/wireshark-3.3.1 as 3.3.0 is
> vulnerable.

Responsibility for version bumps would seem to fall to the maintainer. Please bump, keeping in mind why the last one was reverted.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=416da54e116f58cd4c2e3d59a07417348d3f79d7

commit 416da54e116f58cd4c2e3d59a07417348d3f79d7
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-10-11 18:06:47 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-10-11 18:07:36 +0000

    profiles/package.mask: security mask ~arch net-analyzer/wireshark

    The maintainer did not want to update this after QA intervention, so
    masking the ~arch version. Use the stable version for the fixed variant.

    Bug: https://bugs.gentoo.org/744592
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 8 ++++++++
 1 file changed, 8 insertions(+)
Obsoleted by https://security.gentoo.org/glsa/202011-08 anyway.