Summary: net-analyzer/tcpdump-4.9.2: Multiple vulnerabilities
Product: Gentoo Security
Reporter: Kristian Fiskerstrand (RETIRED) <k_f>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: denis, netmon, nobrowser, qa, zerochaos
Whiteboard: B3 [glsa cve]
Runtime testing required: ---
Description Kristian Fiskerstrand (RETIRED) 2017-09-06 19:21:54 UTC
Comment 1 Sergey Popov 2017-09-07 08:42:12 UTC
*** Bug 630078 has been marked as a duplicate of this bug. ***
Comment 2 Kristian Fiskerstrand (RETIRED) 2017-09-07 08:56:17 UTC
Adding upstream as CC to provide access, sorry, seems I missed bug 630078 when I opened this bug report.
Comment 3 Kristian Fiskerstrand (RETIRED) 2017-09-07 20:13:56 UTC
Cat is out of the bag with http://www.openwall.com/lists/oss-security/2017/09/07/8, referencing also https://git.archlinux.org/svntogit/packages.git/commit/trunk/PKGBUILD?h=packages/tcpdump&id=ae8cb07d00feb32a4f8a500fc8fa668d3f8c5275. So I don't see any point in holding back the bump at this point, although we won't do a full security release just yet.
Comment 4 Kristian Fiskerstrand (RETIRED) 2017-09-07 20:51:06 UTC
Unrestricting as per comments from upstream
Comment 5 Jeroen Roovers (RETIRED) 2017-09-08 04:12:41 UTC
WTF was netmon@ not CC'd?
Comment 6 Kristian Fiskerstrand (RETIRED) 2017-09-08 07:17:23 UTC
(In reply to Jeroen Roovers from comment #5)
> WTF was netmon@ not CC'd?

My mistake, I should've added it as CC when I removed the restriction of the bug. Restricted bugs cannot CC/assign projects/aliases, as that won't grant access to anyone, nor is it appropriate to do so for embargo handling. ZeroChaos is a member of the netmon project and he has acknowledged the pre-release embargo policy at https://wiki.gentoo.org/wiki/Project:Security/Pre-Release-Disclosure, as such it was handled with involvement of a minimum set of trusted parties.
Comment 7 Rick Farina (Zero_Chaos) 2017-09-08 15:14:15 UTC
Jer, is there any specific reason why you dropped the stable ebuild and downgraded the users? Your ebuild is extremely minimally different from the one I used, and it certainly doesn't seem like the downgrade was worth it.
Comment 8 Sergei Trofimovich (RETIRED) 2017-09-09 11:54:23 UTC
Comment 9 Aaron Bauman (RETIRED) 2017-09-10 22:24:03 UTC
sparc was dropped to exp. https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5901d8f716555a1479f12313a2925fcadd177a9
Comment 10 Christopher Díaz Riveros (RETIRED) 2017-09-12 00:23:37 UTC
amd64 tested, ok
Comment 11 Rick Farina (Zero_Chaos) 2017-09-12 20:51:20 UTC
Adding QA, as the stable ebuild was dropped with no explanation, which forces users to downgrade to known vulnerable software.
Comment 12 Jeroen Roovers (RETIRED) 2017-09-13 10:01:18 UTC
(In reply to Rick Farina (Zero_Chaos) from comment #11)
> adding QA as stable ebuild was dropped with no explanation which forces
> users to downgrade to known vulnerable software.

I requested years ago that you submit your changes to packages to netmon@ for review after you managed to repeatedly introduce some pretty severe QA issues.
Comment 13 Tobias Klausmann (RETIRED) 2017-09-14 17:50:17 UTC
Stable on alpha.
Comment 14 Markus Meier 2017-09-15 04:41:11 UTC
arm stable, tested by Yury German
Comment 15 Kristian Fiskerstrand (RETIRED) 2017-09-16 13:48:26 UTC
commit b698a62ba12a09474e84f1b75d81da25f6809207 (HEAD -> master, origin/master, origin/HEAD)
Author: Kristian Fiskerstrand <firstname.lastname@example.org>
Date:   Sat Sep 16 15:47:22 2017 +0200

    net-analyzer/tcpdump: Restore stable 4.9.2 for amd64 and x86

    Restoring stable keywords for amd64 and x86 that were removed in
    commit 2b45ef99159553b83e9a0bac9a597a1a300fe025.

    Fixes: 2b45ef99159553b83e9a0bac9a597a1a300fe025
    Gentoo-Bug: 630110
    Package-Manager: Portage-2.3.6, Repoman-2.3.1
Comment 16 Sergei Trofimovich (RETIRED) 2017-09-23 21:02:12 UTC
Comment 17 Sergei Trofimovich (RETIRED) 2017-09-24 17:36:14 UTC
Comment 18 Sergei Trofimovich (RETIRED) 2017-09-24 19:31:45 UTC
Comment 19 Yury German 2017-09-25 02:55:19 UTC
GLSA Vote: Yes. New GLSA Request filed.
Comment 20 Yury German 2017-09-25 02:55:36 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 21 GLSAMaker/CVETool Bot 2017-09-25 11:56:14 UTC
This issue was resolved and addressed in GLSA 201709-23 at https://security.gentoo.org/glsa/201709-23 by GLSA coordinator Aaron Bauman (b-man).
Comment 22 Sergei Trofimovich (RETIRED) 2017-12-06 22:47:16 UTC
sparc stable (thanks to Rolf Eike Beer)