Field | Value
---|---
Summary: | net-analyzer/tcpdump-4.9.2: Multiple vulnerabilities
Product: | Gentoo Security
Reporter: | Kristian Fiskerstrand (RETIRED) <k_f>
Component: | Vulnerabilities
Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED
Severity: | normal
CC: | denis, netmon, nobrowser, qa, zerochaos
Priority: | Normal
Flags: | stable-bot: sanity-check+
Version: | unspecified
Hardware: | All
OS: | Linux
Whiteboard: | B3 [glsa cve]
Package list: | net-analyzer/tcpdump-4.9.2
Runtime testing required: | ---
Description
Kristian Fiskerstrand (RETIRED)
2017-09-06 19:21:54 UTC

*** Bug 630078 has been marked as a duplicate of this bug. ***

Adding upstream as CC to provide access, sorry, seems I missed bug 630078 when I opened this bug report.

Cat is out of the bag with http://www.openwall.com/lists/oss-security/2017/09/07/8 referencing also: https://git.archlinux.org/svntogit/packages.git/commit/trunk/PKGBUILD?h=packages/tcpdump&id=ae8cb07d00feb32a4f8a500fc8fa668d3f8c5275 So I don't see any point in holding back bump at this point, although we won't do a full security release just yet.

Unrestricting as per comments from upstream

WTF was netmon@ not CC'd?

(In reply to Jeroen Roovers from comment #5)
> WTF was netmon@ not CC'd?

My mistake, I should've added it as CC when I removed the restriction of the bug. Restricted bugs cannot CC/assign projects/aliases as that won't grant access to anyone, nor is it appropriate to do so for embargo handling. ZeroChaos is a member of the netmon project and he has acknowledged the pre-release embargo policy at https://wiki.gentoo.org/wiki/Project:Security/Pre-Release-Disclosure , as such it was handled with involvement of a minimum set of trusted parties.

Jer, is there any specific reason why you dropped the stable ebuild and downgraded the users? Your ebuild is extremely minimally different from the one I used, and certainly doesn't seem like the downgrade was worth it.

ia64 stable

sparc was dropped to exp. https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5901d8f716555a1479f12313a2925fcadd177a9

amd64 tested, ok

adding QA as stable ebuild was dropped with no explanation which forces users to downgrade to known vulnerable software.

(In reply to Rick Farina (Zero_Chaos) from comment #11)
> adding QA as stable ebuild was dropped with no explanation which forces
> users to downgrade to known vulnerable software.

I requested years ago that you submit your changes to packages to netmon@ for review after you managed to repeatedly introduce some pretty severe QA issues.

Stable on alpha.

arm stable, tested by Yury German

commit b698a62ba12a09474e84f1b75d81da25f6809207 (HEAD -> master, origin/master, origin/HEAD)
Author: Kristian Fiskerstrand <k_f@gentoo.org>
Date:   Sat Sep 16 15:47:22 2017 +0200

    net-analyzer/tcpdump: Restore stable 4.9.2 for amd64 and x86

    Restoring stable keywords for amd64 and x86 that were removed in commit 2b45ef99159553b83e9a0bac9a597a1a300fe025.

    Fixes: 2b45ef99159553b83e9a0bac9a597a1a300fe025
    Gentoo-Bug: 630110
    Package-Manager: Portage-2.3.6, Repoman-2.3.1

ppc64 stable

ppc stable

hppa stable

GLSA Vote: Yes

New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).

This issue was resolved and addressed in GLSA 201709-23 at https://security.gentoo.org/glsa/201709-23 by GLSA coordinator Aaron Bauman (b-man).

sparc stable (thanks to Rolf Eike Beer)