Summary: | <net-analyzer/wireshark-3.2.7: Multiple vulnerabilities (CVE-2020-{25862,25863,25866})
---|---
Product: | Gentoo Security
Component: | Vulnerabilities
Reporter: | Jeroen Roovers (RETIRED) <jer>
Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED
Severity: | minor
Priority: | Normal
CC: | netmon, qa
Version: | unspecified
Hardware: | All
OS: | Linux
URL: | https://www.wireshark.org/lists/wireshark-announce/202009/msg00001.html
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=750692
Whiteboard: | B3 [noglsa cve]
Package list: | =net-analyzer/wireshark-3.2.7-r1
Runtime testing required: | ---
Description
Jeroen Roovers (RETIRED)
2020-09-25 08:52:03 UTC
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6abc81eb706e80d554d2fc68bd0131b8d9df5f58

    commit 6abc81eb706e80d554d2fc68bd0131b8d9df5f58
    Author:     Jeroen Roovers <jer@gentoo.org>
    AuthorDate: 2020-09-25 08:51:46 +0000
    Commit:     Jeroen Roovers <jer@gentoo.org>
    CommitDate: 2020-09-25 08:52:22 +0000

    net-analyzer/wireshark: Version 3.2.7

    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Bug: https://bugs.gentoo.org/744592
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

    net-analyzer/wireshark/Manifest               |   1 +
    net-analyzer/wireshark/wireshark-3.2.7.ebuild | 261 ++++++++++++++++++++++++++
    2 files changed, 262 insertions(+)

Unable to check for sanity:
> no match for package: =net-analyzer/wireshark-3.2.7

Resetting sanity check; keywords are not fully specified and arches are not CC-ed.

net-analyzer/wireshark-3.3.0, "an experimental release intended to test new features for Wireshark 3.4"[0], is vulnerable to at least wnpa-sec-2020-13. Adding net-analyzer/wireshark-3.3.1 fixed this, but the commit adding that ebuild was reverted due to unrelated reasons by someone apparently representing the QA team.

[0] https://www.wireshark.org/lists/wireshark-announce/202009/msg00000.html

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0467141c801b9dd66196fabec0c1d674d2bee66

    commit b0467141c801b9dd66196fabec0c1d674d2bee66
    Author:     Jeroen Roovers <jer@gentoo.org>
    AuthorDate: 2020-10-02 11:02:40 +0000
    Commit:     Jeroen Roovers <jer@gentoo.org>
    CommitDate: 2020-10-02 11:11:28 +0000

    net-analyzer/wireshark: Fix EGIT_REPO_URI

    The old repository site is unmaintained, stuck in August 2020, and
    contains vulnerable code, yet still returns no redirect or other useful
    HTTP status code that would tell the user something is wrong. On
    visiting the site with a web browser, and some URL hacking, the original
    EGIT_REPO_URI does tell you where to go for the current repository, so
    use that instead.

    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Bug: https://bugs.gentoo.org/744592
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

    net-analyzer/wireshark/wireshark-99999999.ebuild | 2 +-
    1 file changed, 1 insertion(+), 1 deletion(-)

arm done

ppc64 stable

x86 stable

amd64 stable.

Maintainer(s), please cleanup. Security, please vote.

(In reply to Jeroen Roovers from comment #4)
> Adding net-analyzer/wireshark-3.3.1 fixed this, but the commit adding that
> ebuild was reverted due to unrelated reasons by someone apparently
> representing the QA team.

$SOMEONE would still need to re-add net-analyzer/wireshark-3.3.1 as 3.3.0 is vulnerable.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3f943db29b6756d207c6790470549b1d930f5576

    commit 3f943db29b6756d207c6790470549b1d930f5576
    Author:     Jeroen Roovers <jer@gentoo.org>
    AuthorDate: 2020-10-09 08:55:51 +0000
    Commit:     Jeroen Roovers <jer@gentoo.org>
    CommitDate: 2020-10-09 08:56:40 +0000

    net-analyzer/wireshark: Old

    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Bug: https://bugs.gentoo.org/744592
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

    net-analyzer/wireshark/Manifest               |   1 -
    net-analyzer/wireshark/wireshark-3.2.6.ebuild | 261 --------------------------
    2 files changed, 262 deletions(-)

(In reply to Jeroen Roovers from comment #10)
> (In reply to Jeroen Roovers from comment #4)
> > Adding net-analyzer/wireshark-3.3.1 fixed this, but the commit adding that
> > ebuild was reverted due to unrelated reasons by someone apparently
> > representing the QA team.
>
> $SOMEONE would still need to re-add net-analyzer/wireshark-3.3.1 as 3.3.0 is
> vulnerable.

Responsibility for version bumps would seem to fall to the maintainer. Please bump, keeping in mind why the last one was reverted.

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=416da54e116f58cd4c2e3d59a07417348d3f79d7

    commit 416da54e116f58cd4c2e3d59a07417348d3f79d7
    Author:     Sam James <sam@gentoo.org>
    AuthorDate: 2020-10-11 18:06:47 +0000
    Commit:     Sam James <sam@gentoo.org>
    CommitDate: 2020-10-11 18:07:36 +0000

    profiles/package.mask: security mask ~arch net-analyzer/wireshark

    The maintainer did not want to update this after QA intervention, so
    masking the ~arch version. Use the stable version for the fixed variant.

    Bug: https://bugs.gentoo.org/744592
    Signed-off-by: Sam James <sam@gentoo.org>

    profiles/package.mask | 8 ++++++++
    1 file changed, 8 insertions(+)

Unable to check for sanity:
> no match for package: =net-analyzer/wireshark-3.2.7

Obsoleted by https://security.gentoo.org/glsa/202011-08 anyway.
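The thread above names two fixed releases, 3.2.7 on the 3.2 branch and 3.3.1 on the 3.3 branch, and calls 3.3.0 vulnerable. The following checker is an added example, not part of the bug report or the Gentoo tree: it takes Wireshark version strings or Gentoo package atoms such as `=net-analyzer/wireshark-3.2.7-r1` and reports whether each is at or past the fixed release on its branch. The function names, the atom grammar it accepts, and the rule that a branch the bug does not mention is reported as "unknown" rather than "fixed" are assumptions of this example; only the fixed-version table comes from the thread. The sample atoms at the bottom are constructed input, not taken from any real system.

```python
"""Classify Wireshark versions against the fixed releases named in this bug.

Added example, not code from the bug report or the Gentoo tree. Assumptions
(not stated in the bug): function names, the atom grammar accepted, and the
policy of reporting a branch the bug does not mention as "unknown" rather than
"fixed". The fixed versions themselves come from the thread: 3.2.7 on the 3.2
branch, 3.3.1 on the 3.3 branch (3.3.0 is the version called vulnerable).
"""
import re
from typing import Dict, List, Tuple

# branch -> first release on that branch the bug records as fixed
FIXED_IN: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (3, 2): (3, 2, 7),
    (3, 3): (3, 3, 1),
}

# "3.2.7" or "3.2.7-r1"; the -rN suffix is a Gentoo ebuild revision and does
# not change the upstream code it builds, so it is parsed but not compared.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")

# "=net-analyzer/wireshark-3.2.7-r1", "net-analyzer/wireshark-3.3.0" or a bare
# "wireshark-3.2.6"; a leading operator (=, <, >=, ~) is ignored for classification.
_ATOM_RE = re.compile(
    r"^[<>=~]*(?:[A-Za-z0-9+_.-]+/)?wireshark-([0-9][0-9.]*(?:-r\d+)?)$"
)


def parse_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """Return (numeric components, ebuild revision): '3.2.7-r1' -> ((3, 2, 7), 1)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    components = tuple(int(p) for p in m.group(1).split("."))
    revision = int(m.group(2)) if m.group(2) else 0
    return components, revision


def version_from_atom(atom: str) -> str:
    """Extract the version part of a Gentoo wireshark package atom."""
    m = _ATOM_RE.match(atom.strip())
    if not m:
        raise ValueError(f"not a wireshark package atom: {atom!r}")
    return m.group(1)


def classify(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for a plain version string."""
    components, _revision = parse_version(version)
    if len(components) < 2:
        return "unknown"  # e.g. the 99999999 live ebuild: no branch to compare
    branch = (components[0], components[1])
    fixed = FIXED_IN.get(branch)
    if fixed is None:
        return "unknown"  # branch not discussed in this bug: do not call it safe
    # Tuple comparison is component-wise, so (3, 2, 10) > (3, 2, 7) and (3, 2) < (3, 2, 7).
    return "fixed" if components >= fixed else "vulnerable"


def classify_atoms(lines: List[str]) -> Dict[str, str]:
    """Classify every wireshark atom in a list of lines; blank lines and
    atoms of other packages are skipped."""
    result: Dict[str, str] = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            version = version_from_atom(line)
        except ValueError:
            continue
        result[line] = classify(version)
    return result


if __name__ == "__main__":
    # Constructed sample input shaped like the package list and the ebuilds
    # named in the thread; not copied from any real system.
    sample = [
        "=net-analyzer/wireshark-3.2.7-r1",
        "net-analyzer/wireshark-3.2.6",
        "net-analyzer/wireshark-3.3.0",
        "net-analyzer/wireshark-3.3.1",
        "net-analyzer/wireshark-99999999",
        "net-analyzer/tcpdump-4.9.3",
    ]
    for atom, status in classify_atoms(sample).items():
        print(f"{status:10s} {atom}")
```

The live ebuild (99999999) and any branch not discussed in the thread come back as "unknown" on purpose: the thread only records 3.2.7 and 3.3.1 as fixed, so the checker declines to call anything else safe. Feeding it the `=net-analyzer/wireshark-...` lines of a bug's package list, or the atoms from an `emerge -p` listing, shows at a glance which entries are on a fixed release.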