From ${URL} :

The following vulnerabilities have been fixed.

wnpa-sec-2015-01
The WCCP dissector could crash. (Bug 10720, Bug 10806) CVE-2015-0559, CVE-2015-0560

wnpa-sec-2015-02
The LPP dissector could crash. (Bug 10773) CVE-2015-0561

wnpa-sec-2015-03
The DEC DNA Routing Protocol dissector could crash. (Bug 10724) CVE-2015-0562

wnpa-sec-2015-04
The SMTP dissector could crash. (Bug 10823) CVE-2015-0563

wnpa-sec-2015-05
Wireshark could crash while decrypting TLS/SSL sessions. Discovered by Noam Rathaus. CVE-2015-0564

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Arch teams, please test and mark stable:
=net-analyzer/wireshark-1.12.3
Targeted stable KEYWORDS : alpha amd64 hppa ia64 ppc ppc64 sparc x86
amd64 stable
x86 stable
Stable for HPPA.
Stable on alpha (including sbc)
CVE-2015-0564 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0564):
Buffer underflow in the ssl_decrypt_record function in epan/dissectors/packet-ssl-utils.c in Wireshark 1.10.x before 1.10.12 and 1.12.x before 1.12.3 allows remote attackers to cause a denial of service (application crash) via a crafted packet that is improperly handled during decryption of an SSL session.

CVE-2015-0563 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0563):
epan/dissectors/packet-smtp.c in the SMTP dissector in Wireshark 1.10.x before 1.10.12 and 1.12.x before 1.12.3 uses an incorrect length value for certain string-append operations, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.

CVE-2015-0562 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0562):
Multiple use-after-free vulnerabilities in epan/dissectors/packet-dec-dnart.c in the DEC DNA Routing Protocol dissector in Wireshark 1.10.x before 1.10.12 and 1.12.x before 1.12.3 allow remote attackers to cause a denial of service (application crash) via a crafted packet, related to the use of packet-scope memory instead of pinfo-scope memory.

CVE-2015-0561 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0561):
asn1/lpp/lpp.cnf in the LPP dissector in Wireshark 1.10.x before 1.10.12 and 1.12.x before 1.12.3 does not validate a certain index value, which allows remote attackers to cause a denial of service (out-of-bounds memory access and application crash) via a crafted packet.

CVE-2015-0560 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0560):
The dissect_wccp2r1_address_table_info function in epan/dissectors/packet-wccp.c in the WCCP dissector in Wireshark 1.10.x before 1.10.12 and 1.12.x before 1.12.3 does not initialize certain data structures, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.

CVE-2015-0559 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0559):
Multiple use-after-free vulnerabilities in epan/dissectors/packet-wccp.c in the WCCP dissector in Wireshark 1.10.x before 1.10.12 and 1.12.x before 1.12.3 allow remote attackers to cause a denial of service (application crash) via a crafted packet, related to the use of packet-scope memory instead of pinfo-scope memory.
sparc stable
ppc64 stable
ppc stable
ia64 stable. Maintainer(s), please cleanup. Security, please vote.
Maintainer(s), thank you for the cleanup.
GLSA Vote: No
Maintainer(s), please drop the vulnerable version(s).
Added to an existing GLSA Request.
This issue was resolved and addressed in GLSA 201510-03 at https://security.gentoo.org/glsa/201510-03 by GLSA coordinator Kristian Fiskerstrand (K_F).