CVE-2008-3146 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3146): Unspecified vulnerability in Wireshark and Ethereal on SUSE Linux allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors.
I inquired upstream on a release date.
replied: "It should be out in the next couple of days."
It's out. To quote:
Wireshark 1.0.3 fixes the following vulnerabilities:
* The NCP dissector was susceptible to a number of problems, including buffer overflows and an infinite loop. (Bug 2675) Versions affected: 0.9.7 to 1.0.2
* Wireshark could crash while uncompressing zlib-compressed packet data. (Bug 2649) Versions affected: 0.10.14 to 1.0.2
* Wireshark could crash while reading a Tektronix .rf5 file. Versions affected: 0.99.6 to 1.0.2
*** Bug 236978 has been marked as a duplicate of this bug. ***
wireshark-1.0.3 was added to the tree. Arch teams, please, stabilize.
Stable for HPPA.
alpha/ia64/sparc/x86 stable
ppc and ppc64 stable
amd64 done.. all arches done... your turn to glsa (or not)
CVE-2008-3932 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3932): Wireshark (formerly Ethereal) 0.9.7 through 1.0.2 allows attackers to cause a denial of service (hang) via a crafted NCP packet that triggers an infinite loop.
CVE-2008-3933 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3933): Wireshark (formerly Ethereal) 0.10.14 through 1.0.2 allows attackers to cause a denial of service (crash) via a packet with crafted zlib-compressed data that triggers an invalid read in the tvb_uncompress function.
CVE-2008-3934 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3934): Unspecified vulnerability in Wireshark (formerly Ethereal) 0.99.6 through 1.0.2 allows attackers to cause a denial of service (crash) via a crafted Tektronix .rf5 file.
We already sent GLSA for this kind of stuff so... voting yes.
YES too, request filed.
GLSA 200809-17