The following vulnerabilities have been fixed:
* wnpa-sec-2018-01 Multiple dissectors could crash. (Bug 14253) CVE-2018-5336
* wnpa-sec-2018-03 The IxVeriWave file parser could crash. (Bug 14297) CVE-2018-5334
* wnpa-sec-2018-04 The WCP dissector could crash. (Bug 14251) CVE-2018-5335
CVE-2018-5336 (https://nvd.nist.gov/vuln/detail/CVE-2018-5336): In Wireshark 2.4.0 to 2.4.3 and 2.2.0 to 2.2.11, the JSON, XML, NTP, XMPP, and GDB dissectors could crash. This was addressed in epan/tvbparse.c by limiting the recursion depth.
CVE-2018-5335 (https://nvd.nist.gov/vuln/detail/CVE-2018-5335): In Wireshark 2.4.0 to 2.4.3 and 2.2.0 to 2.2.11, the WCP dissector could crash. This was addressed in epan/dissectors/packet-wcp.c by validating the available buffer length.
CVE-2018-5334 (https://nvd.nist.gov/vuln/detail/CVE-2018-5334): In Wireshark 2.4.0 to 2.4.3 and 2.2.0 to 2.2.11, the IxVeriWave file parser could crash. This was addressed in wiretap/vwr.c by correcting the signature timestamp bounds checks.
@ Maintainer(s): Can we already stabilize =net-analyzer/wireshark-2.4.4?
2.4.4 contains the fix, but targeting 2.4.5. @arches, please stabilize.
ia64 stable
ppc stable
ppc64 stable
arm stable, all arches done.
No vulnerable ebuilds left. GLSA Vote: No