Bug 14531 - wireshark new release 1.10.11 fixes security issues
Summary: wireshark new release 1.10.11 fixes security issues
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/622618/
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-11-13 20:43 CET by David Walser
Modified: 2014-11-21 19:06 CET

See Also:
Source RPM: wireshark-1.10.10-1.mga4.src.rpm
CVE:
Status comment:


Description David Walser 2014-11-13 20:43:51 CET
Upstream has released new versions on November 12:
https://www.wireshark.org/news/20141112.html

Freeze push requested for Cauldron for 1.12.2.

Updated packages uploaded for Mageia 3 and Mageia 4.

Advisory:
========================

Updated wireshark packages fix security vulnerabilities:

SigComp UDVM buffer overflow (CVE-2014-8710).

AMQP crash (CVE-2014-8711).

NCP crashes (CVE-2014-8712, CVE-2014-8713).

TN5250 infinite loops (CVE-2014-8714).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8710
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8711
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8712
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8713
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8714
https://www.wireshark.org/security/wnpa-sec-2014-20.html
https://www.wireshark.org/security/wnpa-sec-2014-21.html
https://www.wireshark.org/security/wnpa-sec-2014-22.html
https://www.wireshark.org/security/wnpa-sec-2014-23.html
https://www.wireshark.org/docs/relnotes/wireshark-1.10.11.html
https://www.wireshark.org/news/20141112.html
========================

Updated packages in core/updates_testing:
========================
wireshark-1.10.11-1.mga3
libwireshark3-1.10.11-1.mga3
libwiretap3-1.10.11-1.mga3
libwsutil3-1.10.11-1.mga3
libwireshark-devel-1.10.11-1.mga3
wireshark-tools-1.10.11-1.mga3
tshark-1.10.11-1.mga3
rawshark-1.10.11-1.mga3
dumpcap-1.10.11-1.mga3
wireshark-1.10.11-1.mga4
libwireshark3-1.10.11-1.mga4
libwiretap3-1.10.11-1.mga4
libwsutil3-1.10.11-1.mga4
libwireshark-devel-1.10.11-1.mga4
wireshark-tools-1.10.11-1.mga4
tshark-1.10.11-1.mga4
rawshark-1.10.11-1.mga4
dumpcap-1.10.11-1.mga4

from SRPMS:
wireshark-1.10.11-1.mga3.src.rpm
wireshark-1.10.11-1.mga4.src.rpm

Comment 1 David Walser 2014-11-13 20:44:08 CET
Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Wireshark

Whiteboard: (none) => MGA3TOO has_procedure

Comment 2 David Walser 2014-11-14 16:37:48 CET
Ran a capture and looked at some packets.

Analyzed the pcap PoC files from the wireshark.org bugs with tshark -nVxr and none of them crashed.

Testing complete Mageia 3 i586 and Mageia 4 i586.

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK
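
The check described in comment 2, as an added example that is not part of the original bug report or of Mageia's QA procedure: it replays each capture file through `tshark -nVxr` under a time limit, so that a hang (the TN5250 infinite-loop class in the advisory) is reported separately from a crash. `TSHARK_CMD`, `TSHARK_TIMEOUT` and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: replay capture files through tshark and classify each run.
# TSHARK_CMD and TSHARK_TIMEOUT are assumptions of this example, not QA settings.
TSHARK_CMD="${TSHARK_CMD:-tshark}"        # may include a wrapper, e.g. "sh ./stub"
TSHARK_TIMEOUT="${TSHARK_TIMEOUT:-60}"    # seconds before a run counts as a hang

# classify_status EXIT_CODE: map an exit status to OK, HANG, CRASH or ERROR.
classify_status() {
    if [ "$1" -eq 0 ]; then
        echo OK
    elif [ "$1" -eq 124 ]; then
        echo HANG     # timeout(1) exits 124 when it had to stop the command
    elif [ "$1" -gt 128 ]; then
        echo CRASH    # 128+N: terminated by signal N (139 = SIGSEGV)
    else
        echo ERROR    # tshark refused the file or its options
    fi
}

# check_capture FILE: full dissection (-V) with hex dump (-x), no name resolution (-n).
check_capture() {
    rc=0
    # TSHARK_CMD is left unquoted on purpose so a wrapper prefix splits into words.
    timeout "$TSHARK_TIMEOUT" $TSHARK_CMD -nVxr "$1" >/dev/null 2>&1 || rc=$?
    classify_status "$rc"
}

# check_all FILE...: one result line per file; non-zero return if any run was not OK.
check_all() {
    failed=0
    for f in "$@"; do
        result=$(check_capture "$f")
        printf '%s\t%s\n' "$result" "$f"
        [ "$result" = OK ] || failed=1
    done
    return "$failed"
}

# Run over the files named on the command line, if any.
if [ "$#" -gt 0 ]; then
    check_all "$@"
fi
```
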

Comment 3 Herman Viaene 2014-11-18 15:12:29 CET
Mageia 4 64-bit on AMD Phenom Quadcore.
Wireshark starts normally and I can access all items, and a capture session works (started Firefox).
However, there is a snag: the screen of the capture options extends below the screen resolution, so I can guess there are an OK and Cancel button hidden below, but there is no way I can see these. I have to guess and tab to hit the OK button.

CC: (none) => herman.viaene

Comment 4 Herman Viaene 2014-11-19 10:40:19 CET
Forgot: I can resize the width of the "capture options" window, but not its height.

Comment 5 Herman Viaene 2014-11-19 11:17:19 CET
This is a known bug in Wireshark (bug8907) and is reported to be fixed in their version 1.12.x.

Herman Viaene 2014-11-19 11:17:58 CET

Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA-64

Herman Viaene 2014-11-19 11:23:27 CET

Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA-64 => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA-64-OK

Herman Viaene 2014-11-19 11:43:00 CET

Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA4-64-OK

Comment 6 Rémi Verschelde 2014-11-19 14:18:59 CET
Validating, advisory uploaded.

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK MGA4-64-OK advisory
CC: (none) => remi, sysadmin-bugs

Comment 7 Mageia Robot 2014-11-21 13:45:44 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0471.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2014-11-21 19:06:28 CET

URL: (none) => http://lwn.net/Vulnerabilities/622618/

