Bug 15924 - wireshark new release 1.10.14 fixes security issues
Summary: wireshark new release 1.10.14 fixes security issues
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/644512/
Whiteboard: has_procedure advisory MGA4-32-OK MGA...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-05-13 15:02 CEST by David Walser
Modified: 2015-05-14 17:45 CEST

See Also:
Source RPM: wireshark-1.10.14-1.mga4.src.rpm
CVE:
Status comment:



Description David Walser 2015-05-13 15:02:10 CEST
Upstream has released new versions on May 12:
https://www.wireshark.org/news/20150512.html

Freeze push requested for Cauldron for 1.12.5.

Updated package uploaded for Mageia 4.

Advisory:
========================

Updated wireshark packages fix security vulnerabilities:

The WCP dissector could crash while decompressing data (CVE-2015-3811).

The X11 dissector could leak memory (CVE-2015-3812).

The IEEE 802.11 dissector could go into an infinite loop (CVE-2015-3814).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3811
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3812
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3814
https://www.wireshark.org/security/wnpa-sec-2015-14.html
https://www.wireshark.org/security/wnpa-sec-2015-15.html
https://www.wireshark.org/security/wnpa-sec-2015-17.html
https://www.wireshark.org/docs/relnotes/wireshark-1.10.14.html
https://www.wireshark.org/news/20150512.html
========================

Updated packages in core/updates_testing:
========================
wireshark-1.10.14-1.mga4
libwireshark3-1.10.14-1.mga4
libwiretap3-1.10.14-1.mga4
libwsutil3-1.10.14-1.mga4
libwireshark-devel-1.10.14-1.mga4
wireshark-tools-1.10.14-1.mga4
tshark-1.10.14-1.mga4
rawshark-1.10.14-1.mga4
dumpcap-1.10.14-1.mga4

from wireshark-1.10.14-1.mga4.src.rpm

Comment 1 David Walser 2015-05-13 15:02:26 CEST
Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Wireshark

Whiteboard: (none) => has_procedure

Comment 2 David Walser 2015-05-13 17:13:37 CEST
I dissected the three PoC pcap files with tshark -nVxr and had no issues.  Doing a capture and analysis with Wireshark works fine too.  Testing complete Mageia 4 i586.

Whiteboard: has_procedure => has_procedure MGA4-32-OK

Comment 3 Shlomi Fish 2015-05-13 18:15:49 CEST
Works fine on x86-64 - my Acer Laptop.

CC: (none) => shlomif
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK

Comment 4 claire robinson 2015-05-13 18:17:50 CEST
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2015-05-13 19:19:47 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0223.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-05-14 17:45:03 CEST

URL: (none) => http://lwn.net/Vulnerabilities/644512/

