Bug 25827 - wireshark new release 3.0.7 fixes security issue
Summary: wireshark new release 3.0.7 fixes security issue
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-12-05 16:07 CET by David Walser
Modified: 2019-12-13 19:27 CET

See Also:
Source RPM: wireshark-3.0.4-1.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2019-12-05 16:07:46 CET
Upstream has released new versions on December 4:
https://www.wireshark.org/news/20191204.html

Updated package uploaded for Mageia 7.

Advisory:
========================

Updated wireshark packages fix security vulnerability:

CMS dissector crash (CVE-2019-19553).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19553
https://www.wireshark.org/security/wnpa-sec-2019-22
https://www.wireshark.org/docs/relnotes/wireshark-3.0.5.html
https://www.wireshark.org/docs/relnotes/wireshark-3.0.6.html
https://www.wireshark.org/docs/relnotes/wireshark-3.0.7.html
https://www.wireshark.org/news/20190920.html
https://www.wireshark.org/news/20191023.html
https://www.wireshark.org/news/20191204.html
========================

Updated packages in core/updates_testing:
========================
wireshark-3.0.7-1.mga7
libwireshark12-3.0.7-1.mga7
libwiretap9-3.0.7-1.mga7
libwscodecs2-3.0.7-1.mga7
libwsutil10-3.0.7-1.mga7
libwireshark-devel-3.0.7-1.mga7
wireshark-tools-3.0.7-1.mga7
tshark-3.0.7-1.mga7
rawshark-3.0.7-1.mga7
dumpcap-3.0.7-1.mga7

from wireshark-3.0.7-1.mga7.src.rpm
Comment 1 Herman Viaene 2019-12-11 16:56:22 CET
MGA7-64 Plasma on Lenovo B50
I could not install libwireshark-devel-3.0.7-1.mga7 because of:
# urpmi lib64wireshark-devel
De volgende pakketten kunnen niet worden geïnstalleerd omdat ze afhangen
van pakketten die ouder zijn dan de reeds geïnstalleerde pakketten: could not install because dependent on older packages than the ones already installed.
lib64croco-devel-0.6.13-1.mga7
gettext-devel-0.19.8.1-4.mga7
lib64gnutls-devel-3.6.7-1.mga7
lib64wireshark-devel-3.0.7-1.mga7
Toch doorgaan met de installatie? (J/n) n :continue: no
[root@mach5 rpm]# urpme lib64croco-devel-0.6.13-1.mga7
onbekend pakket: lib64croco-devel-0.6.13-1.mga7 unknown package
I could do 
rpm --rebuilddb
but that didn't help
Leaving that problem alone, I added my user to the wireshark group, logged out and in again, then proceeded with tests as in bug 25436 Comment 1
The commands and outputs are all literally the same, so I don't repeat these here.
OK for me.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 2 Thomas Andrews 2019-12-12 22:53:11 CET
Starting with a 64-bit install which didn't have wireshark, I installed version 3.0.4, which pulled in a number of dependencies, and I installed lib64wireshark-devel 3.0.4, which pulled in many more dependencies.

All packages installed cleanly. Then I used the list from Comment 0 in qarepo, adding "64" to all libraries. Again, all packages installed cleanly.

Herman, I have no idea why you couldn't install the devel package, unless you were inadvertently mixing 64-bit and 32-bit libraries.

Validating. Advisory in Comment 0.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 3 Rémi Verschelde 2019-12-13 17:03:16 CET
Advisory uploaded.

Keywords: (none) => advisory

Comment 4 Mageia Robot 2019-12-13 19:27:20 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0384.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

