Bug 28915 - wireshark new release 3.4.5 fixes security issue
Summary: wireshark new release 3.4.5 fixes security issue
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2021-05-13 23:08 CEST by David Walser
Modified: 2021-05-27 15:44 CEST

See Also:
Source RPM: wireshark-3.4.4-1.mga8.src.rpm
CVE: CVE-2021-22207
Status comment:



Description David Walser 2021-05-13 23:08:48 CEST
Upstream has released new versions on April 21:
https://www.wireshark.org/news/20210421.html

Updated package uploaded for Mageia 8.

Advisory:
========================

Updated wireshark packages fix security vulnerability:

The MS-WSP dissector could consume excessive amounts of memory
(CVE-2021-22207).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22207
https://www.wireshark.org/security/wnpa-sec-2021-04
https://www.wireshark.org/docs/relnotes/wireshark-3.4.5.html
https://www.wireshark.org/news/20210421.html
========================

Updated packages in core/updates_testing:
========================
wireshark-3.4.5-1.mga8
libwireshark-devel-3.4.5-1.mga8
wireshark-tools-3.4.5-1.mga8
libwiretap11-3.4.5-1.mga8
tshark-3.4.5-1.mga8
dumpcap-3.4.5-1.mga8
rawshark-3.4.5-1.mga8
libwsutil12-3.4.5-1.mga8
libwireshark14-3.4.5-1.mga8

from wireshark-3.4.5-1.mga8.src.rpm
Comment 1 David Walser 2021-05-13 23:09:16 CEST
Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Wireshark

Keywords: (none) => has_procedure

Comment 2 Aurelien Oudelet 2021-05-16 02:20:28 CEST
Adding possible already reported issue in Bug 28852.

CC: (none) => ouaurelien
Blocks: (none) => 28852

Comment 3 David Walser 2021-05-16 02:22:04 CEST
That's INVALID and has nothing to do with this update.

Blocks: 28852 => (none)

Comment 4 Brian Rockwell 2021-05-24 02:55:59 CEST
The following 14 packages are going to be installed:

- dumpcap-3.4.5-1.mga8.x86_64
- lib64bcg729_0-1.1.1-1.mga8.x86_64
- lib64nl-route3_200-3.5.0-2.mga8.x86_64
- lib64qt5multimedia5-5.15.2-1.mga8.x86_64
- lib64qt5printsupport5-5.15.2-4.2.mga8.x86_64
- lib64smi2-0.5.0-4.mga8.x86_64
- lib64snappy1-1.1.8-2.mga8.x86_64
- lib64wireshark14-3.4.5-1.mga8.x86_64
- lib64wiretap11-3.4.5-1.mga8.x86_64
- lib64wsutil12-3.4.5-1.mga8.x86_64
- libsmi-mibs-std-0.5.0-4.mga8.x86_64
- smi-tools-0.5.0-4.mga8.x86_64
- wireshark-3.4.5-1.mga8.x86_64
- wireshark-tools-3.4.5-1.mga8.x86_64


# uname -a
Linux localhost 5.10.37-desktop-2.mga8 #1 SMP Mon May 17 16:35:04 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux


# wireshark

Collected capture. Opened captures, filters work.

Can confirm wireshark appears to be working as designed.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => brtians1

Comment 5 Thomas Andrews 2021-05-26 01:32:10 CEST
Validating. Advisory in Comment 0.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Aurelien Oudelet 2021-05-26 18:19:52 CEST

Keywords: (none) => advisory
CVE: (none) => CVE-2021-22207

Comment 6 Mageia Robot 2021-05-27 15:44:41 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0222.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

