Univention Bugzilla – Bug 52755
wireshark: Multiple issues (4.4)
Last modified: 2021-02-10 17:26:16 CET
New Debian wireshark 2.6.20-0+deb9u1 fixes:

This update addresses the following issues:
* missing dissection recursion checks lead to denial of service (CVE-2019-12295)
* ASN.1 BER dissector crash (wnpa-sec-2019-20) (CVE-2019-13619)
* gryphon dissector infinite loop (wnpa-sec-2019-21) (CVE-2019-16319)
* CMS dissector crash (wnpa-sec-2019-22) (CVE-2019-19553)
* invalid memory access in BT ATT dissector (CVE-2020-7045)
* injecting a malformed packet may cause the EAP dissector to crash due to out-of-bounds read (CVE-2020-9428)
* injecting a malformed packet may cause the WiMax DLMAP dissector to crash due to out-of-bounds read (CVE-2020-9430)
* LTE RRC dissector memory leak could result in excessive memory resource consumption (CVE-2020-9431)
* BACapp dissector crash (wnpa-sec-2020-07) (CVE-2020-11647)
* NFS dissector crash (wnpa-sec-2020-08) (CVE-2020-13164)
* GVCP dissector infinite loop (CVE-2020-15466)
* TCP dissector crash (wnpa-sec-2020-12) (CVE-2020-25862)
* MIME multipart dissector crash (wnpa-sec-2020-11) (CVE-2020-25863)
* Kafka dissector memory leak (wnpa-sec-2020-16) (CVE-2020-26418)
* USB HID dissector crash (wnpa-sec-2020-17) (CVE-2020-26421)
* FBZERO dissector could enter an infinite loop (CVE-2020-26575)
* malformed packet on wire could make GQUIC protocol dissector loop (CVE-2020-28030)
--- mirror/ftp/4.4/unmaintained/4.4-7/source/wireshark_2.6.8-1.1~deb9u1.dsc +++ apt/ucs_4.4-0-errata4.4-7/source/wireshark_2.6.20-0+deb9u1.dsc 
@@ -1,7 +1,41 @@ -2.6.8-1.1~deb9u1 [Sat, 31 Oct 2020 21:05:56 +0200] Adrian Bunk <bunk@debian.org>: +2.6.20-0+deb9u1 [Sun, 31 Jan 2021 19:44:22 +0200] Adrian Bunk <bunk@debian.org>: - * Non-maintainer upload by the LTS team. - * Rebuild for stretch. + * Non-maintainer upload. + * New upstream version including the following security fixes: + - CVE-2019-16319: The Gryphon dissector could go into an infinite loop. + - CVE-2019-19553: The CMS dissector could crash. + - CVE-2020-7045: The BT ATT dissector could crash. + - CVE-2020-9428: The EAP dissector could crash. + - CVE-2020-9430: The WiMax DLMAP dissector could crash. + - CVE-2020-9431: The LTE RRC dissector could leak memory. + - CVE-2020-11647: The BACapp dissector could crash. (Closes: #958213) + - CVE-2020-13164: The NFS dissector could crash. + - CVE-2020-15466: The GVCP dissector could go into an infinite loop. + - CVE-2020-25862: The TCP dissector could crash. + - CVE-2020-25863: The MIME Multipart dissector could crash. + * Adjust 17_libdir_location.patch for context changes. + * Since Wireshark 2.6.14 tests are run automatically by debhelper, + backport the build fix and making test failures non-fatal. + * CVE-2020-26575: The Facebook Zero Protocol (aka FBZERO) dissector + could enter an infinite loop. (Closes: #974688) + * CVE-2020-28030: The GQUIC dissector could crash. (Closes: #974689) + * CVE-2020-26418: Memory leak in the Kafka protocol dissector. + * CVE-2020-26421: Crash in USB HID protocol dissector. 
+ +2.6.10-1 [Wed, 17 Jul 2019 23:23:05 +0200] Balint Reczey <rbalint@ubuntu.com>: + + * New upstream version 2.6.10 + - security fixes: + - ASN.1 BER and related dissectors crash (CVE-2019-13619) + - fix QIcon crash on exit on Ubuntu 16.04 with Qt 5.5.1 (LP: #1803808) + * debian/gitlab-ci.yml: User minimal reference configuration + +2.6.9-1 [Thu, 30 May 2019 22:13:15 +0200] Balint Reczey <rbalint@ubuntu.com>: + + * Acknowledge NMU + * New upstream version 2.6.9 + * Drop obsolete CVE-2019-12295.patch + * Refresh patches 2.6.8-1.1 [Mon, 27 May 2019 16:08:44 +0200] Dr. Tobias Quathamer <toddy@debian.org>: <http://10.200.17.11/4.4-7/#1830791323758375061>
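Review bot: the 2.6.20-0+deb9u1 entry in this hunk describes CVE-2020-28030 as "The GQUIC dissector could crash", while the erratum text in the comment above describes it as a loop ("malformed packet on wire could make GQUIC protocol dissector loop"); the two descriptions should agree before the erratum is announced. Also, CVE-2019-12295 and CVE-2019-13619 are in the erratum's fix list but not in the 2.6.20-0+deb9u1 entry: they arrive through the 2.6.9-1 ("Drop obsolete CVE-2019-12295.patch") and 2.6.10-1 ("ASN.1 BER and related dissectors crash (CVE-2019-13619)") entries that this hunk also adds, i.e. via the upstream version bump rather than this upload's own changes, and the erratum wording could say so.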
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.4-7] 8aed2ad3b3 Bug #52755: wireshark 2.6.20-0+deb9u1
 doc/errata/staging/wireshark.yaml | 49 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
<https://errata.software-univention.de/#/?erratum=4.4x891>