[Security] Multitude of Vulnerabilities against 1.6.7 in Precise

Bug #1401314 reported by Thomas Ward
Affects: wireshark (Ubuntu) | Status: In Progress | Importance: High | Assigned to: Thomas Ward
Nominated for Precise by Thomas Ward
Nominated for Vivid by Thomas Ward

Bug Description

The Wireshark CVE tracker for the Ubuntu Security Team is here: http://people.canonical.com/~ubuntu-security/cve/pkg/wireshark.html

Per the tracker, and upstream sources such as Debian and elsewhere, the version of Wireshark present in the Precise repositories is not only ancient but also full of security holes, and vulnerable to a huge multitude of CVEs.

The Precise version of the package is, therefore, in need of updating. We had initially looked at backporting Wireshark 1.12 to all releases before Vivid and Utopic; however, this would break private third-party modules and some software in the repositories which depend on the 1.6.x API, as the APIs are not backward compatible across Wireshark versions.

As such, that option went off the table, and the remaining option is to backport as many of the fixes as possible. To that end, this bug will serve as a master bug to cover those CVEs for which patches and fixes already exist for the 1.6.x branch. (Later bugs may be made for CVEs whose fixes need to be modified and manually backported / reverse-engineered.)

------

A little different from the usual triage: this bug has been created as "In Progress" and I have assigned it to myself. Given the large number of CVEs impacting it, I have set the Importance to "High" as a result.

The rationale for this is as follows:
(1) All the CVEs already exist and are confirmed.
(2) I will need several days to add each CVE to this bug and identify which CVEs need to be fixed.
(3) At the same time, I will be grabbing patches to incorporate into the packaging for a debdiff which will contain all the CVE fixes.
(4) Once 2 and 3 are completed, this bug will be marked as "Confirmed" and I will unsubscribe myself, at which point I will upload a Security debdiff for consideration and sponsoring by the Security team.

This is likely going to be a multi-day, if not multi-week, project. This is also not the only bug that will be made for this; it is merely the first of several that are likely to be made.

Evan Huus (eapache) wrote :

As mentioned in our previous discussion: it may simplify your life to move to the last stable 1.6 release (1.6.16 if I recall correctly) and only apply extra patches on top of that. Otherwise you will just end up duplicating a lot of work that the Wireshark team already did when the 1.6 series was still supported. Micro-releases within a series do not break the API and contain only security and bug fixes.
