2015-02-04 20:35:33 |
Thomas Ward |
bug |
|
|
added bug |
2015-02-04 20:36:05 |
Thomas Ward |
description |
There are several new vulnerabilities found in Wireshark in 2015.
WCCP Dissector Crash (CVE-2015-0559, CVE-2015-0560) (https://www.wireshark.org/security/wnpa-sec-2015-01.html)
Description: The WCCP dissector could crash.
Impact: "It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file."
LPP dissector crash (CVE-2015-0561) (https://www.wireshark.org/security/wnpa-sec-2015-02.html)
Description: The LPP dissector could crash.
Impact: It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.
DEC DNA Routing Protocol dissector crash (CVE-2015-0562) (https://www.wireshark.org/security/wnpa-sec-2015-03.html)
Description: The DEC DNA Routing Protocol dissector could crash.
Impact: It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.
SMTP dissector crash (CVE-2015-0563) (https://www.wireshark.org/security/wnpa-sec-2015-04.html)
Description: The SMTP dissector could crash.
Impact: It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.
TLS/SSL decryption crash (CVE-2015-0564) (https://www.wireshark.org/security/wnpa-sec-2015-05.html)
Description: Wireshark could underflow a buffer while decypting TLS/SSL sessions. Discovered by Noam Rathaus.
Impact: "It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file."
------
Debian has already patched these in 1.12.1+g01b65bf-3.
Vivid is unaffected as it has the Debian version in which this is fixed. Utopic is known to be affected as it is an affected (and unpatched) 1.12.x version. Trusty is also known to be affected, as it has an affected (and unpatched) version of 1.10.x.
Precise is assumed to be affected, however this is unconfirmed.
------
A debdiff shall be attached to this bug shortly for Utopic. |
There are several new vulnerabilities found in Wireshark in 2015.
WCCP Dissector Crash (CVE-2015-0559, CVE-2015-0560)
(https://www.wireshark.org/security/wnpa-sec-2015-01.html)
Description: The WCCP dissector could crash.
Impact: "It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file."
LPP dissector crash (CVE-2015-0561)
(https://www.wireshark.org/security/wnpa-sec-2015-02.html)
Description: The LPP dissector could crash.
Impact: It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.
DEC DNA Routing Protocol dissector crash (CVE-2015-0562)
(https://www.wireshark.org/security/wnpa-sec-2015-03.html)
Description: The DEC DNA Routing Protocol dissector could crash.
Impact: It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.
SMTP dissector crash (CVE-2015-0563)
(https://www.wireshark.org/security/wnpa-sec-2015-04.html)
Description: The SMTP dissector could crash.
Impact: It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file.
TLS/SSL decryption crash (CVE-2015-0564)
(https://www.wireshark.org/security/wnpa-sec-2015-05.html)
Description: Wireshark could underflow a buffer while decypting TLS/SSL sessions. Discovered by Noam Rathaus.
Impact: "It may be possible to make Wireshark crash by injecting a malformed packet onto the wire or by convincing someone to read a malformed packet trace file."
------
Debian has already patched these in 1.12.1+g01b65bf-3.
Vivid is unaffected as it has the Debian version in which this is fixed. Utopic is known to be affected as it is an affected (and unpatched) 1.12.x version. Trusty is also known to be affected, as it has an affected (and unpatched) version of 1.10.x.
Precise is assumed to be affected, however this is unconfirmed.
------
A debdiff shall be attached to this bug shortly for Utopic. |
|
2015-02-04 20:36:27 |
Thomas Ward |
nominated for series |
|
Ubuntu Precise |
|
2015-02-04 20:36:27 |
Thomas Ward |
nominated for series |
|
Ubuntu Utopic |
|
2015-02-04 20:36:27 |
Thomas Ward |
nominated for series |
|
Ubuntu Trusty |
|
2015-02-04 20:38:07 |
Marc Deslauriers |
bug task added |
|
wireshark (Ubuntu Precise) |
|
2015-02-04 20:38:12 |
Marc Deslauriers |
bug task added |
|
wireshark (Ubuntu Trusty) |
|
2015-02-04 20:38:18 |
Marc Deslauriers |
bug task added |
|
wireshark (Ubuntu Utopic) |
|
2015-02-04 20:39:15 |
Thomas Ward |
wireshark (Ubuntu): status |
Confirmed |
Fix Released |
|
2015-02-04 20:39:18 |
Thomas Ward |
wireshark (Ubuntu Precise): status |
New |
Confirmed |
|
2015-02-04 20:39:21 |
Thomas Ward |
wireshark (Ubuntu Trusty): status |
New |
Confirmed |
|
2015-02-04 20:39:22 |
Thomas Ward |
wireshark (Ubuntu Utopic): status |
New |
Confirmed |
|
2015-02-04 20:39:23 |
Thomas Ward |
wireshark (Ubuntu Precise): importance |
Undecided |
Medium |
|
2015-02-04 20:39:26 |
Thomas Ward |
wireshark (Ubuntu Utopic): importance |
Undecided |
Medium |
|
2015-02-04 20:39:29 |
Thomas Ward |
wireshark (Ubuntu Trusty): importance |
Undecided |
Medium |
|
2015-02-04 20:51:07 |
Thomas Ward |
cve linked |
|
2015-0559 |
|
2015-02-04 20:51:17 |
Thomas Ward |
cve linked |
|
2015-0560 |
|
2015-02-04 20:51:29 |
Thomas Ward |
cve linked |
|
2015-0561 |
|
2015-02-04 20:51:48 |
Thomas Ward |
cve linked |
|
2015-0562 |
|
2015-02-04 20:51:57 |
Thomas Ward |
cve linked |
|
2015-0563 |
|
2015-02-04 20:52:12 |
Thomas Ward |
cve linked |
|
2015-0564 |
|
2015-02-04 20:58:57 |
Thomas Ward |
wireshark (Ubuntu Precise): status |
Confirmed |
New |
|
2015-02-04 21:03:16 |
Thomas Ward |
attachment added |
|
Debdiff for Utopic (excluding GTK crash patch from Debian) https://bugs.launchpad.net/ubuntu/+source/wireshark/+bug/1418211/+attachment/4312479/+files/wireshark-security-utopic-LP1418211.debdiff |
|
2015-02-04 21:04:54 |
Thomas Ward |
attachment removed |
Debdiff for Utopic (excluding GTK crash patch from Debian) https://bugs.launchpad.net/ubuntu/+source/wireshark/+bug/1418211/+attachment/4312479/+files/wireshark-security-utopic-LP1418211.debdiff |
|
|
2015-02-04 21:10:16 |
Thomas Ward |
attachment added |
|
Debdiff for Utopic (excluding GTK crash patch from Debian) https://bugs.launchpad.net/ubuntu/+source/wireshark/+bug/1418211/+attachment/4312486/+files/wireshark-security-utopic-LP1418211.debdiff |
|
2015-02-04 21:16:47 |
Thomas Ward |
bug |
|
|
added subscriber Ubuntu Security Sponsors Team |
2015-02-05 16:01:27 |
Marc Deslauriers |
wireshark (Ubuntu Utopic): status |
Confirmed |
Fix Committed |
|
2015-02-05 16:01:30 |
Marc Deslauriers |
removed subscriber Ubuntu Security Sponsors Team |
|
|
|
2015-02-05 18:26:15 |
Launchpad Janitor |
wireshark (Ubuntu Utopic): status |
Fix Committed |
Fix Released |
|
2021-10-14 01:25:10 |
Steve Langasek |
wireshark (Ubuntu Precise): status |
New |
Won't Fix |
|