2014-11-27 19:17:17 |
Thomas Ward |
bug |
|
|
added bug |
2014-11-27 19:25:07 |
Thomas Ward |
attachment added |
|
Trusty Debdiff: 1.10.6-1 to 1.12.1+g01b65bf-2~14.04.1 https://bugs.launchpad.net/ubuntu/+source/wireshark/+bug/1397091/+attachment/4269829/+files/trusty_wireshark_1.10.6-1_1.12.1%2Bg01b65bf-2%7E14.04.1.debdiff |
|
2014-11-27 19:25:29 |
Thomas Ward |
attachment added |
|
Utopic Debdiff: 1.12.0+git+4fab41a1-1 to 1.12.1+g01b65bf-2~14.10.1 https://bugs.launchpad.net/ubuntu/+source/wireshark/+bug/1397091/+attachment/4269830/+files/utopic_wireshark_1.12.0%2Bgit%2B4fab41a1-1_1.12.1%2Bg01b65bf-2%7E14.10.1.debdiff |
|
2014-11-27 19:27:54 |
Thomas Ward |
attachment added |
|
Precise Debdiff: 1.6.7-1 to 1.12.1+g01b65bf-2~12.04.1 https://bugs.launchpad.net/ubuntu/+source/wireshark/+bug/1397091/+attachment/4269840/+files/precise_wireshark_1.6.7-1_1.12.1%2Bg01b65bf-2%7E12.04.1.debdiff.tar.gz |
|
2014-11-27 19:29:11 |
Thomas Ward |
summary |
[Security] Update Wireshark in all repositories to 1.12.1 from Vivid, please. |
[Security] Update Wireshark in all repositories to 1.12.1+g01b65bf-2 (from Vivid) |
|
2014-11-27 19:29:27 |
Thomas Ward |
summary |
[Security] Update Wireshark in all repositories to 1.12.1+g01b65bf-2 (from Vivid) |
[Security] Update Wireshark in Precise, Trusty, and Utopic to 1.12.1+g01b65bf-2 (from Vivid) |
|
2014-11-27 19:30:53 |
Thomas Ward |
attachment removed |
Precise Debdiff: 1.6.7-1 to 1.12.1+g01b65bf-2~12.04.1 https://bugs.launchpad.net/ubuntu/+source/wireshark/+bug/1397091/+attachment/4269840/+files/precise_wireshark_1.6.7-1_1.12.1%2Bg01b65bf-2%7E12.04.1.debdiff.tar.gz |
|
|
2014-11-27 19:31:42 |
Thomas Ward |
attachment added |
|
Precise Debdiff: 1.6.7-1 to 1.12.1+g01b65bf-2~12.04.1 https://bugs.launchpad.net/ubuntu/+source/wireshark/+bug/1397091/+attachment/4269841/+files/precise_wireshark_1.6.7-1_1.12.1%2Bg01b65bf-2%7E12.04.1.debdiff.gz |
|
2014-11-27 19:32:46 |
Thomas Ward |
bug |
|
|
added subscriber Ubuntu Security Sponsors Team |
2014-11-27 19:38:58 |
Thomas Ward |
description |
In discussion with the Security team yesterday (November 26, 2014) in #ubuntu-hardened on IRC, I began digging through the list of Wireshark CVEs, attempting to correct the tracker and get the CVE statuses updated to reflect what actually does affect the versions in Trusty and later, rather than sit there with a ton of yellow and orange on the tracker.
During the discussion while I was making the revisions in my own branch of the CVE tracker, it was proposed by Marc Deslauriers that we look into a full version bump in the Wireshark package for all stable releases. Further discussion with Seth Arnold after that with me settled on targeting this for Precise, Trusty, and Utopic.
Unfortunately, security handling of this package is... tricky. There are so many CVEs that it becomes unwieldy to try and patch each individual CVE. Further discussion today (November 27, 2014) and input from Marc supports that conclusion. Therefore, it was suggested that we investigate whether we can safely
Vivid already has the patches that are included in the upstream version 1.12.2, and therefore has CVE fixes for the ones which were fixed in 1.12.2. To that end, I propose that we do a security update for Wireshark and apply the package from Vivid (with changes as necessary for releases) to earlier releases in order to fix the numerous security updates that are pending for the package.
------
The attached debdiffs are based off of the Vivid package. The package in Vivid contains all the security fixes in 1.12.2. The update would bring Precise, Trusty, and Utopic into relative sync with the Vivid package.
The following are the details of the changes to the package that would need to be made for each release (and this will be outlined in debdiffs later) in order to build:
Precise:
* debian/control:
- libgnutls28-dev has a version specified in it. To build, this dependency needs its version specification to be adjusted to an earlier version number, with respect to what is in Precise
- Remove qt build deps, to prevent the Qt builds from being done/attempted.
- Remove the wireshark-qt package.
* debian/rules: There is a reference in the rules to the qtshark compiled executable. It needs to be removed in order for the builds to continue.
* debian/wireshark-qt.*: Remove the wireshark-qt package
Trusty:
* debian/control: program
- libgnutls28-dev has a version specified in it. To build, this dependency needs its version specification to be adjusted to an earlier version number, with respect to what is in Trusty
- Remove qt build deps, to prevent the Qt builds from being done/attempted.
- Remove the wireshark-qt package.
* debian/rules: There is a reference in the rules to the qtshark compiled executable. It needs to be removed in order for the builds to continue.
* debian/wireshark-qt.*: Remove the wireshark-qt package
Utopic:
No changes need to be made to the package other than a new changelog entry targeting utopic-security. The Qt Wireshark package already exists in Utopic, therefore it did not need to be removed.
------
There should not be any major regressions by doing the version bump. There may be some UI changes, however the functionality of Wireshark will be improved, with most (if not all) of the current CVEs against the package being fixed.
------
Test builds for the attached debdiffs (targeted for the release specifically instead of the security pocket, because of it being in a PPA) can be found here:
https://launchpad.net/~teward/+archive/ubuntu/wireshark-security/+packages |
In discussion with the Security team yesterday (November 26, 2014) in #ubuntu-hardened on IRC, I began digging through the list of Wireshark CVEs, attempting to correct the tracker and get the CVE statuses updated to reflect what actually does affect the versions in Trusty and later, rather than sit there with a ton of yellow and orange on the tracker.
During the discussion while I was making the revisions in my own branch of the CVE tracker, it was proposed by Marc Deslauriers that we look into a full version bump in the Wireshark package for all stable releases. Further discussion with Seth Arnold after that with me settled on targeting this for Precise, Trusty, and Utopic.
Unfortunately, security handling of this package is... tricky. There are so many CVEs that it becomes unwieldy to try and patch each individual CVE. Further discussion today (November 27, 2014) and input from Marc supports that conclusion. Therefore, it was suggested that we investigate updating the software to as close to latest as we can.
Vivid already has the patches that are included in the upstream version 1.12.2, and therefore has CVE fixes for the ones which were fixed in 1.12.2. To that end, I propose that we do a security update for Wireshark and apply the package from Vivid (with changes as necessary for releases) to earlier releases in order to fix the numerous security updates that are pending for the package.
------
The attached debdiffs are based off of the Vivid package. The package in Vivid contains all the security fixes in 1.12.2. The update would bring Precise, Trusty, and Utopic into relative sync with the Vivid package.
The following are the details of the changes to the package that would need to be made for each release (and this will be outlined in debdiffs later) in order to build:
Precise:
* debian/control:
- libgnutls28-dev has a version specified in it. To build, this dependency needs its version specification to be adjusted to an earlier version number, with respect to what is in Precise
- Remove qt build deps, to prevent the Qt builds from being done/attempted.
- Remove the wireshark-qt package.
* debian/rules: There is a reference in the rules to the qtshark compiled executable. It needs to be removed in order for the builds to continue.
* debian/wireshark-qt.*: Remove the wireshark-qt package
Trusty:
* debian/control: program
- libgnutls28-dev has a version specified in it. To build, this dependency needs its version specification to be adjusted to an earlier version number, with respect to what is in Trusty
- Remove qt build deps, to prevent the Qt builds from being done/attempted.
- Remove the wireshark-qt package.
* debian/rules: There is a reference in the rules to the qtshark compiled executable. It needs to be removed in order for the builds to continue.
* debian/wireshark-qt.*: Remove the wireshark-qt package
Utopic:
No changes need to be made to the package other than a new changelog entry targeting utopic-security. The Qt Wireshark package already exists in Utopic, therefore it did not need to be removed.
------
There should not be any major regressions by doing the version bump. There may be some UI changes, however the functionality of Wireshark will be improved, with most (if not all) of the current CVEs against the package being fixed.
------
Test builds for the attached debdiffs (targeted for the release specifically instead of the security pocket, because of it being in a PPA) can be found here:
https://launchpad.net/~teward/+archive/ubuntu/wireshark-security/+packages |
|
2014-11-28 19:11:34 |
Thomas Ward |
removed subscriber Ubuntu Security Sponsors Team |
|
|
|
2014-11-28 19:16:22 |
Thomas Ward |
attachment removed |
Precise Debdiff: 1.6.7-1 to 1.12.1+g01b65bf-2~12.04.1 https://bugs.launchpad.net/ubuntu/+source/wireshark/+bug/1397091/+attachment/4269841/+files/precise_wireshark_1.6.7-1_1.12.1%2Bg01b65bf-2%7E12.04.1.debdiff.gz |
|
|
2014-11-28 19:16:32 |
Thomas Ward |
attachment removed |
Trusty Debdiff: 1.10.6-1 to 1.12.1+g01b65bf-2~14.04.1 https://bugs.launchpad.net/ubuntu/+source/wireshark/+bug/1397091/+attachment/4269829/+files/trusty_wireshark_1.10.6-1_1.12.1%2Bg01b65bf-2%7E14.04.1.debdiff |
|
|
2014-11-30 03:57:14 |
Adolfo Jayme Barrientos |
wireshark (Ubuntu): importance |
Undecided |
High |
|
2014-12-03 23:25:29 |
Thomas Ward |
summary |
[Security] Update Wireshark in Precise, Trusty, and Utopic to 1.12.1+g01b65bf-2 (from Vivid) |
[Security] Update Wireshark in Precise, Trusty, and Utopic to include relevant security patches. |
|
2014-12-03 23:25:40 |
Thomas Ward |
nominated for series |
|
Ubuntu Precise |
|
2014-12-03 23:25:40 |
Thomas Ward |
nominated for series |
|
Ubuntu Utopic |
|
2014-12-03 23:25:40 |
Thomas Ward |
nominated for series |
|
Ubuntu Trusty |
|
2014-12-03 23:27:46 |
Thomas Ward |
description |
In discussion with the Security team yesterday (November 26, 2014) in #ubuntu-hardened on IRC, I began digging through the list of Wireshark CVEs, attempting to correct the tracker and get the CVE statuses updated to reflect what actually does affect the versions in Trusty and later, rather than sit there with a ton of yellow and orange on the tracker.
During the discussion while I was making the revisions in my own branch of the CVE tracker, it was proposed by Marc Deslauriers that we look into a full version bump in the Wireshark package for all stable releases. Further discussion with Seth Arnold after that with me settled on targeting this for Precise, Trusty, and Utopic.
Unfortunately, security handling of this package is... tricky. There are so many CVEs that it becomes unwieldy to try and patch each individual CVE. Further discussion today (November 27, 2014) and input from Marc supports that conclusion. Therefore, it was suggested that we investigate updating the software to as close to latest as we can.
Vivid already has the patches that are included in the upstream version 1.12.2, and therefore has CVE fixes for the ones which were fixed in 1.12.2. To that end, I propose that we do a security update for Wireshark and apply the package from Vivid (with changes as necessary for releases) to earlier releases in order to fix the numerous security updates that are pending for the package.
------
The attached debdiffs are based off of the Vivid package. The package in Vivid contains all the security fixes in 1.12.2. The update would bring Precise, Trusty, and Utopic into relative sync with the Vivid package.
The following are the details of the changes to the package that would need to be made for each release (and this will be outlined in debdiffs later) in order to build:
Precise:
* debian/control:
- libgnutls28-dev has a version specified in it. To build, this dependency needs its version specification to be adjusted to an earlier version number, with respect to what is in Precise
- Remove qt build deps, to prevent the Qt builds from being done/attempted.
- Remove the wireshark-qt package.
* debian/rules: There is a reference in the rules to the qtshark compiled executable. It needs to be removed in order for the builds to continue.
* debian/wireshark-qt.*: Remove the wireshark-qt package
Trusty:
* debian/control: program
- libgnutls28-dev has a version specified in it. To build, this dependency needs its version specification to be adjusted to an earlier version number, with respect to what is in Trusty
- Remove qt build deps, to prevent the Qt builds from being done/attempted.
- Remove the wireshark-qt package.
* debian/rules: There is a reference in the rules to the qtshark compiled executable. It needs to be removed in order for the builds to continue.
* debian/wireshark-qt.*: Remove the wireshark-qt package
Utopic:
No changes need to be made to the package other than a new changelog entry targeting utopic-security. The Qt Wireshark package already exists in Utopic, therefore it did not need to be removed.
------
There should not be any major regressions by doing the version bump. There may be some UI changes, however the functionality of Wireshark will be improved, with most (if not all) of the current CVEs against the package being fixed.
------
Test builds for the attached debdiffs (targeted for the release specifically instead of the security pocket, because of it being in a PPA) can be found here:
https://launchpad.net/~teward/+archive/ubuntu/wireshark-security/+packages |
In further discussion with the security team and others, it's probably easier (and more acceptable all over at this time) to backport all the fixes for the bugs into the various affected Wireshark versions already present in the repositories.
The original description for the bug is below, and is kept for historical reasons. Additional changes and actions on the bug will be in the comments.
==================
[Original Description]
In discussion with the Security team yesterday (November 26, 2014) in #ubuntu-hardened on IRC, I began digging through the list of Wireshark CVEs, attempting to correct the tracker and get the CVE statuses updated to reflect what actually does affect the versions in Trusty and later, rather than sit there with a ton of yellow and orange on the tracker.
During the discussion while I was making the revisions in my own branch of the CVE tracker, it was proposed by Marc Deslauriers that we look into a full version bump in the Wireshark package for all stable releases. Further discussion with Seth Arnold after that with me settled on targeting this for Precise, Trusty, and Utopic.
Unfortunately, security handling of this package is... tricky. There are so many CVEs that it becomes unwieldy to try and patch each individual CVE. Further discussion today (November 27, 2014) and input from Marc supports that conclusion. Therefore, it was suggested that we investigate updating the software to as close to latest as we can.
Vivid already has the patches that are included in the upstream version 1.12.2, and therefore has CVE fixes for the ones which were fixed in 1.12.2. To that end, I propose that we do a security update for Wireshark and apply the package from Vivid (with changes as necessary for releases) to earlier releases in order to fix the numerous security updates that are pending for the package.
------
The attached debdiffs are based off of the Vivid package. The package in Vivid contains all the security fixes in 1.12.2. The update would bring Precise, Trusty, and Utopic into relative sync with the Vivid package.
The following are the details of the changes to the package that would need to be made for each release (and this will be outlined in debdiffs later) in order to build:
Precise:
* debian/control:
- libgnutls28-dev has a version specified in it. To build, this dependency needs its version specification to be adjusted to an earlier version number, with respect to what is in Precise
- Remove qt build deps, to prevent the Qt builds from being done/attempted.
- Remove the wireshark-qt package.
* debian/rules: There is a reference in the rules to the qtshark compiled executable. It needs to be removed in order for the builds to continue.
* debian/wireshark-qt.*: Remove the wireshark-qt package
Trusty:
* debian/control: program
- libgnutls28-dev has a version specified in it. To build, this dependency needs its version specification to be adjusted to an earlier version number, with respect to what is in Trusty
- Remove qt build deps, to prevent the Qt builds from being done/attempted.
- Remove the wireshark-qt package.
* debian/rules: There is a reference in the rules to the qtshark compiled executable. It needs to be removed in order for the builds to continue.
* debian/wireshark-qt.*: Remove the wireshark-qt package
Utopic:
No changes need to be made to the package other than a new changelog entry targeting utopic-security. The Qt Wireshark package already exists in Utopic, therefore it did not need to be removed.
------
There should not be any major regressions by doing the version bump. There may be some UI changes, however the functionality of Wireshark will be improved, with most (if not all) of the current CVEs against the package being fixed.
------
Test builds for the attached debdiffs (targeted for the release specifically instead of the security pocket, because of it being in a PPA) can be found here:
https://launchpad.net/~teward/+archive/ubuntu/wireshark-security/+packages |
|
2014-12-11 15:51:13 |
Marc Deslauriers |
bug task added |
|
wireshark (Ubuntu Precise) |
|
2014-12-11 15:51:26 |
Marc Deslauriers |
bug task added |
|
wireshark (Ubuntu Trusty) |
|
2014-12-11 15:51:32 |
Marc Deslauriers |
bug task added |
|
wireshark (Ubuntu Utopic) |
|
2014-12-11 15:55:10 |
Thomas Ward |
wireshark (Ubuntu Precise): importance |
Undecided |
High |
|
2014-12-11 15:55:10 |
Thomas Ward |
wireshark (Ubuntu Precise): status |
New |
In Progress |
|
2014-12-11 15:55:10 |
Thomas Ward |
wireshark (Ubuntu Precise): assignee |
|
Thomas Ward (teward) |
|
2014-12-11 15:55:22 |
Thomas Ward |
wireshark (Ubuntu Trusty): importance |
Undecided |
High |
|
2014-12-11 15:55:22 |
Thomas Ward |
wireshark (Ubuntu Trusty): status |
New |
In Progress |
|
2014-12-11 15:55:22 |
Thomas Ward |
wireshark (Ubuntu Trusty): assignee |
|
Thomas Ward (teward) |
|
2014-12-11 15:55:37 |
Thomas Ward |
wireshark (Ubuntu Utopic): importance |
Undecided |
High |
|
2014-12-11 15:55:37 |
Thomas Ward |
wireshark (Ubuntu Utopic): status |
New |
In Progress |
|
2014-12-11 15:55:37 |
Thomas Ward |
wireshark (Ubuntu Utopic): assignee |
|
Thomas Ward (teward) |
|
2014-12-11 23:32:00 |
Thomas Ward |
attachment added |
|
Utopic Debdiff: 1.12.0+git+4fab41a1-1 to 1.12.1+g01b65bf-2 (Utopic debian/ + 1.12.2 patches) https://bugs.launchpad.net/ubuntu/+source/wireshark/+bug/1397091/+attachment/4279080/+files/utopic_debdiff_1.12.0-Utopic_1.12.1-Vivid.debdiff |
|
2014-12-11 23:33:08 |
Thomas Ward |
wireshark (Ubuntu Utopic): status |
In Progress |
Confirmed |
|
2014-12-11 23:33:11 |
Thomas Ward |
wireshark (Ubuntu Utopic): assignee |
Thomas Ward (teward) |
|
|
2014-12-12 15:51:49 |
Thomas Ward |
attachment removed |
Utopic Debdiff: 1.12.0+git+4fab41a1-1 to 1.12.1+g01b65bf-2 (Utopic debian/ + 1.12.2 patches) https://bugs.launchpad.net/ubuntu/precise/+source/wireshark/+bug/1397091/+attachment/4279080/+files/utopic_debdiff_1.12.0-Utopic_1.12.1-Vivid.debdiff |
|
|
2014-12-12 16:20:47 |
Thomas Ward |
attachment added |
|
Utopic Debdiff: 1.12.0+git+4fab41a1-1 to 1.12.1+g01b65bf-2 (Utopic debian/ + 1.12.2 patches and some Vivid changes) https://bugs.launchpad.net/ubuntu/precise/+source/wireshark/+bug/1397091/+attachment/4279725/+files/utopic_debdiff_1.12.0-Utopic_1.12.1-Vivid.debdiff |
|
2014-12-12 20:59:09 |
Launchpad Janitor |
wireshark (Ubuntu Utopic): status |
Confirmed |
Fix Released |
|
2014-12-12 20:59:09 |
Launchpad Janitor |
cve linked |
|
2014-8710 |
|
2014-12-12 20:59:09 |
Launchpad Janitor |
cve linked |
|
2014-8711 |
|
2014-12-12 20:59:09 |
Launchpad Janitor |
cve linked |
|
2014-8712 |
|
2014-12-12 20:59:09 |
Launchpad Janitor |
cve linked |
|
2014-8713 |
|
2014-12-12 20:59:09 |
Launchpad Janitor |
cve linked |
|
2014-8714 |
|
2014-12-17 16:30:29 |
Rolf Leggewie |
bug |
|
|
added subscriber Rolf Leggewie |
2015-01-05 17:26:30 |
Thomas Ward |
wireshark (Ubuntu Precise): status |
In Progress |
Confirmed |
|
2015-01-05 17:26:30 |
Thomas Ward |
wireshark (Ubuntu Precise): assignee |
Thomas Ward (teward) |
|
|
2015-01-05 17:27:35 |
Thomas Ward |
wireshark (Ubuntu Trusty): status |
In Progress |
Confirmed |
|
2015-01-05 17:27:35 |
Thomas Ward |
wireshark (Ubuntu Trusty): assignee |
Thomas Ward (teward) |
|
|
2015-01-14 17:15:34 |
Chris Mazuc |
bug |
|
|
added subscriber Chris Mazuc |
2017-05-30 14:53:29 |
Tyler Hicks |
wireshark (Ubuntu Precise): status |
Confirmed |
Won't Fix |
|
2017-05-30 14:53:43 |
Tyler Hicks |
nominated for series |
|
Ubuntu Yakkety |
|
2017-05-30 14:53:43 |
Tyler Hicks |
bug task added |
|
wireshark (Ubuntu Yakkety) |
|
2017-05-30 14:53:43 |
Tyler Hicks |
nominated for series |
|
Ubuntu Xenial |
|
2017-05-30 14:53:43 |
Tyler Hicks |
bug task added |
|
wireshark (Ubuntu Xenial) |
|
2017-05-30 14:54:00 |
Tyler Hicks |
nominated for series |
|
Ubuntu Zesty |
|
2017-05-30 14:54:00 |
Tyler Hicks |
bug task added |
|
wireshark (Ubuntu Zesty) |
|
2017-05-30 14:54:16 |
Tyler Hicks |
wireshark (Ubuntu Xenial): status |
New |
Confirmed |
|
2017-05-30 14:54:19 |
Tyler Hicks |
wireshark (Ubuntu Yakkety): status |
New |
Confirmed |
|
2017-05-30 14:54:21 |
Tyler Hicks |
wireshark (Ubuntu Zesty): status |
New |
Confirmed |
|
2017-05-30 14:54:28 |
Tyler Hicks |
bug |
|
|
added subscriber Ubuntu Security Sponsors Team |
2017-06-06 01:42:32 |
Launchpad Janitor |
wireshark (Ubuntu Zesty): status |
Confirmed |
Fix Released |
|
2017-06-06 01:42:40 |
Launchpad Janitor |
wireshark (Ubuntu Trusty): status |
Confirmed |
Fix Released |
|
2017-06-06 01:42:43 |
Launchpad Janitor |
wireshark (Ubuntu Xenial): status |
Confirmed |
Fix Released |
|
2017-06-06 01:52:44 |
Launchpad Janitor |
wireshark (Ubuntu Yakkety): status |
Confirmed |
Fix Released |
|
2017-06-13 19:39:44 |
Marc Deslauriers |
wireshark (Ubuntu): status |
Confirmed |
Fix Released |
|
2017-07-10 15:37:56 |
tadas |
wireshark (Ubuntu): assignee |
|
tadas (blinda) |
|
2017-07-10 15:38:28 |
tadas |
wireshark (Ubuntu): assignee |
tadas (blinda) |
|
|