← Back to team overview

group.of.nepali.translators team mailing list archive

[Bug 1397091] Re: [Security] Update Wireshark in Precise, Trusty, and Utopic to include relevant security patches.

 

This bug was fixed in the package wireshark - 2.2.6+g32dac6a-
2ubuntu0.16.10

---------------
wireshark (2.2.6+g32dac6a-2ubuntu0.16.10) yakkety; urgency=medium

  * Security Update to Address Multiple CVEs (LP: #1397091)

 -- Balint Reczey <rbalint@xxxxxxxxxx>  Mon, 29 May 2017 20:10:55 +0200

** Changed in: wireshark (Ubuntu Yakkety)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1397091

Title:
  [Security] Update Wireshark in Precise, Trusty, and Utopic to include
  relevant security patches.

Status in wireshark package in Ubuntu:
  Confirmed
Status in wireshark source package in Precise:
  Won't Fix
Status in wireshark source package in Trusty:
  Fix Released
Status in wireshark source package in Utopic:
  Fix Released
Status in wireshark source package in Xenial:
  Fix Released
Status in wireshark source package in Yakkety:
  Fix Released
Status in wireshark source package in Zesty:
  Fix Released

Bug description:
  In further discussion with the security team and others, it's probably
  easier (and more acceptable all over at this time) to backport all the
  fixes for the bugs into the various affected Wireshark versions
  already present in the repositories.

  The original description for the bug is below, and is kept for
  historical reasons.  Additional changes and actions on the bug will be
  in the comments.

  ==================

  [Original Description]

  In discussion with the Security team yesterday (November 26, 2014) in
  #ubuntu-hardened on IRC, I began digging through the list of Wireshark
  CVEs, attempting to correct the tracker and get the CVE statuses
  updated to reflect what actually does affect the versions in Trusty
  and later, rather than sit there with a ton of yellow and orange on
  the tracker.

  During the discussion while I was making the revisions in my own
  branch of the CVE tracker, it was proposed by Marc Deslauriers that we
  look into a full version bump in the Wireshark package for all stable
  releases.  Further discussion with Seth Arnold after that with me
  settled on targeting this for Precise, Trusty, and Utopic.

  Unfortunately, security handling of this package is... tricky.  There
  are so many CVEs that it becomes unwieldy to try and patch each
  individual CVE.  Further discussion today (November 27, 2014) and
  input from Marc supports that conclusion.  Therefore, it was suggested
  that we investigate updating the software to as close to latest as we
  can.

  Vivid already has the patches that are included in the upstream
  version 1.12.2, and therefore has CVE fixes for the ones which were
  fixed in 1.12.2.  To that end, I propose that we do a security update
  for Wireshark and apply the package from Vivid (with changes as
  necessary for releases) to earlier releases in order to fix the
  numerous security updates that are pending for the package.

  ------

  The attached debdiffs are based off of the Vivid package.  The package
  in Vivid contains all the security fixes in 1.12.2.  The update would
  bring the Precise, Trusty, and Utopic into relative sync with the
  Vivid package.

  The following is the details of the changes to the package that would
  need to be done for each release (and this will be outlined in
  debdiffs later) in order to build:

  Precise:
  * debian/control:
    - libgnutls28-dev has a version specified in it.  To build, this dependency needs its version specification to be adjusted to an earlier version number, with respect to what is in Precise
    - Remove qt build deps, to prevent the Qt builds from being done/attempted.
    - Remove the wireshark-qt package.
  * debian/rules: There is a reference in the rules to the qtshark compiled executable.  It needs to be removed in order for the builds to continue.
  * debian/wireshark-qt.*: Remove the wireshark-qt package

  Trusty:
  * debian/control:  program
    - libgnutls28-dev has a version specified in it.  To build, this dependency needs its version specification to be adjusted to an earlier version number, with respect to what is in Trusty
    - Remove qt build deps, to prevent the Qt builds from being done/attempted.
    - Remove the wireshark-qt package.
  * debian/rules: There is a reference in the rules to the qtshark compiled executable.  It needs to be removed in order for the builds to continue.
  * debian/wireshark-qt.*: Remove the wireshark-qt package

  Utopic:
  No changes need to be made to the package other than a new changelog entry targeting utopic-security.  The Qt Wireshark package already exists in Utopic, therefore it did not need to be removed.

  ------

  There should not be any major regressions by doing the version bump.
  There may be some UI changes, however the functionality of Wireshark
  will be improved, with most (if not all) of the current CVEs against
  the package being fixed.

  ------

  Test builds for the attached debdiffs (targeted for the release
  specifically instead of the security pocket, because of it being in a
  PPA) can be found here:

  https://launchpad.net/~teward/+archive/ubuntu/wireshark-
  security/+packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/wireshark/+bug/1397091/+subscriptions