group.of.nepali.translators team mailing list archive
-
group.of.nepali.translators team
-
Mailing list archive
-
Message #13694
[Bug 1397091] Re: [Security] Update Wireshark in Precise, Trusty, and Utopic to include relevant security patches.
This bug was fixed in the package wireshark - 2.2.6+g32dac6a-
2ubuntu0.16.10
---------------
wireshark (2.2.6+g32dac6a-2ubuntu0.16.10) yakkety; urgency=medium
* Security Update to Address Multiple CVEs (LP: #1397091)
-- Balint Reczey <rbalint@xxxxxxxxxx> Mon, 29 May 2017 20:10:55 +0200
** Changed in: wireshark (Ubuntu Yakkety)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1397091
Title:
[Security] Update Wireshark in Precise, Trusty, and Utopic to include
relevant security patches.
Status in wireshark package in Ubuntu:
Confirmed
Status in wireshark source package in Precise:
Won't Fix
Status in wireshark source package in Trusty:
Fix Released
Status in wireshark source package in Utopic:
Fix Released
Status in wireshark source package in Xenial:
Fix Released
Status in wireshark source package in Yakkety:
Fix Released
Status in wireshark source package in Zesty:
Fix Released
Bug description:
In further discussion with the security team and others, it's probably
easier (and more acceptable all over at this time) to backport all the
fixes for the bugs into the various affected Wireshark versions
already present in the repositories.
The original description for the bug is below, and is kept for
historical reasons. Additional changes and actions on the bug will be
in the comments.
==================
[Original Description]
In discussion with the Security team yesterday (November 26, 2014) in
#ubuntu-hardened on IRC, I began digging through the list of Wireshark
CVEs, attempting to correct the tracker and get the CVE statuses
updated to reflect what actually does affect the versions in Trusty
and later, rather than sit there with a ton of yellow and orange on
the tracker.
During the discussion while I was making the revisions in my own
branch of the CVE tracker, it was proposed by Marc Deslauriers that we
look into a full version bump in the Wireshark package for all stable
releases. Further discussion with Seth Arnold after that with me
settled on targeting this for Precise, Trusty, and Utopic.
Unfortunately, security handling of this package is... tricky. There
are so many CVEs that it becomes unwieldy to try and patch each
individual CVE. Further discussion today (November 27, 2014) and
input from Marc supports that conclusion. Therefore, it was suggested
that we investigate updating the software to as close to latest as we
can.
Vivid already has the patches that are included in the upstream
version 1.12.2, and therefore has CVE fixes for the ones which were
fixed in 1.12.2. To that end, I propose that we do a security update
for Wireshark and apply the package from Vivid (with changes as
necessary for releases) to earlier releases in order to fix the
numerous security updates that are pending for the package.
------
The attached debdiffs are based off of the Vivid package. The package
in Vivid contains all the security fixes in 1.12.2. The update would
bring the Precise, Trusty, and Utopic into relative sync with the
Vivid package.
The following is the details of the changes to the package that would
need to be done for each release (and this will be outlined in
debdiffs later) in order to build:
Precise:
* debian/control:
- libgnutls28-dev has a version specified in it. To build, this dependency needs its version specification to be adjusted to an earlier version number, with respect to what is in Precise
- Remove qt build deps, to prevent the Qt builds from being done/attempted.
- Remove the wireshark-qt package.
* debian/rules: There is a reference in the rules to the qtshark compiled executable. It needs to be removed in order for the builds to continue.
* debian/wireshark-qt.*: Remove the wireshark-qt package
Trusty:
* debian/control: program
- libgnutls28-dev has a version specified in it. To build, this dependency needs its version specification to be adjusted to an earlier version number, with respect to what is in Trusty
- Remove qt build deps, to prevent the Qt builds from being done/attempted.
- Remove the wireshark-qt package.
* debian/rules: There is a reference in the rules to the qtshark compiled executable. It needs to be removed in order for the builds to continue.
* debian/wireshark-qt.*: Remove the wireshark-qt package
Utopic:
No changes need to be made to the package other than a new changelog entry targeting utopic-security. The Qt Wireshark package already exists in Utopic, therefore it did not need to be removed.
------
There should not be any major regressions by doing the version bump.
There may be some UI changes, however the functionality of Wireshark
will be improved, with most (if not all) of the current CVEs against
the package being fixed.
------
Test builds for the attached debdiffs (targeted for the release
specifically instead of the security pocket, because of it being in a
PPA) can be found here:
https://launchpad.net/~teward/+archive/ubuntu/wireshark-
security/+packages
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/wireshark/+bug/1397091/+subscriptions