
Debian Bug report logs - #929446
wireshark: CVE-2019-12295


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 23 May 2019 18:00:02 UTC

Severity: grave

Tags: security, upstream

Found in versions wireshark/2.6.8-1, wireshark/2.6.7-1~deb9u1

Fixed in version wireshark/2.6.8-1.1

Done: toddy@debian.org (Dr. Tobias Quathamer)

Forwarded to https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15778



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Balint Reczey <rbalint@ubuntu.com>:
Bug#929446; Package src:wireshark. (Thu, 23 May 2019 18:00:05 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Balint Reczey <rbalint@ubuntu.com>. (Thu, 23 May 2019 18:00:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wireshark: CVE-2019-12295
Date: Thu, 23 May 2019 19:56:24 +0200
Source: wireshark
Version: 2.6.8-1
Severity: grave
Tags: security upstream
Forwarded: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15778
Control: found -1 2.6.7-1~deb9u1

Hi,

The following vulnerability was published for wireshark.

CVE-2019-12295[0]:
| In Wireshark 3.0.0 to 3.0.1, 2.6.0 to 2.6.8, and 2.4.0 to 2.4.14, the
| dissection engine could crash. This was addressed in epan/packet.c by
| restricting the number of layers and consequently limiting recursion.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-12295
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12295
[1] https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15778
[2] https://www.wireshark.org/security/wnpa-sec-2019-19.html

Regards,
Salvatore
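The CVE text above says the upstream fix in epan/packet.c restricts the number of layers and thereby bounds recursion. What follows is an added example, not Wireshark's code and not part of this bug report: a toy recursive dissector for a constructed two-byte-header encapsulation, with a depth guard of the kind that description implies. The packet format, the names `dissect_layer`, `dissect_packet`, `build_nested`, the wrappers `layers_for_nesting` / `limit_hit_for_nesting`, and the limit `LAYER_MAX_RECURSION_DEPTH` (set to 64) are all assumptions made for this illustration. Without such a guard the recursion depth is whatever the packet's nesting says it is, that is, under the sender's control; with the guard, dissection stops at the limit and reports that it did.

```c
/* Added example: toy recursive "layer" dissector with a recursion-depth
 * guard, illustrating the kind of fix described for CVE-2019-12295
 * (restricting the number of layers to bound recursion). This is NOT
 * Wireshark's code; the packet format, names and limit value are
 * assumptions made for this illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed limit for this example; not Wireshark's constant or value. */
#define LAYER_MAX_RECURSION_DEPTH 64

/* Toy encapsulation: each layer is a 2-byte header followed by its payload.
 *   byte 0: type   (0x01 = payload is another layer, anything else = leaf)
 *   byte 1: payload length in bytes
 */
#define LAYER_HDR_LEN     2
#define LAYER_TYPE_NESTED 0x01

typedef struct {
    unsigned layers;     /* layers actually dissected */
    int      limit_hit;  /* 1 if the depth guard stopped dissection */
} dissect_info;

/* Recursive dissector. Without the depth check, recursion goes as deep as
 * the packet's nesting says, i.e. as deep as the sender wants. */
static void dissect_layer(const uint8_t *buf, size_t len, unsigned depth,
                          dissect_info *info)
{
    uint8_t type;
    size_t  plen;

    if (len < LAYER_HDR_LEN)
        return;                              /* truncated header: stop */
    if (depth >= LAYER_MAX_RECURSION_DEPTH) {
        info->limit_hit = 1;                 /* the guard: refuse to go deeper */
        return;
    }
    info->layers++;
    type = buf[0];
    plen = buf[1];
    if (plen > len - LAYER_HDR_LEN)
        plen = len - LAYER_HDR_LEN;          /* never trust the length past the buffer */
    if (type == LAYER_TYPE_NESTED)
        dissect_layer(buf + LAYER_HDR_LEN, plen, depth + 1, info);
    /* leaf payload is opaque here; nothing more to do */
}

dissect_info dissect_packet(const uint8_t *buf, size_t len)
{
    dissect_info info = {0, 0};
    dissect_layer(buf, len, 0, &info);
    return info;
}

/* Build a constructed test packet: n nested layers wrapping one leaf layer.
 * Returns the packet length, or 0 if it does not fit (cap or 1-byte length). */
size_t build_nested(uint8_t *out, size_t cap, unsigned n)
{
    size_t   total = (size_t)(n + 1) * LAYER_HDR_LEN;
    unsigned i;

    if (total > cap || total - LAYER_HDR_LEN > 255)
        return 0;
    for (i = 0; i < n; i++) {
        out[2 * i]     = LAYER_TYPE_NESTED;
        out[2 * i + 1] = (uint8_t)(total - LAYER_HDR_LEN * (i + 1));
    }
    out[2 * n]     = 0x00;                   /* leaf layer */
    out[2 * n + 1] = 0;
    return total;
}

/* Convenience wrappers: dissect a constructed packet with n nested layers. */
unsigned layers_for_nesting(unsigned n)
{
    uint8_t pkt[512];
    size_t  len = build_nested(pkt, sizeof pkt, n);
    return dissect_packet(pkt, len).layers;
}

int limit_hit_for_nesting(unsigned n)
{
    uint8_t pkt[512];
    size_t  len = build_nested(pkt, sizeof pkt, n);
    return dissect_packet(pkt, len).limit_hit;
}

int main(void)
{
    printf("10 nested layers:  %u layers, limit hit = %d\n",
           layers_for_nesting(10), limit_hit_for_nesting(10));
    printf("100 nested layers: %u layers, limit hit = %d\n",
           layers_for_nesting(100), limit_hit_for_nesting(100));
    return 0;
}
```

With 10 nested layers all 11 (10 wrappers plus the leaf) are dissected and the guard never fires; with 100 nested layers dissection stops after 64 and `limit_hit` is set. The 1-byte length field happens to cap nesting in this toy format; real encapsulations give no such cap, which is why a bound enforced centrally by the dissection engine, as the CVE text describes for epan/packet.c, protects every dissector at once.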



Marked as found in versions wireshark/2.6.7-1~deb9u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 23 May 2019 18:00:05 GMT) (full text, mbox, link).


Reply sent to toddy@debian.org (Dr. Tobias Quathamer):
You have taken responsibility. (Mon, 27 May 2019 14:45:03 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 27 May 2019 14:45:03 GMT) (full text, mbox, link).


Message #12 received at 929446-close@bugs.debian.org (full text, mbox, reply):

From: toddy@debian.org (Dr. Tobias Quathamer)
To: 929446-close@bugs.debian.org
Subject: Bug#929446: fixed in wireshark 2.6.8-1.1
Date: Mon, 27 May 2019 14:42:22 +0000
Source: wireshark
Source-Version: 2.6.8-1.1

We believe that the bug you reported is fixed in the latest version of
wireshark, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 929446@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dr. Tobias Quathamer <toddy@debian.org> (supplier of updated wireshark package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 27 May 2019 16:08:44 +0200
Source: wireshark
Architecture: source
Version: 2.6.8-1.1
Distribution: unstable
Urgency: medium
Maintainer: Balint Reczey <rbalint@ubuntu.com>
Changed-By: Dr. Tobias Quathamer <toddy@debian.org>
Closes: 929446
Changes:
 wireshark (2.6.8-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2019-12295
     In Wireshark 3.0.0 to 3.0.1, 2.6.0 to 2.6.8, and 2.4.0 to 2.4.14,
     the dissection engine could crash. This was addressed in
     epan/packet.c by restricting the number of layers and
     consequently limiting recursion. (Closes: #929446)
Checksums-Sha1:
 638a99183f0251eae3adcddc57e683e3b925ec84 3531 wireshark_2.6.8-1.1.dsc
 55c82bbb3e02077378a512f69f6ff8e0f4dcc5cf 71716 wireshark_2.6.8-1.1.debian.tar.xz
 e4ea88d8c0ddfbc1e510b9c76d088d2229e2eebc 25763 wireshark_2.6.8-1.1_amd64.buildinfo
Checksums-Sha256:
 71f0a3be5a1360c0b2e60eda3f71fc9d771254099e2296ed0839679c61f41b5a 3531 wireshark_2.6.8-1.1.dsc
 4161d9c12abceb7ffce74e581b5762f4ee49f947b06fb690b408a95be1c8bd2c 71716 wireshark_2.6.8-1.1.debian.tar.xz
 8f16585bc19d4455fcd4ae73c811e8494d7211a1dada520252db807480b54941 25763 wireshark_2.6.8-1.1_amd64.buildinfo
Files:
 00b410721d6db832f99b54d345fe28ae 3531 net optional wireshark_2.6.8-1.1.dsc
 6c5f09f829283d29f4d3211f40839c5d 71716 net optional wireshark_2.6.8-1.1.debian.tar.xz
 821834ae84ee480417346744f29fe2aa 25763 net optional wireshark_2.6.8-1.1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Balint Reczey <rbalint@ubuntu.com>:
Bug#929446; Package src:wireshark. (Mon, 27 May 2019 17:09:02 GMT) (full text, mbox, link).


Acknowledgement sent to Balint Reczey <balint.reczey@canonical.com>:
Extra info received and forwarded to list. Copy sent to Balint Reczey <rbalint@ubuntu.com>. (Mon, 27 May 2019 17:09:02 GMT) (full text, mbox, link).


Message #17 received at 929446@bugs.debian.org (full text, mbox, reply):

From: Balint Reczey <balint.reczey@canonical.com>
To: 929446@bugs.debian.org
Cc: "Dr. Tobias Quathamer" <toddy@debian.org>
Subject: Re: Bug#929446: marked as done (wireshark: CVE-2019-12295)
Date: Mon, 27 May 2019 19:04:23 +0200
Hi Tobias,

Thank you for taking care of packages with open security issues, but
I'm wondering why you chose to do an immediate NMU.
I planned to upload 2.6.9-1 today following the usual process we agreed
on with the Security Team, and I believe fixing this bug 4 days after
it was opened is not an excessive amount of delay, especially since two
days were on a weekend.

Thanks,
Balint

On Mon, May 27, 2019 at 4:45 PM Debian Bug Tracking System
<owner@bugs.debian.org> wrote:
>
> Your message dated Mon, 27 May 2019 14:42:22 +0000
> with message-id <E1hVGpS-0009Xj-Fo@fasolo.debian.org>
> and subject line Bug#929446: fixed in wireshark 2.6.8-1.1
> has caused the Debian Bug report #929446,
> regarding wireshark: CVE-2019-12295
> to be marked as done.
>
> This means that you claim that the problem has been dealt with.
> If this is not the case it is now your responsibility to reopen the
> Bug report if necessary, and/or fix the problem forthwith.
>
> (NB: If you are a system administrator and have no idea what this
> message is talking about, this may indicate a serious mail system
> misconfiguration somewhere. Please contact owner@bugs.debian.org
> immediately.)
>
>
> --
> 929446: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929446
> Debian Bug Tracking System
> Contact owner@bugs.debian.org with problems
>
>
>
> ---------- Forwarded message ----------
> From: Salvatore Bonaccorso <carnil@debian.org>
> To: Debian Bug Tracking System <submit@bugs.debian.org>
> Cc:
> Bcc:
> Date: Thu, 23 May 2019 19:56:24 +0200
> Subject: wireshark: CVE-2019-12295
> Source: wireshark
> Version: 2.6.8-1
> Severity: grave
> Tags: security upstream
> Forwarded: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15778
> Control: found -1 2.6.7-1~deb9u1
>
> Hi,
>
> The following vulnerability was published for wireshark.
>
> CVE-2019-12295[0]:
> | In Wireshark 3.0.0 to 3.0.1, 2.6.0 to 2.6.8, and 2.4.0 to 2.4.14, the
> | dissection engine could crash. This was addressed in epan/packet.c by
> | restricting the number of layers and consequently limiting recursion.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2019-12295
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12295
> [1] https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15778
> [2] https://www.wireshark.org/security/wnpa-sec-2019-19.html
>
> Regards,
> Salvatore
>
>
>
> ---------- Forwarded message ----------
> From: "Dr. Tobias Quathamer" <toddy@debian.org>
> To: 929446-close@bugs.debian.org
> Cc:
> Bcc:
> Date: Mon, 27 May 2019 14:42:22 +0000
> Subject: Bug#929446: fixed in wireshark 2.6.8-1.1
> Source: wireshark
> Source-Version: 2.6.8-1.1
>
> We believe that the bug you reported is fixed in the latest version of
> wireshark, which is due to be installed in the Debian FTP archive.
>
> A summary of the changes between this version and the previous one is
> attached.
>
> Thank you for reporting the bug, which will now be closed.  If you
> have further comments please address them to 929446@bugs.debian.org,
> and the maintainer will reopen the bug report if appropriate.
>
> Debian distribution maintenance software
> pp.
> Dr. Tobias Quathamer <toddy@debian.org> (supplier of updated wireshark package)
>
> (This message was generated automatically at their request; if you
> believe that there is a problem with it please contact the archive
> administrators by mailing ftpmaster@ftp-master.debian.org)
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Format: 1.8
> Date: Mon, 27 May 2019 16:08:44 +0200
> Source: wireshark
> Architecture: source
> Version: 2.6.8-1.1
> Distribution: unstable
> Urgency: medium
> Maintainer: Balint Reczey <rbalint@ubuntu.com>
> Changed-By: Dr. Tobias Quathamer <toddy@debian.org>
> Closes: 929446
> Changes:
>  wireshark (2.6.8-1.1) unstable; urgency=medium
>  .
>    * Non-maintainer upload.
>    * CVE-2019-12295
>      In Wireshark 3.0.0 to 3.0.1, 2.6.0 to 2.6.8, and 2.4.0 to 2.4.14,
>      the dissection engine could crash. This was addressed in
>      epan/packet.c by restricting the number of layers and
>      consequently limiting recursion. (Closes: #929446)
> Checksums-Sha1:
>  638a99183f0251eae3adcddc57e683e3b925ec84 3531 wireshark_2.6.8-1.1.dsc
>  55c82bbb3e02077378a512f69f6ff8e0f4dcc5cf 71716 wireshark_2.6.8-1.1.debian.tar.xz
>  e4ea88d8c0ddfbc1e510b9c76d088d2229e2eebc 25763 wireshark_2.6.8-1.1_amd64.buildinfo
> Checksums-Sha256:
>  71f0a3be5a1360c0b2e60eda3f71fc9d771254099e2296ed0839679c61f41b5a 3531 wireshark_2.6.8-1.1.dsc
>  4161d9c12abceb7ffce74e581b5762f4ee49f947b06fb690b408a95be1c8bd2c 71716 wireshark_2.6.8-1.1.debian.tar.xz
>  8f16585bc19d4455fcd4ae73c811e8494d7211a1dada520252db807480b54941 25763 wireshark_2.6.8-1.1_amd64.buildinfo
> Files:
>  00b410721d6db832f99b54d345fe28ae 3531 net optional wireshark_2.6.8-1.1.dsc
>  6c5f09f829283d29f4d3211f40839c5d 71716 net optional wireshark_2.6.8-1.1.debian.tar.xz
>  821834ae84ee480417346744f29fe2aa 25763 net optional wireshark_2.6.8-1.1_amd64.buildinfo
>
> -----BEGIN PGP SIGNATURE-----
>
> iQIzBAEBCAAdFiEE0cuPObxd7STF0seMEwLx8Dbr6xkFAlzr8vwACgkQEwLx8Dbr
> 6xk4Ag/+JpqEK+LFiT40ZkBPOobmDZlGSdNcimDcdKQJQ49HBzo/im11w9w/Udxf
> ZCy8bVGqZWLvKuzE0zsY6uCMG0uZxRAX8W8xyKGKNHxiInyNM2NkabZvkifBRg+V
> WcY8BsjHRS5kpP7grlDA4wkoG1y8StVLhNXmt45bmySaylpw7Fc7VVPKKd8gStSJ
> nT82ifOaTqsdV2YcJaoLlWl7+Z5N/O8xVuT9uB76zzC10pPyXQq461Mcf+GYvNLm
> CIQo1mLG2DQzxM8TDDKfk2UMWjutK21IIvCM1BGPPOTiESmapIVhmX2vX3pRrLoR
> /0dr2p2tJwiEsQ7iKD7CwJmtQ3kgQBojCbillRbSyKvHCL1pWImIKAlGQouxid53
> 0VAa07lyzFeLsHDcACRX/hVG7TZt86H6fw5wmHTKKD4hsP/3klIkKymsXaKu3bGi
> hbnsjhCnNG+DZLoxNv/cH5KMTpWdBneuT80wGqmpcsKBdlmp5U7HlJM/4fcxXAqn
> sRRauNxvgSWMIQMYmIj3fferJfjBbwYNWj3p82ED+evAueHFkHdN7Sv0qrbwc2dO
> 0yM+Ez/L1ocqsLA98DgxLq4jPKHBV+RAsthPvy6mYRJplcyW07KYMzwR6zNgIwN2
> cdw8XND8PBf5FjaFCHIP3F/6kZ/1DVuyyuecdQ91OYfczyoy5Rk=
> =Glfy
> -----END PGP SIGNATURE-----



-- 
Balint Reczey
Ubuntu & Debian Developer



Information forwarded to debian-bugs-dist@lists.debian.org, Balint Reczey <rbalint@ubuntu.com>:
Bug#929446; Package src:wireshark. (Mon, 27 May 2019 19:09:03 GMT) (full text, mbox, link).


Acknowledgement sent to "Dr. Tobias Quathamer" <toddy@debian.org>:
Extra info received and forwarded to list. Copy sent to Balint Reczey <rbalint@ubuntu.com>. (Mon, 27 May 2019 19:09:03 GMT) (full text, mbox, link).


Message #22 received at 929446@bugs.debian.org (full text, mbox, reply):

From: "Dr. Tobias Quathamer" <toddy@debian.org>
To: Balint Reczey <balint.reczey@canonical.com>, 929446@bugs.debian.org
Subject: Re: Bug#929446: marked as done (wireshark: CVE-2019-12295)
Date: Mon, 27 May 2019 21:07:59 +0200
Am 27.05.19 um 19:04 schrieb Balint Reczey:
> Hi Tobias,
> 
> Thank you for taking care of packages with open security issues, but
> I'm wondering why you chose to do an immediate NMU.
> I planned to upload 2.6.9-1 today following the usual process we agreed
> on with the Security Team, and I believe fixing this bug 4 days after
> it was opened is not an excessive amount of delay, especially since two
> days were on a weekend.
> 
> Thanks,
> Balint

Hi Balint,

You're right, four days is really not a long time. I took this bug from
the RC bug list on udd.d.o and somehow saw a date from the beginning of
April, so I wrongly assumed that this bug was nearly two months old
without any reaction from you. Probably I've mixed up a line on the UDD
page; I don't know where I got the wrong bug report date.

Shortly after I did the upload, I noticed that the bug is in fact only
four days old -- so I'm sorry about the upload, but I hope that it won't
interfere too much with your work.

Regards,
Tobias



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:12:48 2019; Machine Name: beach
