Bugzilla – Full Text Bug Listing
| Summary: | VUL-0: CVE-2004-0507: ethereal: missed patches for security problems in ethereal | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Ludwig Nussel <lnussel> |
| Component: | Incidents | Assignee: | Thomas Biege <thomas> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Major | ||
| Priority: | P3 - Medium | CC: | postadal, security-team |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | CVE-2004-0507: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) | ||
| Found By: | --- | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
Ludwig Nussel
2004-10-13 16:34:45 UTC
I looked at other distributions and all of them made a version update from ethereal-0.10.3 to ethereal-0.10.4. I tried to find the problematic code in CVS, but it will take a lot of time, because the changes don't describe any security problem ;( and it is hard to tell what is a normal bug, a new feature or a security bug. Can I make a version update for the old distributions (in all of them we have ethereal-0.10.3)?

We'd need to ask the project managers. 94000 lines of diff between the versions is quite large, so this is not just a bugfix release. Those dissectors are all in separate files, right? Maybe it's possible to upgrade only the affected files. Does the cvs log on them help (or cvsps)?

We did version upgrades for ethereal in former updates too, apparently, even for SLES 8. ethereal is a leaf package, so it is mostly harmless to do so. I think we can do the same here.

Fedora upgraded the "affected files" (the patch has 6844 lines), but it is hard to say (and cvs log doesn't help much) whether all affected files were included.

Hi Petr, do you have news on this issue?

Sorry, I haven't seen any decision of the project managers, or the mail from kukuk you read.

ok, I thought there was some communication in the background...

as you read in the email... the gods have spoken. ;)

yes, I am trying to prepare a patch...

Ralf Flaxa wrote:
On Thu, Nov 18, 2004 at 01:04:48PM +0100, Thomas Biege wrote:
> > > >
> > > > I see possible problems with updates if we make a version update,
> > > > ethereal has a long list of requirements...
>
> Is this an official decision or will we get any feedback from the
> project managers too?
Nobody did object, so this is the decision.
Rationale:
Rule 1: We do not do any version updates during maintenance
Rule 2: We may do exceptions if backporting is impossible
or an unreasonable effort
Rule 3: We will definitely NOT do a version update if this will
likely cause additional dependency trouble in the future
So Rule 3 hits here.
Feel free to apply these rules in similar cases.
Ralf
I fixed and submitted ethereal for the following affected distributions: sles8, 8.2, 9.0, 9.1.

Thank you. I'll submit the patchinfo files ASAP. Petr, sles9 is not affected?

Sles9 is affected too (9.1 and sles9 used the same sources).

ok! submitted patchinfo files:
/work/src/done/PATCHINFO/patchinfo-box.ethereal
/work/src/done/PATCHINFO/patchinfo.ethereal

If 9.2 is not affected, why is it listed in the patchinfo file?

my mistake. it's removed now.

packages were approved

CVE-2004-0507: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
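The thread above weighs a full version update (a 94000-line diff between 0.10.3 and 0.10.4) against backporting only the dissector files that carry the fix, and notes the difficulty of confirming that a restricted patch covers every affected file. The script below is an added example written for this page, not code from the bug, from the ethereal project or from the SUSE maintainers. It builds two toy source trees (the file names packet-foo.c and packet-bar.c and their contents are constructed for illustration and have nothing to do with the real CVE-2004-0507 fix), compares the size of the whole-tree diff with a patch restricted to a named list of affected files, lists which files actually differ so the affected list can be cross-checked, and applies the restricted patch to the old tree. It assumes a diff that accepts -L labels (GNU or BSD) and the patch utility.

```shell
#!/bin/sh
# Added example: minimal backport patch from a full upstream release diff.
# Tree layout, file names and contents are constructed; nothing here is
# the real ethereal source or the real CVE-2004-0507 fix.
set -eu

# make_trees DIR: build toy "old" and "new" release trees under DIR.
make_trees() {
    d=$1
    mkdir -p "$d/old/epan/dissectors" "$d/new/epan/dissectors"
    # Dissector carrying the (hypothetical) security fix: unbounded copy
    # replaced by a bounded one.
    printf 'int foo(char *p) {\n  char buf[8];\n  strcpy(buf, p);\n  return 0;\n}\n' \
        > "$d/old/epan/dissectors/packet-foo.c"
    printf 'int foo(char *p) {\n  char buf[8];\n  strncpy(buf, p, sizeof buf - 1);\n  buf[sizeof buf - 1] = 0;\n  return 0;\n}\n' \
        > "$d/new/epan/dissectors/packet-foo.c"
    # Unrelated dissector with feature churn (must stay out of the backport).
    printf 'old feature\n' > "$d/old/epan/dissectors/packet-bar.c"
    printf 'new feature 1\nnew feature 2\nnew feature 3\n' > "$d/new/epan/dissectors/packet-bar.c"
    # Unchanged file.
    printf 'same\n' > "$d/old/README"
    printf 'same\n' > "$d/new/README"
}

# full_diff_lines OLD NEW: size of the whole-tree diff, i.e. what a version
# update would drag in.
full_diff_lines() {
    diff -ruN "$1" "$2" | wc -l | tr -d ' '
}

# changed_files OLD NEW: files that differ between the trees (paths relative
# to the tree), to cross-check against the list of supposedly affected files.
changed_files() {
    diff -rqN "$1" "$2" | awk '{print $2}' | sed "s#^$1/##"
}

# backport_patch OLD NEW OUT FILE...: unified diff restricted to FILE...,
# labelled a/ and b/ so it applies with patch -p1 inside the old tree.
backport_patch() {
    old=$1; new=$2; out=$3; shift 3
    : > "$out"
    for f in "$@"; do
        # diff exits 1 when the files differ; that is the expected case here.
        diff -u -L "a/$f" -L "b/$f" "$old/$f" "$new/$f" >> "$out" || true
    done
}

# apply_backport OLD PATCH: apply the restricted patch to the old tree.
apply_backport() {
    patch -p1 -d "$1" < "$2" > /dev/null
}

# Stand-alone demonstration.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_trees "$d"
    echo "whole-tree diff: $(full_diff_lines "$d/old" "$d/new") lines"
    echo "files that differ:"; changed_files "$d/old" "$d/new"
    backport_patch "$d/old" "$d/new" "$d/fix.patch" epan/dissectors/packet-foo.c
    echo "restricted patch: $(wc -l < "$d/fix.patch" | tr -d ' ') lines"
    apply_backport "$d/old" "$d/fix.patch"
    grep -n strncpy "$d/old/epan/dissectors/packet-foo.c"
    rm -rf "$d"
fi
```

Run it as `sh backport.sh demo`. The cross-check is the point: every file in the affected list should appear in `changed_files`, and anything in `changed_files` that is not on the list needs a look at its cvs log before deciding it is feature churn rather than part of the fix.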