Hi Balint,

On Sun, May 02, 2021 at 10:09:13PM +0200, Balint Reczey wrote:
> Control: tags -1 pending confirmed
>
> Hi Salvatore,
>
> On Fri, Apr 30, 2021 at 10:57 PM Salvatore Bonaccorso <car...@debian.org> wrote:
> >
> > Source: wireshark
> > Version: 3.4.4-1
> > Severity: important
> > Tags: security upstream
> > Forwarded: https://gitlab.com/wireshark/wireshark/-/issues/17331
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
> >
> > Hi,
> >
> > The following vulnerability was published for wireshark.
> >
> > CVE-2021-22207[0]:
> > | Excessive memory consumption in MS-WSP dissector in Wireshark 3.4.0 to
> > | 3.4.4 and 3.2.0 to 3.2.12 allows denial of service via packet
> > | injection or crafted capture file
> >
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> I've prepared the next upload including this fix at
> https://salsa.debian.org/debian/wireshark/-/commits/debian/master but
> have not uploaded it because I did not consider this vulnerability
> important enough to ask an exception for the freeze.
>
> I will happily do the upload if it gets unblocked.

Thanks. I do agree, the issue itself might not be important enough,
and in fact for buster we marked it postponed, which can be fixed in a
future update. Advantage if it gets unblocked would be that we can
start bullseye with a "fresh"/clean state (unless a next round appears
between now and the actual bullseye release).

Thanks for your work on wireshark!

Regards,
Salvatore