Bug#863380: unblock: wireshark/2.2.6+g32dac6a-2

2017-05-28 Thread Bálint Réczey
Control: tags -1 moreinfo

Hi Ivo,

2017-05-27 22:42 GMT+02:00 Ivo De Decker:
> Control: tags -1 confirmed moreinfo
>
> Hi,
>
> On Fri, May 26, 2017 at 12:25:07AM +0200, Bálint Réczey wrote:
>> I have prepared wireshark 2.2.6+g32dac6a-1 in experimental which fixes
>> 10 vulnerabilities and other bugs which are not listed here, just on
>> the release notes link.
>>
>> Changes:
>>  wireshark (2.2.6+g32dac6a-1) experimental; urgency=medium
>>  .
>>    * New upstream release
>>      - release notes:
>>        https://www.wireshark.org/docs/relnotes/wireshark-2.2.6.html
>>      - security fixes:
>>        - The IMAP dissector could crash (CVE-2017-7703)
>>        - The WBXML dissector could enter an infinite loop (CVE-2017-7702)
>>        - The NetScaler file parser could enter an infinite loop
>>          (CVE-2017-7700)
>>        - The RPCoRDMA dissector could enter an infinite loop (CVE-2017-7705)
>>        - The BGP dissector could enter an infinite loop (CVE-2017-7701)
>>        - The DOF dissector could enter an infinite loop (CVE-2017-7704)
>>        - The PacketBB dissector could crash (CVE-2017-7747)
>>        - The SLSK dissector could enter a long loop (CVE-2017-7746)
>>        - The SIGCOMP dissector could enter an infinite loop
>>          (CVE-2017-7745)
>>        - The WSP dissector could enter an infinite loop (CVE-2017-7748)
>>
>>
>> I believe wireshark point releases very rarely cause regressions due
>> to the heavy testing performed upstream and I think it would be safe
>> to upload this point release to unstable and let it migrate to
>> testing.
>>
>> If you wouldn't like to accept the full point release to Stretch I
>> will happily backport the security fixes to 2.2.5 and upload that to
>> unstable.
>>
>> Please share your preference regarding the next upload.
>
> Please go ahead with the upload to unstable and remove the moreinfo tag from
> this bug once the builds are done on all the relevant architectures.

Thank you, done.

>
> Also, please note that we are very close to the release date. More info about
> the deadlines in
> https://lists.debian.org/debian-devel-announce/2017/05/msg2.html

Thanks, I sent the unblock request shortly before the deadline and was already
prepared to update it and include only the targeted fixes.

Cheers,
Balint

>
> Cheers,
>
> Ivo
>



Bug#863380: unblock: wireshark/2.2.6+g32dac6a-2

2017-05-27 Thread Ivo De Decker
Control: tags -1 confirmed moreinfo

Hi,

On Fri, May 26, 2017 at 12:25:07AM +0200, Bálint Réczey wrote:
> I have prepared wireshark 2.2.6+g32dac6a-1 in experimental which fixes
> 10 vulnerabilities and other bugs which are not listed here, just on
> the release notes link.
> 
> Changes:
>  wireshark (2.2.6+g32dac6a-1) experimental; urgency=medium
>  .
>    * New upstream release
>      - release notes:
>        https://www.wireshark.org/docs/relnotes/wireshark-2.2.6.html
>      - security fixes:
>        - The IMAP dissector could crash (CVE-2017-7703)
>        - The WBXML dissector could enter an infinite loop (CVE-2017-7702)
>        - The NetScaler file parser could enter an infinite loop
>          (CVE-2017-7700)
>        - The RPCoRDMA dissector could enter an infinite loop (CVE-2017-7705)
>        - The BGP dissector could enter an infinite loop (CVE-2017-7701)
>        - The DOF dissector could enter an infinite loop (CVE-2017-7704)
>        - The PacketBB dissector could crash (CVE-2017-7747)
>        - The SLSK dissector could enter a long loop (CVE-2017-7746)
>        - The SIGCOMP dissector could enter an infinite loop
>          (CVE-2017-7745)
>        - The WSP dissector could enter an infinite loop (CVE-2017-7748)
> 
> 
> I believe wireshark point releases very rarely cause regressions due
> to the heavy testing performed upstream and I think it would be safe
> to upload this point release to unstable and let it migrate to
> testing.
> 
> If you wouldn't like to accept the full point release to Stretch I
> will happily backport the security fixes to 2.2.5 and upload that to
> unstable.
> 
> Please share your preference regarding the next upload.

Please go ahead with the upload to unstable and remove the moreinfo tag from
this bug once the builds are done on all the relevant architectures.

Also, please note that we are very close to the release date. More info about
the deadlines in
https://lists.debian.org/debian-devel-announce/2017/05/msg2.html

Cheers,

Ivo