Source: wireshark
Version: 1.12.1+g01b65bf-1
Severity: important
Tags: security patch upstream
Hi,

the following vulnerabilities were published for wireshark. Rationale for filing one bug for the three CVEs: I checked back to the 1.12.1+g01b65bf based version, and the CVEs should affect wireshark back in jessie (thus wheezy as well, with the same version) up to current unstable.

CVE-2017-11406[0]:
| In Wireshark 2.2.0 to 2.2.7 and 2.0.0 to 2.0.13, the DOCSIS dissector
| could go into an infinite loop. This was addressed in
| plugins/docsis/packet-docsis.c by rejecting invalid Frame Control
| parameter values.

CVE-2017-11407[1]:
| In Wireshark 2.2.0 to 2.2.7 and 2.0.0 to 2.0.13, the MQ dissector could
| crash. This was addressed in epan/dissectors/packet-mq.c by validating
| the fragment length before a reassembly attempt.

CVE-2017-11408[2]:
| In Wireshark 2.2.0 to 2.2.7 and 2.0.0 to 2.0.13, the AMQP dissector
| could crash. This was addressed in epan/dissectors/packet-amqp.c by
| checking for successful list dissection.

Note that the same set of applied CVEs also included CVE-2017-11409, which though only affects versions prior to 2.1.x, and CVE-2017-11410 and CVE-2017-11411, which were assigned due to incomplete fixes for CVE-2017-7702 and CVE-2017-9350 that were not applied to older releases. But please check the notes on the security-tracker for details.

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-11406
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11406
[1] https://security-tracker.debian.org/tracker/CVE-2017-11407
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11407
[2] https://security-tracker.debian.org/tracker/CVE-2017-11408
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11408

Please adjust the affected versions in the BTS as needed.
Salvatore

_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team

