** Summary changed:

- [Security] Update Wireshark in Precise, Trusty, and Utopic to 
1.12.1+g01b65bf-2 (from Vivid)
+ [Security] Update Wireshark in Precise, Trusty, and Utopic to include 
relevant security patches.

** Description changed:

+ In further discussion with the security team and others, it's probably
+ easier (and more acceptable all over at this time) to backport all the
+ fixes for the bugs into the various affected Wireshark versions already
+ present in the repositories.
+ 
+ The original description for the bug is below, and is kept for
+ historical reasons.  Additional changes and actions on the bug will be
+ in the comments.
+ 
+ ==================
+ 
+ [Original Description]
+ 
  In discussion with the Security team yesterday (November 26, 2014) in
  #ubuntu-hardened on IRC, I began digging through the list of Wireshark
  CVEs, attempting to correct the tracker and get the CVE statuses updated
  to reflect what actually does affect the versions in Trusty and later,
  rather than sit there with a ton of yellow and orange on the tracker.
  
  During the discussion while I was making the revisions in my own branch
  of the CVE tracker, it was proposed by Marc Deslauriers that we look
  into a full version bump in the Wireshark package for all stable
  releases.  Further discussion with Seth Arnold after that with me
  settled on targeting this for Precise, Trusty, and Utopic.
  
  Unfortunately, security handling of this package is... tricky.  There
  are so many CVEs that it becomes unwieldy to try and patch each
  individual CVE.  Further discussion today (November 27, 2014) and input
  from Marc supports that conclusion.  Therefore, it was suggested that we
  investigate updating the software to as close to latest as we can.
  
  Vivid already has the patches that are included in the upstream version
  1.12.2, and therefore has CVE fixes for the ones which were fixed in
  1.12.2.  To that end, I propose that we do a security update for
  Wireshark and apply the package from Vivid (with changes as necessary
  for releases) to earlier releases in order to fix the numerous security
  updates that are pending for the package.
  
  ------
  
  The attached debdiffs are based off of the Vivid package.  The package
  in Vivid contains all the security fixes in 1.12.2.  The update would
  bring the Precise, Trusty, and Utopic into relative sync with the Vivid
  package.
  
  The following are the details of the changes to the package that would
  need to be done for each release (and this will be outlined in debdiffs
  later) in order to build:
  
  Precise:
  * debian/control:
    - libgnutls28-dev has a version specified in it.  To build, this
      dependency needs its version specification to be adjusted to an
      earlier version number, with respect to what is in Precise.
    - Remove qt build deps, to prevent the Qt builds from being done/attempted.
    - Remove the wireshark-qt package.
  * debian/rules: There is a reference in the rules to the qtshark compiled
    executable.  It needs to be removed in order for the builds to continue.
  * debian/wireshark-qt.*: Remove the wireshark-qt package
  
  Trusty:
  * debian/control:
    - libgnutls28-dev has a version specified in it.  To build, this
      dependency needs its version specification to be adjusted to an
      earlier version number, with respect to what is in Trusty.
    - Remove qt build deps, to prevent the Qt builds from being done/attempted.
    - Remove the wireshark-qt package.
  * debian/rules: There is a reference in the rules to the qtshark compiled
    executable.  It needs to be removed in order for the builds to continue.
  * debian/wireshark-qt.*: Remove the wireshark-qt package
  
  Utopic:
  No changes need to be made to the package other than a new changelog entry
  targeting utopic-security.  The Qt Wireshark package already exists in
  Utopic, therefore it did not need to be removed.
  
  ------
  
  There should not be any major regressions by doing the version bump.
  There may be some UI changes, however the functionality of Wireshark
  will be improved, with most (if not all) of the current CVEs against the
  package being fixed.
  
  ------
  
  Test builds for the attached debdiffs (targeted for the release
  specifically instead of the security pocket, because of it being in a
  PPA) can be found here:
  
  https://launchpad.net/~teward/+archive/ubuntu/wireshark-security/+packages

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1397091

Title:
  [Security] Update Wireshark in Precise, Trusty, and Utopic to include
  relevant security patches.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/wireshark/+bug/1397091/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
