Date: Mon, 11 Oct 2010 16:42:27 -0700
From: Gerald Combs <gerald@...eshark.org>
To: Vincent Danen <vdanen@...hat.com>
CC: oss-security@...ts.openwall.com
Subject: Re: CVE requests: Poppler, Quassel, Pyfribidi, Overkill, DocUtils, FireGPG, Wireshark

Vincent Danen wrote:
> * [2010-10-01 13:33:47 -0700] Gerald Combs wrote:
> 
>> Vincent Danen wrote:
>>> * [2010-09-29 15:06:31 -0400] Josh Bressers wrote:
>>>
>>>>> 7. Wireshark BER dissector
>>>>> http://archives.neohapsis.com/archives/bugtraq/2010-09/0088.html
>>>>>
>>>>
>>>> This one looks like a stack overflow; the advisory isn't very clear,
>>>> but claims there are two possible outcomes. We can always split later
>>>> if needed.
>>>> CVE-2010-3445
>>>
>>> Gerald, are you aware of this issue?  Do you have further details
>>> regarding it?  I poked around in bugzilla a bit but couldn't find
>>> anything.
>>>
>>> It claims 1.4.0, but is not clear as to whether or not older versions
>>> are affected.
>>
>> It's been fixed in the trunk (r34111) and is scheduled for inclusion in
>> 1.4.1 and 1.2.12. We're tracking it in bug 5230:
>>
>>  https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5230
>>
>> The bug affects all BER dissectors and not just SNMP.
> 
> Great.  Thank you for the information, Gerald.  That is very helpful.

FYI, 1.4.1 and 1.2.12 have been released.
