tcpdump (4.9.2-0ubuntu0.14.04.1) trusty-security; urgency=medium
* SECURITY UPDATE: multiple security issues in tcpdump
- CVE-2017-13011: buffer overflow in util-print.c:
bittok2str_internal().
- CVE-2017-12989: RESP parser infinite loop in print-resp.c:
resp_get_length().
- CVE-2017-12990: ISAKMP parser infinite loops in print-isakmp.c,
several functions.
- CVE-2017-12995 DNS parser infinite loop in print-domain.c:
ns_print().
- CVE-2017-12997: LLDP parser infinite loop in print-lldp.c:
lldp_private_8021_print().
- CVE-2017-12893: buffer over-read in smbutil.c:name_len().
- CVE-2017-12894: buffer over-read in addrtoname.c:
lookup_bytestring().
- CVE-2017-12895: buffer over-read in print-icmp.c:icmp_print().
- CVE-2017-12896: buffer over-read in print-isakmp.c:
isakmp_rfc3948_print().
- CVE-2017-12897: buffer over-read in print-isoclns.c:
isoclns_print().
- CVE-2017-12898: buffer over-read in print-nfs.c:interp_reply().
- CVE-2017-12899: buffer over-read in print-decnet.c:
decnet_print().
- CVE-2017-12900: buffer over-read in util-print.c:tok2strbuf().
- CVE-2017-12901: buffer over-read in print-eigrp.c:eigrp_print().
- CVE-2017-12902: buffer over-read in print-zephyr.c, several
functions.
- CVE-2017-12985: buffer over-read in print-ip6.c:ip6_print().
- CVE-2017-12986: buffer over-read in print-rt6.c:rt6_print().
- CVE-2017-12987: buffer over-read in print-802_11.c:
parse_elements().
- CVE-2017-12988: buffer over-read in print-telnet.c:
telnet_parse().
- CVE-2017-12991: buffer over-read in print-bgp.c:bgp_attr_print().
- CVE-2017-12992: buffer over-read in print-ripng.c:ripng_print().
- CVE-2017-12993: buffer over-read in print-juniper.c, several
functions.
- CVE-2017-12994: buffer over-read in print-bgp.c:bgp_attr_print().
- CVE-2017-12996: buffer over-read in print-pim.c:pimv2_print().
- CVE-2017-12998: buffer over-read in print-isoclns.c:
isis_print_extd_ip_reach().
- CVE-2017-12999: buffer over-read in print-isoclns.c:isis_print().
- CVE-2017-13000: buffer over-read in print-802_15_4.c:
ieee802_15_4_if_print().
- CVE-2017-13001: buffer over-read in print-nfs.c:nfs_printfh().
- CVE-2017-13002: buffer over-read in print-aodv.c:
aodv_extension().
- CVE-2017-13003: buffer over-read in print-lmp.c:lmp_print().
- CVE-2017-13004: buffer over-read in print-juniper.c:
juniper_parse_header().
- CVE-2017-13005: buffer over-read in print-nfs.c:xid_map_enter().
- CVE-2017-13006: buffer over-read in print-l2tp.c, several
functions.
- CVE-2017-13007: buffer over-read in print-pktap.c:
pktap_if_print().
- CVE-2017-13008: buffer over-read in print-802_11.c:
parse_elements().
- CVE-2017-13009: buffer over-read in print-mobility.c:
mobility_print().
- CVE-2017-13010: buffer over-read in print-beep.c:l_strnstart().
- CVE-2017-13012: buffer over-read in print-icmp.c:icmp_print().
- CVE-2017-13013: buffer over-read in print-arp.c, several
functions.
- CVE-2017-13014: buffer over-read in print-wb.c:wb_prep(), several
functions.
- CVE-2017-13015: buffer over-read in print-eap.c:eap_print().
- CVE-2017-13016: buffer over-read in print-isoclns.c:esis_print().
- CVE-2017-13017: buffer over-read in print-dhcp6.c:
dhcp6opt_print().
- CVE-2017-13018: buffer over-read in print-pgm.c:pgm_print().
- CVE-2017-13019: buffer over-read in print-pgm.c:pgm_print().
- CVE-2017-13020: buffer over-read in print-vtp.c:vtp_print().
- CVE-2017-13021: buffer over-read in print-icmp6.c:icmp6_print().
- CVE-2017-13022: buffer over-read in print-ip.c:ip_printroute().
- CVE-2017-13023, CVE-2017-13024, CVE-2017-13025: multiple buffer
over-reads in print-mobility.c:mobility_opt_print().
- CVE-2017-13026: buffer over-read in print-isoclns.c, several functions.
- CVE-2017-13027: buffer over-read in print-lldp.c:
lldp_mgmt_addr_tlv_print().
- CVE-2017-13028: buffer over-read in print-bootp.c:bootp_print().
- CVE-2017-13029: buffer over-read in print-ppp.c:
print_ccp_config_options().
- CVE-2017-13030: buffer over-read in print-pim.c, several functions.
- CVE-2017-13031: buffer over-read in print-frag6.c:frag6_print().
- CVE-2017-13032: buffer over-read in print-radius.c:print_attr_string().
- CVE-2017-13033: buffer over-read in print-vtp.c:vtp_print().
- CVE-2017-13034: buffer over-read in print-pgm.c:pgm_print().
- CVE-2017-13035: buffer over-read in print-isoclns.c:isis_print_id().
- CVE-2017-13036: buffer over-read in print-ospf6.c:ospf6_decode_v3().
- CVE-2017-13037: buffer over-read in print-ip.c:ip_printts().
- CVE-2017-13038: buffer over-read in print-ppp.c:handle_mlppp().
- CVE-2017-13039: buffer over-read in print-isakmp.c, several
functions.
- CVE-2017-13040: buffer over-read in print-mptcp.c, several
functions.
- CVE-2017-13041: buffer over-read in print-icmp6.c:
icmp6_nodeinfo_print().
- CVE-2017-13042: buffer over-read in print-hncp.c:dhcpv6_print().
- CVE-2017-13043: buffer over-read in print-bgp.c:
decode_multicast_vpn().
- CVE-2017-13044: buffer over-read in print-hncp.c:dhcpv4_print().
- CVE-2017-13045: buffer over-read in print-vqp.c:vqp_print().
- CVE-2017-13046: buffer over-read in print-bgp.c:bgp_attr_print().
- CVE-2017-13047: buffer over-read in print-isoclns.c:esis_print().
- CVE-2017-13048: buffer over-read in print-rsvp.c:
rsvp_obj_print().
- CVE-2017-13049: buffer over-read in print-rx.c:ubik_print().
- CVE-2017-13050: buffer over-read in print-rpki-rtr.c:
rpki_rtr_pdu_print().
- CVE-2017-13051: buffer over-read in print-rsvp.c:
rsvp_obj_print().
- CVE-2017-13052: buffer over-read in print-cfm.c:cfm_print().
- CVE-2017-13053: buffer over-read in print-bgp.c:
decode_rt_routing_info().
- CVE-2017-13054: buffer over-read in print-lldp.c:
lldp_private_8023_print().
- CVE-2017-13055: buffer over-read in print-isoclns.c:
isis_print_is_reach_subtlv().
- CVE-2017-13687: buffer over-read in print-chdlc.c:chdlc_print().
- CVE-2017-13688: buffer over-read in print-olsr.c:olsr_print().
- CVE-2017-13689: buffer over-read in print-isakmp.c:
ikev1_id_print().
- CVE-2017-13690: buffer over-read in print-isakmp.c, several
functions.
- CVE-2017-13725: buffer over-read in print-rt6.c:rt6_print().
* Merge from Debian unstable. Remaining changes:
- debian/control:
+ keep older libpcap0.8-dev dependency
+ don't add breaks/replaces on apparmor-profiles-extras, as
tcpdump profile is already dropped from there in xenial.
+ drop multi-arch: foreign
- debian/patches/disable_tests.diff: disable additional tests
failing with older pcap versions
- debian/patches/90_man_apparmor.diff: mention apparmor profile
- debian/tcpdump.dirs: for apparmor force-complain dir
tcpdump (4.9.2-1) unstable; urgency=high
* New upstream release:
+ Fixes 86 new CVEs, see the upstream changelog for the full list.
+ Now supports OpenSSL 1.1, so move back to libssl-dev (closes: #859740).
* Urgency high due to security fixes.
tcpdump (4.9.1-3) unstable; urgency=high
* Cherry-pick three upstream commits to fix the following:
+ CVE-2017-11541: buffer over-read in safeputs() (closes: #873804)
+ CVE-2017-11542: buffer over-read in pimv1_print() (closes: #873805)
+ CVE-2017-11543: buffer overflow in sliplink_print() (closes: #873806)
* Urgency high due to security fixes.
tcpdump (4.9.1-2) unstable; urgency=medium
* Disable IKEv2 test which mysteriously fails on ppc64el (closes: #873377).
tcpdump (4.9.1-1) unstable; urgency=medium
* New upstream release, fixes CVE-2017-11108 (closes: #867718).
* Bump Standards-Version to 4.1.0.
* debian/watch: add pgpsigurlmangle option.
* Add upstream signing key in debian/upstream.
tcpdump (4.9.0-3) unstable; urgency=medium
[ intrigeri ]
* Include AppArmor profile from Ubuntu (closes: #866682).
[ Romain Francoise ]
* Bump Standards-Version to 4.0.0.
tcpdump (4.9.0-2) unstable; urgency=medium
* Re-enable crypto support, targeting OpenSSL 1.0 as upstream still
doesn't support OpenSSL 1.1.
* Drop --enable-ipv6 from configure line, it has been the default for
years now.
-- Steve Beattie <email address hidden> Wed, 13 Sep 2017 03:26:05 -0700
tcpdump (4.9.0-1ubuntu1~ubuntu14.04.1) trusty-security; urgency=medium
* Backport to trusty to fix CVEs (LP: #1662177).
* Reset libpcap dependency to trusty version
* Enable crypto support, dropped in zesty because of openssl.
* Disable some tests failing with older pcap versions
tcpdump (4.9.0-1ubuntu1) zesty; urgency=low
* Merge from Debian unstable. Remaining changes:
- debian/{control, README.Debian, tcpdump.dirs, usr.sbin.tcpdump,
install, rules, patches/patches/90_man_apparmor.diff}:
+ Add AppArmor profile.
- debian/usr.sbin.tcpdump:
+ Allow capability net_admin to support '-j'.
tcpdump (4.9.0-1) unstable; urgency=high
* New upstream security release, fixing the following:
+ CVE-2016-7922: buffer overflow in print-ah.c:ah_print().
+ CVE-2016-7923: buffer overflow in print-arp.c:arp_print().
+ CVE-2016-7924: buffer overflow in print-atm.c:oam_print().
+ CVE-2016-7925: buffer overflow in print-sl.c:sl_if_print().
+ CVE-2016-7926: buffer overflow in print-ether.c:ethertype_print().
+ CVE-2016-7927: buffer overflow in print-802_11.c:ieee802_11_radio_print().
+ CVE-2016-7928: buffer overflow in print-ipcomp.c:ipcomp_print().
+ CVE-2016-7929: buffer overflow in print-juniper.c:juniper_parse_header().
+ CVE-2016-7930: buffer overflow in print-llc.c:llc_print().
+ CVE-2016-7931: buffer overflow in print-mpls.c:mpls_print().
+ CVE-2016-7932: buffer overflow in print-pim.c:pimv2_check_checksum().
+ CVE-2016-7933: buffer overflow in print-ppp.c:ppp_hdlc_if_print().
+ CVE-2016-7934: buffer overflow in print-udp.c:rtcp_print().
+ CVE-2016-7935: buffer overflow in print-udp.c:rtp_print().
+ CVE-2016-7936: buffer overflow in print-udp.c:udp_print().
+ CVE-2016-7937: buffer overflow in print-udp.c:vat_print().
+ CVE-2016-7938: integer overflow in print-zeromq.c:zmtp1_print_frame().
+ CVE-2016-7939: buffer overflow in print-gre.c, multiple functions.
+ CVE-2016-7940: buffer overflow in print-stp.c, multiple functions.
+ CVE-2016-7973: buffer overflow in print-atalk.c, multiple functions.
+ CVE-2016-7974: buffer overflow in print-ip.c, multiple functions.
+ CVE-2016-7975: buffer overflow in print-tcp.c:tcp_print().
+ CVE-2016-7983: buffer overflow in print-bootp.c:bootp_print().
+ CVE-2016-7984: buffer overflow in print-tftp.c:tftp_print().
+ CVE-2016-7985: buffer overflow in print-calm-fast.c:calm_fast_print().
+ CVE-2016-7986: buffer overflow in print-geonet.c, multiple functions.
+ CVE-2016-7992: buffer overflow in print-cip.c:cip_if_print().
+ CVE-2016-7993: a bug in util-print.c:relts_print() could cause a
buffer overflow in multiple protocol parsers (DNS, DVMRP, HSRP, IGMP,
lightweight resolver protocol, PIM).
+ CVE-2016-8574: buffer overflow in print-fr.c:frf15_print().
+ CVE-2016-8575: buffer overflow in print-fr.c:q933_print().
+ CVE-2017-5202: buffer overflow in print-isoclns.c:clnp_print().
+ CVE-2017-5203: buffer overflow in print-bootp.c:bootp_print().
+ CVE-2017-5204: buffer overflow in print-ip6.c:ip6_print().
+ CVE-2017-5205: buffer overflow in print-isakmp.c:ikev2_e_print().
+ CVE-2017-5341: buffer overflow in print-otv.c:otv_print().
+ CVE-2017-5342: a bug in multiple protocol parsers (Geneve, GRE, NSH,
OTV, VXLAN and VXLAN GPE) could cause a buffer overflow in
print-ether.c:ether_print().
+ CVE-2017-5482: buffer overflow in print-fr.c:q933_print().
+ CVE-2017-5483: buffer overflow in print-snmp.c:asn1_parse().
+ CVE-2017-5484: buffer overflow in print-atm.c:sig_print().
+ CVE-2017-5485: buffer overflow in addrtoname.c:lookup_nsap().
+ CVE-2017-5486: buffer overflow in print-isoclns.c:clnp_print().
* Re-enable all tests and bump build-dep on libpcap0.8-dev to >= 1.8
accordingly.
* Switch Vcs-Git URL to the https one.
* Adjust lintian override name about dh 9.
tcpdump (4.8.1-2ubuntu1) zesty; urgency=low
* Merge from Debian unstable. Remaining changes:
- debian/{control, README.Debian, tcpdump.dirs, usr.sbin.tcpdump,
install, rules, patches/patches/90_man_apparmor.diff}:
+ Add AppArmor profile.
- debian/usr.sbin.tcpdump:
+ Allow capability net_admin to support '-j'.
tcpdump (4.8.1-2) unstable; urgency=medium
* Disable new HNCP test, which fails on some buildds for some
as-of-yet unexplained reason.
tcpdump (4.8.1-1) unstable; urgency=medium
* New upstream release.
* Re-enable Geneve tests (disabled in 4.7.4-1) and bump build-dep on
libpcap0.8-dev to >= 1.7 accordingly.
* Disable new pcap version tests which require libpcap 1.8+.
tcpdump (4.7.4-3ubuntu1) zesty; urgency=medium
* Merge from Debian unstable. (LP: #1624633) Remaining changes:
- debian/{control, README.Debian, tcpdump.dirs, usr.sbin.tcpdump,
install, rules, patches/patches/90_man_apparmor.diff}:
+ Add AppArmor profile.
- debian/usr.sbin.tcpdump:
+ Allow capability net_admin to support '-j'.
- fix 2015-0261 test with upstream e32088572e960f7d5e1baac2f530793ed7f42e4d
tcpdump (4.7.4-3) unstable; urgency=medium
* Use dh-autoreconf instead of calling autoconf directly and patching
config.{guess,sub}.
* Call dh_auto_configure instead of configure in override target, patch
by Helmut Grohne (closes: #837951).
tcpdump (4.7.4-2) unstable; urgency=medium
* Disable crypto support as it causes FTBFS with OpenSSL 1.1.x and we
don't have a working fix upstream yet (closes: #828569).
* Bump Standards-Version to 3.9.8.
* Use cgit URL for Vcs-Browser.
tcpdump (4.7.4-1ubuntu1.16.10.1) yakkety; urgency=medium
* debian/usr.sbin.tcpdump: Allow the tcpdump binary to be mapped as required
by version 4.8 and newer kernels. tcpdump was immediately segfaulting when
used inside of LXD containers before this AppArmor profile change.
(LP: #1632399)
tcpdump (4.7.4-1ubuntu1) wily; urgency=low
* Merge from Debian unstable. (LP: #1460170) Remaining changes:
- debian/{control, README.Debian, tcpdump.dirs, usr.sbin.tcpdump,
install, rules, patches/patches/90_man_apparmor.diff}:
+ Add AppArmor profile.
- debian/usr.sbin.tcpdump:
+ Allow capability net_admin to support '-j'.
- Drop 60_cve-2015-2153-fix-regression.diff: upstream
tcpdump (4.7.4-1) unstable; urgency=medium
* New upstream release.
* Disable two geneve tests that require libpcap 1.7+.
* Bump Standards-Version to 3.9.6.
tcpdump (4.6.2-5) unstable; urgency=high
* Cherry-pick commit fb6e5377f3 from upstream Git to fix regressions in the
RPKI/RTR printer after the CVE-2015-2153 changes. Thanks to Artur Rona
from Ubuntu for the heads-up (closes: #781362).
tcpdump (4.6.2-4ubuntu1) vivid; urgency=low
* Merge from Debian unstable. (LP: #1433815) Remaining changes:
- debian/{control, README.Debian, tcpdump.dirs, usr.sbin.tcpdump,
install, rules, patches/patches/90_man_apparmor.diff}:
+ Add AppArmor profile.
- debian/usr.sbin.tcpdump:
+ Allow capability net_admin to support '-j'.
* debian/patches/60_cve-2015-2153-fix-regression.diff:
- Fix regression due to 60_cve-2015-2153.diff
tcpdump (4.6.2-4) unstable; urgency=high
* Cherry-pick changes from upstream Git to fix the following security
issues:
+ CVE-2015-0261: missing bounds checks in IPv6 Mobility printer.
+ CVE-2015-2153: missing bounds checks in RPKI/RTR printer.
+ CVE-2015-2154: missing bounds checks in ISOCLNS printer.
+ CVE-2015-2155: missing bounds checks in ForCES printer.
tcpdump (4.6.2-3ubuntu1) vivid; urgency=low
* Merge from Debian unstable (LP: #1397558). Remaining changes:
* debian/control:
- Build-Depends on dh-apparmor.
- Suggests apparmor
* debian/README.Debian, debian/tcpdump.dirs, debian/usr.sbin.tcpdump,
debian/patches/patches/90_man_apparmor.diff,
debian/install, debian/rules:
- Install enforcing AppArmor profile.
* debian/usr.sbin.tcpdump: allow capability net_admin to support '-j'. Patch
thanks to Graeme Hewson. (LP: #1229664)
tcpdump (4.6.2-3) unstable; urgency=high
* Cherry-pick commit 0f95d441e4 from upstream Git to fix a buffer overflow
in the PPP dissector (CVE-2014-9140).
tcpdump (4.6.2-2) unstable; urgency=high
* Urgency high due to security fixes.
* Add three patches extracted from various upstream commits fixing
vulnerabilities in three dissectors:
+ CVE-2014-8767: missing bounds checks in OLSR dissector (closes: #770434).
+ CVE-2014-8768: missing bounds checks in Geonet dissector
(closes: #770415).
+ CVE-2014-8769: missing bounds checks in AOVD dissector (closes: #770424).
tcpdump (4.6.2-1ubuntu1) utopic; urgency=low
* Merge from Debian unstable (LP; #1367260). Remaining changes:
* debian/control:
- Build-Depends on dh-apparmor.
- Suggests apparmor
* debian/README.Debian, debian/tcpdump.dirs, debian/usr.sbin.tcpdump,
debian/patches/patches/90_man_apparmor.diff,
debian/install, debian/rules:
- Install enforcing AppArmor profile.
* debian/usr.sbin.tcpdump: allow capability net_admin to support '-j'. Patch
thanks to Graeme Hewson. (LP: #1229664)
tcpdump (4.6.2-1) unstable; urgency=medium
* New upstream release.
tcpdump (4.6.1-3) unstable; urgency=medium
* Bump build-dep on libpcap0.8-dev to >= 1.5 as the pppoes_id test case
requires a pcap version that supports PPPoE session ID filtering.
tcpdump (4.6.1-2ubuntu1) utopic; urgency=low
* Merge from Debian unstable (LP: #1352750). Remaining changes:
* debian/control:
- Build-Depends on dh-apparmor.
- Suggests apparmor
* debian/README.Debian, debian/tcpdump.dirs, debian/usr.sbin.tcpdump,
debian/patches/patches/90_man_apparmor.diff,
debian/install, debian/rules:
- Install enforcing AppArmor profile.
* debian/usr.sbin.tcpdump: allow capability net_admin to support '-j'. Patch
thanks to Graeme Hewson. (LP: #1229664)
tcpdump (4.6.1-2) unstable; urgency=medium
* Expand configure check for net/pfvar.h to also check for existence of
net/if_pflog.h to fix build on GNU/kFreeBSD, which ships the former
but not the latter, see #756553 (closes: #756790).
tcpdump (4.6.1-1) unstable; urgency=medium
* New upstream release.
* debian/control: Mark tcpdump 'Multi-Arch: foreign' (closes: #700727).
tcpdump (4.5.1-2ubuntu2) utopic; urgency=medium
* debian/usr.sbin.tcpdump: allow capability net_admin to support '-j'. Patch
thanks to Graeme Hewson. (LP: #1229664)
-- Gianfranco Costamagna <email address hidden> Sun, 05 Feb 2017 20:39:58 +0100