On Wed, Jul 26, 2017 at 01:17:47PM +0200, Moritz Muehlenhoff wrote:
> That particular CVE ID is no-dsa by itself, but there's been
> new issues reported (not yet in the BTS, also not sure whether upstream
> has acted on those):
>
> https://security-tracker.debian.org/tracker/CVE-2017-11541
> https://security-tracker.debian.org/tracker/CVE-2017-11542
> https://security-tracker.debian.org/tracker/CVE-2017-11543
> https://security-tracker.debian.org/tracker/CVE-2017-11544
> https://security-tracker.debian.org/tracker/CVE-2017-11545

This is also in the upstream issue tracker:
https://github.com/the-tcpdump-group/tcpdump/issues/619

These are only issues when using older versions of libpcap. This has been
verified by me and ack'd by the researcher. For example this setup was not
affected:

tcpdump version 4.10.0-PRE-GIT_2017_07_24
libpcap version 1.8.1
OpenSSL 1.0.1t 3 May 2016
Compiled with AddressSanitizer/GCC.

Tcpdump is clearly asking people to test with the latest releases or SCM
code so I don't think they will start analyzing these cases any further. I
can reproduce these issues in Debian if needed? I'm unable to start making
patches or backports though.

> Next point updates are quite some time afar, so let's wait a bit until
> those new ones have been investigated further.

Tcpdump is planning to publish a new release soon, which fixes security
issues.

-- 
Henri Salo