On Fri, 23 Oct 2009 19:46:24 +0200, Bálint Réczey wrote:
> Hi,
>
> Moritz proposed to upload fixes for DoS-only security problems to
> stable and handle only more serious problems via stable-security:
>
> On Monday 06 July 2009 20:42:21 Moritz Muehlenhoff wrote:
>
>> On Wed, Jul 01, 2009 at 03:36:44PM -0700, Bálint Réczey wrote:
>> > Hi,
>> >
>> > Wireshark 1.0.8 fixes CVE-2009-1829 and contains other changes fixing
>> > crashes and one fix for a memory leak.
>> >
> ...
>> Traditionally we've been treating Wireshark crashes triggerable by
>> network traffic as security issues, since someone could use tshark
>> as a network monitoring/intrusion detection tool. OTOH, both
>> Wireshark's security record and the mere concept (analysing network
>> traffic in a flaky implementation language like C) make this an
>> impractical approach. I would like to propose to document in a file
>> like README.Debian or README.Debian.security that Wireshark is a
>> great tool to analyse traffic patterns, but that crashes cannot be
>> ruled out due to the complex nature of the task. Thus, it should
>> not be deployed in scenarios where it is used for live network monitoring,
>> and leave pure crash bugs unfixed. Of course all bugs which could
>> trigger code injection will still be fixed in regular DSAs.
>> Additionally we could talk to the stable release managers to allow
>> the latest Wireshark point updates for each stable point update
>> (since the QA done by upstream is quite good). There are similar
>> exceptions already done for some packages, e.g. PostgreSQL.
> >
> > I support this approach.
> >
> > Joost
> >
>
> The original suggestion was to upload full Wireshark releases from the
> stable and oldstable Wireshark maintenance branches, but later we
> chose to extract the security-related fixes and add only those to the
> Debian package.
>
> According to that plan I would like to upload the package to "stable"
> and I corrected the attached patch to reflect this.
Please submit a bug (including debdiff) to release.debian.org requesting
acceptance of the new version for the next lenny point release.

mike