Hi Balint - Thanks for the updates. I happened to notice that these are security updates. Security updates that are to be sponsored should follow this process:
https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue#Notes_for_Contributors

I'll update the bug tasks and subscribe ubuntu-security-sponsors this time. In the future, I strongly encourage you to do these steps as the Ubuntu Security Team may not notice your contributions.

@ubuntu-security-sponsors I haven't looked at Balint's updates other than a quick glance at the changelog entry to verify that they were to fix security issues.

** Changed in: wireshark (Ubuntu Precise)
       Status: Confirmed => Won't Fix

** Also affects: wireshark (Ubuntu Yakkety)
   Importance: Undecided
       Status: New

** Also affects: wireshark (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Also affects: wireshark (Ubuntu Zesty)
   Importance: Undecided
       Status: New

** Changed in: wireshark (Ubuntu Xenial)
       Status: New => Confirmed

** Changed in: wireshark (Ubuntu Yakkety)
       Status: New => Confirmed

** Changed in: wireshark (Ubuntu Zesty)
       Status: New => Confirmed

--
https://bugs.launchpad.net/bugs/1397091

Title:
  [Security] Update Wireshark in Precise, Trusty, and Utopic to include relevant security patches.

Status in wireshark package in Ubuntu:
  Confirmed
Status in wireshark source package in Precise:
  Won't Fix
Status in wireshark source package in Trusty:
  Confirmed
Status in wireshark source package in Utopic:
  Fix Released
Status in wireshark source package in Xenial:
  Confirmed
Status in wireshark source package in Yakkety:
  Confirmed
Status in wireshark source package in Zesty:
  Confirmed

Bug description:

In further discussion with the security team and others, it's probably easier (and more acceptable all over at this time) to backport all the fixes for the bugs into the various affected Wireshark versions already present in the repositories.

The original description for the bug is below, and is kept for historical reasons.
Additional changes and actions on the bug will be in the comments.

==================

[Original Description]

In discussion with the Security team yesterday (November 26, 2014) in #ubuntu-hardened on IRC, I began digging through the list of Wireshark CVEs, attempting to correct the tracker and get the CVE statuses updated to reflect what actually does affect the versions in Trusty and later, rather than sit there with a ton of yellow and orange on the tracker.

During the discussion while I was making the revisions in my own branch of the CVE tracker, it was proposed by Marc Deslauriers that we look into a full version bump in the Wireshark package for all stable releases. Further discussion with Seth Arnold after that with me settled on targeting this for Precise, Trusty, and Utopic.

Unfortunately, security handling of this package is... tricky. There are so many CVEs that it becomes unwieldy to try and patch each individual CVE. Further discussion today (November 27, 2014) and input from Marc supports that conclusion. Therefore, it was suggested that we investigate updating the software to as close to latest as we can.

Vivid already has the patches that are included in the upstream version 1.12.2, and therefore has CVE fixes for the ones which were fixed in 1.12.2.

To that end, I propose that we do a security update for Wireshark and apply the package from Vivid (with changes as necessary for releases) to earlier releases in order to fix the numerous security updates that are pending for the package.

------

The attached debdiffs are based off of the Vivid package. The package in Vivid contains all the security fixes in 1.12.2. The update would bring the Precise, Trusty, and Utopic into relative sync with the Vivid package.

The following are the details of the changes to the package that would need to be done for each release (and this will be outlined in debdiffs later) in order to build:

Precise:
* debian/control:
  - libgnutls28-dev has a version specified in it.
    To build, this dependency needs its version specification to be adjusted to an earlier version number, with respect to what is in Precise
  - Remove qt build deps, to prevent the Qt builds from being done/attempted.
  - Remove the wireshark-qt package.
* debian/rules: There is a reference in the rules to the qtshark compiled executable. It needs to be removed in order for the builds to continue.
* debian/wireshark-qt.*: Remove the wireshark-qt package

Trusty:
* debian/control: program
  - libgnutls28-dev has a version specified in it. To build, this dependency needs its version specification to be adjusted to an earlier version number, with respect to what is in Trusty
  - Remove qt build deps, to prevent the Qt builds from being done/attempted.
  - Remove the wireshark-qt package.
* debian/rules: There is a reference in the rules to the qtshark compiled executable. It needs to be removed in order for the builds to continue.
* debian/wireshark-qt.*: Remove the wireshark-qt package

Utopic:
No changes need to be made to the package other than a new changelog entry targeting utopic-security. The Qt Wireshark package already exists in Utopic, therefore it did not need to be removed.

------

There should not be any major regressions by doing the version bump. There may be some UI changes, however the functionality of Wireshark will be improved, with most (if not all) of the current CVEs against the package being fixed.
------

Test builds for the attached debdiffs (targeted for the release specifically instead of the security pocket, because of it being in a PPA) can be found here:
https://launchpad.net/~teward/+archive/ubuntu/wireshark-security/+packages