Re: How to deal with wireshark CVE affecting Squeeze

2015-04-11 Thread Bálint Réczey
Hi Raphael,

2015-04-10 23:59 GMT+02:00 Raphael Hertzog :
> Hello Balint,
>
> I would like to clarify the situation of wireshark in squeeze.
> In https://bugs.debian.org/774312 you requested to mark the
> package as "not-supported" and this has now been done.
>
> So in theory I should tag all CVEs as "end-of-life" and they
> will be hidden from our main view (and I will never again add "wireshark"
> to dla-needed.txt):
> https://security-tracker.debian.org/tracker/status/release/oldstable
>
> But at the same time you said that you would continue to backport
> the relevant fixes and you are still listed in dla-needed.txt as preparing
> an update fixing the CVEs currently open in Squeeze (all of which are fixed
> in Wheezy):
> https://security-tracker.debian.org/tracker/source-package/wireshark
>
> So what's the correct status that I should put on all those CVEs?
> And should we keep or drop the entry in dla-needed.txt?
>
> Maybe the package should have been added to the "limited support" list
> instead of the "not-supported" one? In which case, CVEs are handled like
> usual, trying to take into account the restrictions defined by the "limited
> support".
Let me copy the content of #774312 here before my answer:
> As the maintainer of wireshark I still plan continuing back-porting
> security fixes for Squeeze's wireshark package, but I can't honestly
> say that it is safe to run even the fixed versions.  Squeeze had been
> released with Wireshark 1.2.11 but upstream stopped providing official
> security updates for that branch years ago.
>
> Currently security fixes are provided for 1.10.x and 1.12.x versions
> which I back-port to Wheezy and Squeeze when their version is
> affected, but there can be many hidden issues, especially in Squeeze.
>
> I will still fix all issues in dumpcap from the wireshark-common
> package, thus Debian LTS users can still capture traffic safely, but
> analysis should be performed using a later Wireshark version.
Probably I should have asked for limited support instead of ending
support, but at that time I was not aware of the distinction. Let me
extend my explanation.

I could keep up with back-porting security fixes to stable's 1.8.x
from 1.10.x releases, but back-porting to oldstable's 1.2.x needs more
work and while preparing back-ports for Squeeze I found several issues
which would still be open even after back-porting related CVE fixes.
Those issues are fixed in commits not related to the CVEs, but for
example in general code quality improvements like more rigorous error
condition checking. Back-porting all those fixes would not make a lot
of sense, but not backporting them would leave vulnerabilities open
which are easy to discover and which are not tracked publicly.
This is why I think people should not run Wireshark 1.2.x for
analyzing potentially harmful files, but should use newer versions
instead.

I have several back-ported patches here prepared for a new upload but
I could not find time to prepare the rest of the fixes:
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=shortlog;h=refs/heads/lts-1.2.11

I can upload them, but I need more time to work on the rest and I'm
not sure if it would be worth it due to the other issues which would
still stay unpatched.

I assume this situation is not unique to Wireshark. What do you think,
what would be the best for the LTS project in Wireshark's case and
what is the general LTS strategy in similar cases?

Cheers,
Balint

>
> Cheers,
> --
> Raphaël Hertzog ◈ Debian Developer
>
> Support Debian LTS: http://www.freexian.com/services/debian-lts.html
> Learn to master Debian: http://debian-handbook.info/get/


--
To UNSUBSCRIBE, email to debian-lts-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: 
https://lists.debian.org/CAK0OdpxFv+4dX4eC1ZrBQnVr+nwpBjsXFUTreTp+HZBvC+OK=q...@mail.gmail.com



Re: How to deal with wireshark CVE affecting Squeeze

2015-04-11 Thread Ben Hutchings
On Sun, 2015-04-12 at 01:05 +0200, Bálint Réczey wrote:
[...]
> I assume this situation is not unique to Wireshark. What do you think,
> what would be the best for the LTS project in Wireshark's case and
> what is the general LTS strategy in similar cases?

I think the best approach would be either:
a. remove it from support and upload wireshark 1.8 to squeeze-backports
   if possible, or
b. upload the backported wireshark 1.8 package to squeeze-lts

Ben.

-- 
Ben Hutchings
compatible: Gracefully accepts erroneous data from any source


signature.asc
Description: This is a digitally signed message part


Re: How to deal with wireshark CVE affecting Squeeze

2015-04-12 Thread Bálint Réczey
Hi Ben,

2015-04-12 1:38 GMT+02:00 Ben Hutchings :
> On Sun, 2015-04-12 at 01:05 +0200, Bálint Réczey wrote:
> [...]
>> I assume this situation is not unique to Wireshark. What do you think,
>> what would be the best for the LTS project in Wireshark's case and
>> what is the general LTS strategy in similar cases?
>
> I think the best approach would be either:
> a. remove it from support and upload wireshark 1.8 to squeeze-backports
>if possible, or
> b. upload the backported wireshark 1.8 package to squeeze-lts
I would be happy to go with either of those options. Undoing the
multiarch-related changes would make 1.8.x build fine on squeeze.
Who should make the call?

Cheers,
Balint





Re: How to deal with wireshark CVE affecting Squeeze

2015-04-12 Thread Moritz Muehlenhoff
On Sun, Apr 12, 2015 at 01:20:37PM +0200, Bálint Réczey wrote:
> Hi Ben,
> 
> 2015-04-12 1:38 GMT+02:00 Ben Hutchings :
> > On Sun, 2015-04-12 at 01:05 +0200, Bálint Réczey wrote:
> > [...]
> >> I assume this situation is not unique to Wireshark. What do you think,
> >> what would be the best for the LTS project in Wireshark's case and
> >> what is the general LTS strategy in similar cases?
> >
> > I think the best approach would be either:
> > a. remove it from support and upload wireshark 1.8 to squeeze-backports
> >if possible, or
> > b. upload the backported wireshark 1.8 package to squeeze-lts
> I would be happy to go with either of those options. Undoing the multiarch-related
> changes would make 1.8.x build fine on squeeze.
> Who should make the call?

I'd say it's your call. Package maintainers can maintain their own
packages in LTS and if you consider it the best solution (and I agree
since wireshark is a leaf package), go ahead.

Cheers,
Moritz





Re: How to deal with wireshark CVE affecting Squeeze

2015-04-12 Thread Raphael Hertzog
Hi,

On Sun, 12 Apr 2015, Ben Hutchings wrote:
> On Sun, 2015-04-12 at 01:05 +0200, Bálint Réczey wrote:
> [...]
> > I assume this situation is not unique to Wireshark. What do you think,
> > what would be the best for the LTS project in Wireshark's case and
> > what is the general LTS strategy in similar cases?
> 
> I think the best approach would be either:
> a. remove it from support and upload wireshark 1.8 to squeeze-backports
>if possible, or
> b. upload the backported wireshark 1.8 package to squeeze-lts

I agree with Ben and I actually favor (b) when it doesn't introduce
backwards incompatibilities (ie few risks to break a working setup
just with the upgrade).

And you are right Balint, there are more packages in similar situations.
We should have some discussion on the topic but this list has been rather
quiet when we had concrete questions (like yours), for example about what
to do with mysql 5.1 that is no longer supported upstream and where CVE
details are hard to find. That's why I expect to have some discussion
about this during Debconf (and possibly also today in the minidebconf in
Lyon where I give a talk about Debian).

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/





Re: How to deal with wireshark CVE affecting Squeeze

2015-04-12 Thread Bálint Réczey
Hi,

2015-04-12 9:14 GMT+02:00 Raphael Hertzog :
> Hi,
>
> On Sun, 12 Apr 2015, Ben Hutchings wrote:
>> On Sun, 2015-04-12 at 01:05 +0200, Bálint Réczey wrote:
>> [...]
>> > I assume this situation is not unique to Wireshark. What do you think,
>> > what would be the best for the LTS project in Wireshark's case and
>> > what is the general LTS strategy in similar cases?
>>
>> I think the best approach would be either:
>> a. remove it from support and upload wireshark 1.8 to squeeze-backports
>>if possible, or
>> b. upload the backported wireshark 1.8 package to squeeze-lts
>
> I agree with Ben and I actually favor (b) when it doesn't introduce
> backwards incompatibilities (ie few risks to break a working setup
> just with the upgrade).
I have prepared the attached patch implementing b.). If no one opposes
I will upload it on Tuesday.
The change is not backwards-compatible in the sense that custom software
may break, but those who build systems using wireshark should have
upgraded to more recent versions already.

>
> And you are right Balint, there are more packages in similar situations.
> We should have some discussion on the topic but this list has been rather
> quiet when we had concrete questions (like yours), for example about what
> to do with mysql 5.1 that is no longer supported upstream and where CVE
> details are hard to find. That's why I expect to have some discussion
> about this during Debconf (and possibly also today in the minidebconf in
> Lyon where I give a talk about Debian).
Good, lets discuss that during Debconf.

Cheers,
Balint
diff -Nru wireshark-1.8.2/debian/changelog wireshark-1.8.2/debian/changelog
--- wireshark-1.8.2/debian/changelog	2015-03-26 21:06:26.0 +0100
+++ wireshark-1.8.2/debian/changelog	2015-04-12 16:08:00.0 +0200
@@ -1,3 +1,9 @@
+wireshark (1.8.2-5wheezy15~deb6u1) squeeze-lts; urgency=high
+
+  * Rebuild for Squeeze LTS
+
+ -- Balint Reczey   Sun, 12 Apr 2015 16:08:00 +0200
+
 wireshark (1.8.2-5wheezy15) wheezy-security; urgency=high
 
   * security fixes from Wireshark 1.12.4 (Closes: #780372):
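Review bot: the new changelog entry says only "Rebuild for Squeeze LTS", which understates what this upload does: it replaces the 1.2.11 package line in squeeze-lts with 1.8.2, and the thread notes that the binary package names change in the process. Say that in the entry and list the CVE identifiers this version closes relative to the squeeze package (the wheezy15 entry below it only points at Wireshark 1.12.4 and #780372), so that the DLA text and the tracker data can be checked against the changelog instead of being written from memory; the DLA later shipped with the wrong version string, which is the kind of slip an explicit entry prevents.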
diff -Nru wireshark-1.8.2/debian/compat wireshark-1.8.2/debian/compat
--- wireshark-1.8.2/debian/compat	2012-05-23 14:16:09.0 +0200
+++ wireshark-1.8.2/debian/compat	2015-04-12 16:08:00.0 +0200
@@ -1 +1 @@
-9
+8
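Review bot: lowering debian/compat from 9 to 8 is more than a version bump. Compat level 9 is where debhelper exports the dpkg-buildflags hardening flags (CFLAGS, CPPFLAGS, LDFLAGS) into the build and switches to multiarch library paths; at level 8 neither happens, so the hardening now depends entirely on whatever replaces it (the hardening-wrapper build-dependency in the control hunk). After the squeeze build, confirm that the shipped binaries, dumpcap in particular since it is the component the thread relies on for safe capture, still carry stack protector, fortify and relro, for example with hardening-check from the hardening-includes package, rather than assuming the wheezy build flags survived the compat change.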
diff -Nru wireshark-1.8.2/debian/control wireshark-1.8.2/debian/control
--- wireshark-1.8.2/debian/control	2013-04-03 03:23:35.0 +0200
+++ wireshark-1.8.2/debian/control	2015-04-12 16:08:00.0 +0200
@@ -4,7 +4,7 @@
 Maintainer: Balint Reczey 
 DM-Upload-Allowed: yes
 Standards-Version: 3.9.3
-Build-Depends: libgtk2.0-dev (>=2.4.0-0), libpcap0.8-dev, flex, libz-dev, debhelper (>= 9), po-debconf, libtool, python (>= 2.6.6-3~), python-ply, automake, autoconf, autotools-dev, libc-ares-dev, xsltproc, docbook-xsl (>= 1.64.1.0-0), libxml2-utils, libpcre3-dev, libcap2-dev [linux-any] | libcap-dev (>= 2.17) [linux-any], bison, libgnutls-dev, portaudio19-dev, libkrb5-dev, liblua5.1-0-dev, libsmi2-dev, libgeoip-dev, dpkg-dev (>= 1.16.1~)
+Build-Depends: libgtk2.0-dev (>=2.4.0-0), libpcap0.8-dev, flex, libz-dev, debhelper (>= 8), po-debconf, libtool, python (>= 2.6.6-3~), python-ply, automake, autoconf, autotools-dev, libc-ares-dev, xsltproc, docbook-xsl (>= 1.64.1.0-0), libxml2-utils, libpcre3-dev, libcap2-dev [linux-any] | libcap-dev (>= 2.17) [linux-any], bison, libgnutls-dev, portaudio19-dev, libkrb5-dev, liblua5.1-0-dev, libsmi2-dev, libgeoip-dev, hardening-wrapper
 Build-Conflicts: libsnmp4.2-dev, libsnmp-dev
 Vcs-Svn: svn://svn.debian.org/svn/collab-maint/ext-maint/wireshark/trunk
 Vcs-Browser: http://svn.debian.org/wsvn/collab-maint/ext-maint/wireshark/trunk/
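Review bot: the Build-Depends change swaps `dpkg-dev (>= 1.16.1~)` for `hardening-wrapper` alongside the debhelper (>= 8) downgrade, and these are not equivalent. dpkg-dev 1.16.1 was required because its dpkg-buildflags is what supplied the hardening flags at compat 9; hardening-wrapper only injects its flags when DEB_BUILD_HARDENING=1 is exported from debian/rules. The embedded patch description says "Change d/control and d/rules", but no debian/rules hunk is visible in this diff; include it, otherwise the new build-dependency is a no-op and the package is built without hardening. The Vcs-Svn and Vcs-Browser fields are left pointing at the wheezy branch location, which is fine for a ~deb6u1 rebuild but worth a mention in the changelog if the squeeze-lts packaging is kept elsewhere.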
diff -Nru wireshark-1.8.2/debian/patches/backport-to-squeeze.patch wireshark-1.8.2/debian/patches/backport-to-squeeze.patch
--- wireshark-1.8.2/debian/patches/backport-to-squeeze.patch	1970-01-01 01:00:00.0 +0100
+++ wireshark-1.8.2/debian/patches/backport-to-squeeze.patch	2015-04-12 16:07:40.0 +0200
@@ -0,0 +1,34 @@
+Author: Balint Reczey 
+Description: Change d/control and d/rules to use build on Squeeze
+ This is useful for back-porting.
+
+--- ./debian/compat	(revision 26101)
 ./debian/compat	(working copy)
+@@ -1 +1 @@
+-9
++8
+--- ./debian/control	(revision 26101)
 ./debian/control	(working copy)
+@@ -4,7 +4,7 @@
+ Maintainer: Balint Reczey 
+ DM-Upload-Allowed: yes
+ Standards-Version: 3.9.3
+-Build-Depends: libgtk2.0-dev (>=2.4.0-0), libpcap0.8-dev, flex, libz-dev, debhelper (>= 9), po-debconf, libtool, python (>= 2.6.6-3~), python-ply, automake, autoconf, autotools-dev, libc-ares-dev, xsltproc, docbook-xsl (>= 1.64.1.0-0), libxml2-utils, libpcre3-dev, libcap2-dev [linux-any] | libcap-dev (>= 2.17) [linux-any], bison, libgnutls-dev, portaudio19-dev, libkrb5-dev, liblua5.1-0-dev, libsmi2-dev, libgeoip-dev, dpkg-dev (>= 1.16.1~)
++Build-Depends: libgtk2.0-dev (>=2.4.0-0), libpcap0.8-dev, flex, libz-dev, debhelper (>= 8), po-debconf, libto
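Review bot: this file repeats, as a quilt-style patch under debian/patches, the same debian/compat and debian/control edits that the two hunks above already apply directly to the source tree. If backport-to-squeeze.patch is listed in debian/patches/series, applying it at build time fails because the target lines already read `8` and `debhelper (>= 8)`; if it is not listed, it is unused and only adds a second copy that has to be kept in sync. Keep one mechanism, normally the direct edits to debian/ for a ~deb6u1 rebuild, and drop the other. The header also reads "Change d/control and d/rules to use build on Squeeze" while the visible part of the patch touches d/compat and d/control, so the description should name the files it actually changes.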

Re: How to deal with wireshark CVE affecting Squeeze

2015-04-12 Thread Raphael Hertzog
On Sun, 12 Apr 2015, Bálint Réczey wrote:
> I have prepared the attached patch implementing b.). If no one opposes
> I will upload it on Tuesday.
> The change is not backwards-compatible in a sense that custom software
> may break, but those
> who build systems using wireshark should have upgraded to more recent
> versions already.

Great, thanks! Please make sure to write a more detailed DLA with
information about the major changes that admins need to be aware of...

And open another bug against debian-security-support to delist wireshark
since it's again supported :)

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/





Re: How to deal with wireshark CVE affecting Squeeze

2015-04-14 Thread Bálint Réczey
Hi,

2015-04-12 20:36 GMT+02:00 Raphael Hertzog :
> On Sun, 12 Apr 2015, Bálint Réczey wrote:
>> I have prepared the attached patch implementing b.). If no one opposes
>> I will upload it on Tuesday.
>> The change is not backwards-compatible in a sense that custom software
>> may break, but those
>> who build systems using wireshark should have upgraded to more recent
>> versions already.
>
> Great, thanks! Please make sure to write a more detailed DLA with
> information about the major changes that admins need to be aware of...
I have prepared the DLA and uploaded the fixed package but it ended up in NEW.
Dear FTP Masters, please accept it.

>
> And open another bug against debian-security-support to delist wireshark
> since it's again supported :)
I would like to wait with that, since there was a lot of back and
forth changes already. :-)

Cheers,
Balint





Re: How to deal with wireshark CVE affecting Squeeze

2015-04-14 Thread Holger Levsen
Hi Balint,

On Tuesday, 14 April 2015, Bálint Réczey wrote:
> I have prepared the DLA and uploaded the fixed package but it ended up in
> NEW. Dear FTP Masters, please accept it.

what distribution did you use in debian/changelog?
 

cheers,
Holger




Re: How to deal with wireshark CVE affecting Squeeze

2015-04-14 Thread Bálint Réczey
2015-04-14 14:47 GMT+02:00 Holger Levsen :
> Hi Balint,
>
> On Tuesday, 14 April 2015, Bálint Réczey wrote:
>> I have prepared the DLA and uploaded the fixed package but it ended up in
>> NEW. Dear FTP Masters, please accept it.
>
> what distribution did you use in debian/changelog?
squeeze-lts, both in *.changes and *.changelog.
The binary package names changed quite a lot so I think entering NEW
was reasonable.

Cheers,
Balint





Re: How to deal with wireshark CVE affecting Squeeze

2015-04-14 Thread Holger Levsen
On Tuesday, 14 April 2015, Bálint Réczey wrote:
> squeeze-lts, both in *.changes and *.changelog.
> The binary package names changed quite a lot so I think entering NEW
> was reasonable.

ah. makes sense :)




Re: How to deal with wireshark CVE affecting Squeeze

2015-04-21 Thread Raphael Hertzog
Hi Balint,

On Tue, 14 Apr 2015, Bálint Réczey wrote:
> I have prepared the DLA and uploaded the fixed package but it ended up in NEW.
> Dear FTP Masters, please accept it.

FTR the package has been accepted on the same day. However I have not seen
DLA-198-1 on debian-lts-announce@l.d.o (did you forget to sign it?).

I just noticed that the DLA data had two small mistakes:
- it said version 1.2.11-6+squeeze15 instead of 1.8.2-5wheezy15~deb6u1
- CVE-2015-0562 was missing from the list of fixed CVEs

I fixed both of those in the security tracker, you might want
to fix them in your announce before sending it to
debian-lts-announce@l.d.o.

> I would like to wait with that, since there was a lot of back and
> forth changes already. :-)

Sure, as long as you don't forget about it. :)

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/





Re: How to deal with wireshark CVE affecting Squeeze

2015-04-21 Thread Bálint Réczey
Hi Raphael,

2015-04-21 15:58 GMT+02:00 Raphael Hertzog :
> Hi Balint,
>
> On Tue, 14 Apr 2015, Bálint Réczey wrote:
>> I have prepared the DLA and uploaded the fixed package but it ended up in 
>> NEW.
>> Dear FTP Masters, please accept it.
>
> FTR the package has been accepted on the same day. However I have not seen
> DLA-198-1 on debian-lts-announce@l.d.o (did you forget to sign it?).
I tried sending it several times even after subscribing to the list but
they did not go through.
I have sent you now the DLA privately, please tell me if there is
something wrong with it.

>
> I just noticed that the DLA data had two small mistakes:
> - it said version 1.2.11-6+squeeze15 instead of 1.8.2-5wheezy15~deb6u1
> - CVE-2015-0562 was missing from the list of fixed CVEs
Thanks!

>
> I fixed both of those in the security tracker, you might want
> to fix them in your announce before sending it to
> debian-lts-announce@l.d.o.
>
>> I would like to wait with that, since there was a lot of back and
>> forth changes already. :-)
>
> Sure, as long as you don't forget about it. :)
No, I kept it on my TODO list.

Cheers,
Balint





Re: How to deal with wireshark CVE affecting Squeeze

2015-04-22 Thread Raphael Hertzog
On Tue, 21 Apr 2015, Bálint Réczey wrote:
> > FTR the package has been accepted on the same day. However I have not seen
> > DLA-198-1 on debian-lts-announce@l.d.o (did you forget to sign it?).
> I tried sending it several times even after subscirbing the list but
> they did not go throught.
> I have sent you now the DLA privately, please tell me if there is
> something wrong with it.

I did not see anything wrong, I forwarded your mail to the listmasters.
Let's see if they have more data.

If you want me to send it on your behalf, let me know.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

