On Fri, Nov 21, 2014 at 11:01:15PM +0100, Romain Francoise wrote:
> On Fri, Nov 21, 2014 at 03:47:06PM -0500, Michael Richardson wrote:
> > It's supposed to happen, but I'm checking.
> > Should be there now. Is cron failing to do its thing?
>
> Ok, the fixes still aren't on master, but now there's a tcpdump-4.7
> branch with the commits I need.

Please, can somebody with push access fix this. Also it would be nice if we agree on a single place where development happens and stick to that. Because bpf.tcpdump.org has a bad track-record (IIRC multiple power, network failures in the past) I am for sticking with GitHub.

> So I apparently need all of these?
>
> 3f5693a 10 days ago Guy Harris Report a too-long unreachable destination list.
> 54d2912 10 days ago Guy Harris Not using offsetof() any more, so no need for <stddef.h>.
> e302ff0 10 days ago Guy Harris Further cleanups.
> 3e8a443 10 days ago Guy Harris Clean up error message printing.
> ab4e52b 10 days ago Guy Harris Add initial bounds check, get rid of union aodv.
> 4038f83 10 days ago Guy Harris Do more bounds checking and length checking.
> 9255c9b 10 days ago Guy Harris Do bounds checking and length checking.
>
> print-aodv.c | 481 ++++++++++++++++++++++++++-------------------------
> print-geonet.c | 270 ++++++++++++++++++--------------
> print-olsr.c | 56 +++++--
> 3 files changed, 417 insertions(+), 390 deletions(-)
>
> That's a lot bigger than typical security patches. :(

Yes, I spent a good couple of hours backporting those to older versions we have in Fedora 19 and 20.

> > It's in the tcpdump.org/beta/ directory, but I didn't want to release
> > until the distros had a chance to patch.
>
> But did you notify the distros? Because I didn't get advance notice, and
> the others haven't released security updates yet either.

I was notified by Red Hat Security Response Team once CVEs were public. In the disclosure report there was a mention of existing patches therefore I checked GitHub because that is the place where most of the development happens these days, and found no fixes. I started to work on the patches ASAP and after submitting the first one as Pull Request #413 I was told that patches actually do exist but the legacy place where tcpdump/libpcap code lives was not synced to GitHub for days.

Michal

> Thanks,
> --
> Romain Francoise <rfranco...@debian.org>
> http://people.debian.org/~rfrancoise/
> _______________________________________________
> tcpdump-workers mailing list
> tcpdump-workers@lists.tcpdump.org
> https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers