Further discussion with mdeslaur on IRC and messages on
https://bugs.launchpad.net/ubuntu/+source/wireshark/+bug/1401314 from
Evan have come up with a potential course of action, as follows:  (Note
the other bug there will be duped to this one).

(1) For Precise, we will work off of 1.6.16 as a base to fix 1.6.x targeted 
CVEs.  Additional work will need to be done before that is accepted in Precise 
to specifically address whether all the later CVEs also affect 1.6.16, in which 
case they will need to be backported.
(2) For Trusty, we will work off of 1.10.11 as a base to fix all 1.10.x 
targeted CVEs.  Additional work will need to be done before that is accepted in 
Trusty to specifically address whether all the later CVEs also affect 1.10.x, 
in which case they will need to be backported.
(3) For Utopic, we are going to take the 1.12.1 tarball from Vivid and use the 
Utopic packaging.  We are also going to be nitpicking the patches from the 
Vivid packaging in 1.12.1+g01b65bf-2 which address CVEs which were fixed in 
1.12.2.

For (1) and (2), this will be a somewhat longer process of poking at the
version and identifying what other CVEs also need patching (and were
perhaps ignored at the time of the CVE for 1.6.x as that was
end-of-life).

For (3), I'll work on the packaging and get a debdiff available within a
reasonable amount of time, my schedule permitting.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1397091

Title:
  [Security] Update Wireshark in Precise, Trusty, and Utopic to include
  relevant security patches.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/wireshark/+bug/1397091/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
