Bugzilla – Bug 848738
VUL-0: CVE-2013-6337: wireshark: security updates to 1.8.11 and 1.10.3
Last modified: 2013-12-27 12:19:30 UTC
Via http://www.wireshark.org/docs/relnotes/wireshark-1.10.3.html

The following vulnerabilities have been fixed.

wnpa-sec-2013-61
The IEEE 802.15.4 dissector could crash. (Bug 9139)
Versions affected: 1.10.0 to 1.10.2, 1.8.0 to 1.8.10
CVE-2013-6336

wnpa-sec-2013-62
The NBAP dissector could crash. Discovered by Laurent Butti. (Bug 9168)
Versions affected: 1.10.0 to 1.10.2, 1.8.0 to 1.8.10
CVE-2013-6337

wnpa-sec-2013-63
The SIP dissector could crash. (Bug 9228)
Versions affected: 1.10.0 to 1.10.2, 1.8.0 to 1.8.10
CVE-2013-6338

wnpa-sec-2013-64
The OpenWire dissector could go into a large loop. Discovered by Murali. (Bug 9248)
Versions affected: 1.10.0 to 1.10.2, 1.8.0 to 1.8.10
CVE-2013-6339

wnpa-sec-2013-65
The TCP dissector could crash. (Bug 9263)
Versions affected: 1.10.0 to 1.10.2, 1.8.0 to 1.8.10
CVE-2013-6340

http://www.wireshark.org/docs/relnotes/wireshark-1.8.11.html

The following vulnerabilities have been fixed.

wnpa-sec-2013-61
The IEEE 802.15.4 dissector could crash. (Bug 9139)
Versions affected: 1.10.0 to 1.10.2, 1.8.0 to 1.8.10
CVE-2013-6336

wnpa-sec-2013-62
The NBAP dissector could crash. Discovered by Laurent Butti. (Bug 9168)
Versions affected: 1.10.0 to 1.10.2, 1.8.0 to 1.8.10
CVE-2013-6337

wnpa-sec-2013-63
The SIP dissector could crash. (Bug 9228)
Versions affected: 1.10.0 to 1.10.2, 1.8.0 to 1.8.10
CVE-2013-6338

wnpa-sec-2013-64
The OpenWire dissector could go into a large loop. Discovered by Murali. (Bug 9248)
Versions affected: 1.10.0 to 1.10.2, 1.8.0 to 1.8.10
CVE-2013-6339

wnpa-sec-2013-65
The TCP dissector could crash. (Bug 9263)
Versions affected: 1.10.0 to 1.10.2, 1.8.0 to 1.8.10
CVE-2013-6340
This is an autogenerated message for OBS integration: This bug (848738) was mentioned in https://build.opensuse.org/request/show/205585 Factory / wireshark
Maintenance request for openSUSE 12.2, 12.3 and 13.1: https://build.opensuse.org/request/show/205585
(In reply to comment #2)
> Maintenance request for openSUSE 12.2, 12.3 and 13.1: https://build.opensuse.org/request/show/205587
(In reply to comment #3)
> (In reply to comment #2)
> > Maintenance request for openSUSE 12.2, 12.3 and 13.1:
> > https://build.opensuse.org/request/show/205587

1.10.3 was copied to 13.1. Maintenance request for 12.2 and 12.3 only: https://build.opensuse.org/request/show/205665
are we, SLE, affected as well?
(In reply to comment #5)
> are we, SLE, affected as well?

SLE-11 yes, last update there should be 1.8.10 or so, see Bug 839607

SLE-10 1.6.16 .. 1.6.x is discontinued upstream. Upstream makes no statement about whether discontinued releases are affected. Since all of the items above show "from 1.8.0" that may very well be the case. Maybe update to 1.8.x as openSUSE did?

SLE-9 1.0.16 ancient....
The SWAMPID for this issue is 54917. This issue was rated as moderate. Please submit fixed packages until 2013-11-18. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
(In reply to comment #6)
> (In reply to comment #5)
> > are we, SLE, affected as well?
>
> SLE-11 yes, last update there should be 1.8.10 or so, see Bug 839607

I'll update SLE-11.

> SLE-10 1.6.16 .. 1.6.x is discontinued upstream. Upstream makes no statement
> about whether discontinued releases are affected. Since all of the items above
> show "from 1.8.0" that may very well be the case. Maybe update to 1.8.x as
> openSUSE did?

As mentioned in Bug#792005: wireshark-1.8.x requires gtk+ >= 2.12 and glib >= 2.14, but SLE-10 only has gtk+ 2.8 and glib 2.8, update to 1.8.x failed. So, for a long time, SLE-10 only updates to 1.6.x.
This is an autogenerated message for OBS integration: This bug (848738) was mentioned in https://build.opensuse.org/request/show/206406 Evergreen:11.2:Test / wireshark
openSUSE-SU-2013:1671-1: An update that fixes 5 vulnerabilities is now available.
Category: security (moderate)
Bug References: 848738
CVE References: CVE-2013-6336,CVE-2013-6337,CVE-2013-6338,CVE-2013-6339,CVE-2013-6340
Sources used:
openSUSE 12.3 (src): wireshark-1.8.11-1.24.1
openSUSE 12.2 (src): wireshark-1.8.11-1.43.1
openSUSE-SU-2013:1675-1: An update that fixes 5 vulnerabilities is now available.
Category: security (moderate)
Bug References: 848738
CVE References: CVE-2013-6336,CVE-2013-6337,CVE-2013-6338,CVE-2013-6339,CVE-2013-6340
Sources used:
openSUSE 11.4 (src): wireshark-1.8.11-61.1
This is an autogenerated message for OBS integration: This bug (848738) was mentioned in https://build.opensuse.org/request/show/206968 Evergreen:11.2 / wireshark
Updates already released for openSUSE. SLE status unknown. cc security team to be picked up for SLE if required. Assigning to assignee of dependent bug 839607
Update released for: wireshark, wireshark-debuginfo, wireshark-debugsource, wireshark-devel
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
Update released for: wireshark, wireshark-debuginfo, wireshark-debugsource, wireshark-devel
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Update released for: wireshark, wireshark-debuginfo, wireshark-debugsource, wireshark-devel
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
I guess that's all updates?