Salvatore,

I have been creating and testing fixes. I also have updated CHANGELOG as suggested below. Currently my fixes are in Beta.
Can you tell me what "Please adjust the affected versions in the BTS as needed" means? Does that mean that I have to do something other than closing the bug in GitHub?

Thanks,
Fred Klassen (Tcpreplay maintainer).

> On Oct 20, 2018, at 12:47 PM, Salvatore Bonaccorso <car...@debian.org> wrote:
>
> Source: tcpreplay
> Version: 4.2.6-1
> Severity: important
> Tags: security upstream
> Forwarded: https://github.com/appneta/tcpreplay/issues/489
>
> Hi,
>
> The following vulnerability was published for tcpreplay.
>
> CVE-2018-18408[0]:
> | A use-after-free was discovered in the tcpbridge binary of Tcpreplay
> | 4.3.0 beta1. The issue gets triggered in the function post_args() at
> | tcpbridge.c, causing a denial of service or possibly unspecified other
> | impact.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2018-18408
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18408
> [1] https://github.com/appneta/tcpreplay/issues/489
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
>