On Tue, 29 Mar 2022 at 00:10, Peter J. Holzer <[email protected]> wrote:
> They are about a year apart, so they will usually contain different
> versions of most packages right from the start. So the Ubuntu and Debian
> security teams probably can't benefit much from each other.
Well, this is what my updater on Lubuntu says to me today:
Changes for tcpdump versions:
Installed version: 4.9.3-0ubuntu0.18.04.1
Available version: 4.9.3-0ubuntu0.18.04.2

Version 4.9.3-0ubuntu0.18.04.2:

  * SECURITY UPDATE: buffer overflow in read_infile
    - debian/patches/CVE-2018-16301.patch: Add check of
      file size before allocating and reading content in
      tcpdump.c and netdissect-stdinc.h.
    - CVE-2018-16301
  * SECURITY UPDATE: resource exhaustion with big packets
    - debian/patches/CVE-2020-8037.patch: Add a limit to the
      amount of space that can be allocated when reading the
      packet.
    - CVE-2020-8037
I use an LTS version. So it seems that Ubuntu benefits from Debian
security patches. Not sure about the contrary.
--
https://mail.python.org/mailman/listinfo/python-list
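Added example, not tcpdump's code and not the Ubuntu patch: a bounded file read in the spirit of the CVE-2018-16301 fix quoted in the changelog above (check the input's size against a cap before allocating and reading), and the same cap idea is what the CVE-2020-8037 entry describes for packet allocation. The function names, the fseek/ftell size probe and the 4 MiB cap are assumptions made for this illustration.

```c
/* Added illustration (not tcpdump's code) of the fix the changelog describes:
 * check the input file's size against a cap BEFORE allocating and reading.
 * The function names and the 4 MiB cap are assumptions for this example. */
#include <stdio.h>
#include <stdlib.h>
#define MAX_INFILE_BYTES (4u * 1024u * 1024u)   /* assumed cap for a filter file */

/* Read all of fp into a NUL-terminated heap buffer. Returns NULL and sets *len
 * to 0 if the size cannot be determined, exceeds cap, or the read comes up short. */
char *read_infile_bounded(FILE *fp, size_t cap, size_t *len)
{
    *len = 0;
    if (fseek(fp, 0, SEEK_END) != 0)
        return NULL;                  /* not seekable: no trustworthy size */
    long end = ftell(fp);
    if (end < 0 || (unsigned long)end > cap)
        return NULL;                  /* the size check: refuse oversized input */
    size_t size = (size_t)end;
    char *buf = malloc(size + 1);     /* size <= cap, so size + 1 cannot wrap */
    if (buf == NULL) return NULL;
    rewind(fp);
    if (fread(buf, 1, size, fp) != size) { free(buf); return NULL; }  /* short read */
    buf[size] = '\0';
    *len = size;
    return buf;
}

/* Demo: write n constructed filter lines (27 bytes each) to a temp file, read
 * it back under cap, and return bytes read, or -1 if the reader rejected it. */
long demo_bounded_read(size_t n, size_t cap)
{
    static const char line[] = "tcp port 80 or udp port 53\n";   /* constructed */
    FILE *fp = tmpfile();
    if (fp == NULL) return -1;
    for (size_t i = 0; i < n; i++)
        fwrite(line, 1, sizeof line - 1, fp);
    fflush(fp);
    size_t len;
    char *buf = read_infile_bounded(fp, cap, &len);
    long result = buf ? (long)len : -1;
    free(buf);
    fclose(fp);
    return result;
}

int main(void)
{
    printf("3 lines, 4 MiB cap: %ld bytes\n", demo_bounded_read(3, MAX_INFILE_BYTES));
    printf("10 lines, 100-byte cap: %ld (rejected)\n", demo_bounded_read(10, 100));
    return 0;
}
```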