[tcpdump-workers] Official patches for CVE-2014-8767/CVE-2014-8768/CVE-2014-8769?

2014-11-21 Thread Romain Francoise
Hi,

I'm looking for the official patches for CVE-2014-8767, CVE-2014-8768
and CVE-2014-8769 but they don't seem to be in the Github repository.
The advisories also mention a 4.7.0 version with the fixes, but it's not
there either.

More info:
http://seclists.org/bugtraq/2014/Nov/88
http://seclists.org/bugtraq/2014/Nov/89
http://seclists.org/bugtraq/2014/Nov/90

Thanks,
-- 
Romain Francoise 
http://people.debian.org/~rfrancoise/
___
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers


Re: [tcpdump-workers] Official patches for CVE-2014-8767/CVE-2014-8768/CVE-2014-8769?

2014-11-21 Thread Guy Harris

On Nov 21, 2014, at 1:00 AM, Romain Francoise wrote:

> I'm looking for the official patches for CVE-2014-8767, CVE-2014-8768
> and CVE-2014-8769 but they don't seem to be in the Github repository.

Michael, are changes made to the bpf.tcpdump.org repository still getting 
pushed to the Github repository?  There was a time when they were.

> The advisories also mention a 4.7.0 version with the fixes, but it's not
> there either.

I don't think it's out yet - Michael?



Re: [tcpdump-workers] Official patches for CVE-2014-8767/CVE-2014-8768/CVE-2014-8769?

2014-11-21 Thread Michael Richardson

Guy Harris wrote:
>> I'm looking for the official patches for CVE-2014-8767, CVE-2014-8768
>> and CVE-2014-8769 but they don't seem to be in the Github repository.

> Michael, are changes made to the bpf.tcpdump.org repository still
> getting pushed to the Github repository?  There was a time when they
> were.
 
It's supposed to happen, but I'm checking.
Should be there now.  Is cron failing to do its thing?

>> The advisories also mention a 4.7.0 version with the fixes, but it's not
>> there either.

> I don't think it's out yet - Michael?

It's in the tcpdump.org/beta/ directory, but I didn't want to release until
the distros had a chance to patch.



Re: [tcpdump-workers] Official patches for CVE-2014-8767/CVE-2014-8768/CVE-2014-8769?

2014-11-21 Thread Romain Francoise
On Fri, Nov 21, 2014 at 03:47:06PM -0500, Michael Richardson wrote:
> It's supposed to happen, but I'm checking.
> Should be there now.  Is cron failing to do its thing?

Ok, the fixes still aren't on master, but now there's a tcpdump-4.7
branch with the commits I need.

So I apparently need all of these?

3f5693a 10 days ago Guy Harris Report a too-long unreachable destination list.
54d2912 10 days ago Guy Harris Not using offsetof() any more, so no need for .
e302ff0 10 days ago Guy Harris Further cleanups.
3e8a443 10 days ago Guy Harris Clean up error message printing.
ab4e52b 10 days ago Guy Harris Add initial bounds check, get rid of union aodv.
4038f83 10 days ago Guy Harris Do more bounds checking and length checking.
9255c9b 10 days ago Guy Harris Do bounds checking and length checking.

 print-aodv.c   | 481 ++---
 print-geonet.c | 270 ++--
 print-olsr.c   |  56 +--
 3 files changed, 417 insertions(+), 390 deletions(-)

That's a lot bigger than typical security patches. :(

> It's in the tcpdump.org/beta/ directory, but I didn't want to release
> until the distros had a chance to patch.

But did you notify the distros? Because I didn't get advance notice, and
the others haven't released security updates yet either.

Thanks,
-- 
Romain Francoise 
http://people.debian.org/~rfrancoise/
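The situation Romain describes above (the fixes sit on a tcpdump-4.7 branch but not on master, and a distro maintainer has to pull out exactly the right set of commits) is what `git format-patch master..tcpdump-4.7` is for. The script below is an added example, not code from this thread or from the tcpdump project: it builds a throwaway repository that imitates that layout, extracts the branch-only commits as a patch series, applies them onto master with `git am`, and checks the result. The repository contents, commit messages, the CHANGES file and the file name print-aodv.c are constructed for illustration; the branch names master and tcpdump-4.7 are the ones used in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the tcpdump project): demonstrate
# extracting security fixes that exist only on a release branch as a patch
# series, and applying them to master. Everything in the toy repository
# below is constructed for illustration.
set -eu

if ! command -v git >/dev/null 2>&1; then
    echo "git not found; nothing to demonstrate" >&2
    exit 0
fi

# Build a toy repository: one commit on master that the branch lacks, and
# two fix commits on tcpdump-4.7 that master lacks (the same shape as the
# real tree described in the thread, with constructed content).
make_repo() {
    repo=$1
    rm -rf "$repo"
    git init -q "$repo"
    git -C "$repo" symbolic-ref HEAD refs/heads/master
    git -C "$repo" config user.name "Example"
    git -C "$repo" config user.email "example@example.invalid"
    git -C "$repo" config commit.gpgsign false
    printf 'aodv_print: no length check\n' > "$repo/print-aodv.c"
    git -C "$repo" add print-aodv.c
    git -C "$repo" commit -q -m "Initial import"
    git -C "$repo" branch -q tcpdump-4.7
    printf 'master-only change\n' > "$repo/CHANGES"
    git -C "$repo" add CHANGES
    git -C "$repo" commit -q -m "Unrelated change on master"
    git -C "$repo" checkout -q tcpdump-4.7
    printf 'aodv_print: check length before reading header\n' > "$repo/print-aodv.c"
    git -C "$repo" commit -q -am "Do bounds checking and length checking."
    printf 'aodv_print: check length before reading header and extensions\n' \
        > "$repo/print-aodv.c"
    git -C "$repo" commit -q -am "Do more bounds checking and length checking."
    git -C "$repo" checkout -q master
}

# Write every commit reachable from tcpdump-4.7 but not from master as a
# numbered mbox-style patch series (oldest first) into directory $2.
extract_fixes() {
    git -C "$1" format-patch -q -o "$2" master..tcpdump-4.7
}

# Number of patch files produced by extract_fixes.
count_patches() {
    ls "$1"/*.patch | wc -l | tr -d ' '
}

# Apply the series onto master in order (git am keeps author and message).
apply_fixes() {
    git -C "$1" checkout -q master
    git -C "$1" am -q "$2"/*.patch
}

# Exit 0 when master and the branch now agree on print-aodv.c, 1 otherwise.
fixes_match() {
    git -C "$1" diff --quiet master tcpdump-4.7 -- print-aodv.c
}

demo() {
    work=$(mktemp -d)
    make_repo "$work/tcpdump"
    extract_fixes "$work/tcpdump" "$work/patches"
    echo "patches to backport:"
    ls "$work/patches"
    apply_fixes "$work/tcpdump" "$work/patches"
    git -C "$work/tcpdump" log --oneline master
    rm -rf "$work"
}
demo
```

Against the real tree the same two commands do the job: `git log --oneline master..tcpdump-4.7` lists exactly the commits that still need to go to master (git log prints newest first, so a list like the seven hashes quoted above is applied bottom-up), and `git diff --stat master tcpdump-4.7 -- print-aodv.c print-geonet.c print-olsr.c` after applying should come back empty if nothing was missed.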


Re: [tcpdump-workers] Official patches for CVE-2014-8767/CVE-2014-8768/CVE-2014-8769?

2014-11-21 Thread Romain Francoise
On Fri, Nov 21, 2014 at 11:01:15PM +0100, Romain Francoise wrote:
> But did you notify the distros? Because I didn't get advance notice, and
> the others haven't released security updates yet either.

Oh, actually I'm wrong: Fedora has updated packages.

-- 
Romain Francoise 
http://people.debian.org/~rfrancoise/