On Mar 18, 2013, at 11:13 AM, Michael Richardson <m...@sandelman.ca> wrote:
> >>>>>> "Raymond" == Raymond Borges <borgesraym...@gmail.com> writes:
>     Raymond> Specifically we are studying how versions fixed
>     Raymond> vulnerabilities by diffing the code functions where the CVE
>     Raymond> states the vulnerability was. We're also wondering why
>     Raymond> there are no listed CVEs after 2007 for tcpdump.
>     Raymond> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tcpdump
>
> There would be no CVEs prior to 3.5, because CVEs didn't exist.

Actually, CVE-1999-1024 is against "3.4a":

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1024

(What happened with 3.4? Did the LBL people not say "hey, we've released the final 3.4 version, no need to keep using the 3.4a alpha version" loudly enough, or did nobody notice? I've seen places where people thought "3.4a" was the final 3.4 version....)

> I am unaware of a CVE against tcpdump since 2007.

That's good, right? I.e., perhaps there are no listed CVEs after 2007 because there aren't any serious vulnerabilities in tcpdump any more.

I'm not naive enough to *assume* all the problems have been fixed and no new ones have been introduced, but perhaps, either because they haven't looked hard enough or because they're not there, nobody's found any vulnerabilities since 2007.

(Michael, have you gotten Coverity Scan set up to do either nightly or post-commit runs on libpcap and tcpdump?

http://scan.coverity.com

That's one way of getting the code checked. I also did a Clang Static Humiliator run on both of them a while ago, and fixed some issues it found.)

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers