[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE requests: Poppler, Quassel, Pyfribidi,
From:       Vincent Danen <vdanen () redhat ! com>
Date:       2010-10-12 15:15:04
Message-ID: 20101012151504.GT1955 () redhat ! com

* [2010-10-11 16:42:27 -0700] Gerald Combs wrote:

>Vincent Danen wrote:
>> * [2010-10-01 13:33:47 -0700] Gerald Combs wrote:
>>
>>> Vincent Danen wrote:
>>>> * [2010-09-29 15:06:31 -0400] Josh Bressers wrote:
>>>>
>>>>>> 7. Wireshark BER dissector
>>>>>> http://archives.neohapsis.com/archives/bugtraq/2010-09/0088.html
>>>>>>
>>>>>
>>>>> This one looks like a stack overflow, the advisory isn't very clear, but
>>>>> claims there are two possible outcomes. We can always split later if
>>>>> needed.
>>>>> CVE-2010-3445
>>>>
>>>> Gerald, are you aware of this issue?  Do you have further details
>>>> regarding it?  I poked around in bugzilla a bit but couldn't find
>>>> anything.
>>>>
>>>> It claims 1.4.0, but is not clear as to whether or not older versions
>>>> are affected.
>>>
>>> It's been fixed in the trunk (r34111) and is scheduled for inclusion in
>>> 1.4.1 and 1.2.12. We're tracking it in bug 5230:
>>>
>>>  https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5230
>>>
>>> The bug affects all BER dissectors and not just SNMP.
>>
>> Great.  Thank you for the information, Gerald.  That is very helpful.
>
>FYI, 1.4.1 and 1.2.12 have been released.

Thanks for the heads up, Gerald.  On the 1.2.12 release notes page at
least you have noted CVE-2010-????; the CVE name for that issue is
CVE-2010-3445 so you may want to update that.

Thanks again.

-- 
Vincent Danen / Red Hat Security Response Team 
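
The thread above identifies CVE-2010-3445 only as a stack overflow that affects all of Wireshark's BER dissectors; it does not state the root cause. The following C program is an added illustration, not Wireshark's code and not taken from any message in this thread. It shows the two guards a recursive-descent BER/TLV walker needs so that attacker-controlled input can neither drive the parser off the stack nor past the end of the buffer: a nesting-depth cap checked on entry to every level, and a check of each declared length against the bytes actually remaining before the element is descended into or skipped. BER_MAX_DEPTH, the function names, and the constructed sample inputs are this example's own choices, not values from the advisory or from the Wireshark fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Example-chosen nesting cap; a real dissector sizes this to its stack budget. */
#define BER_MAX_DEPTH 32

enum ber_status { BER_OK = 0, BER_TRUNCATED = -1, BER_BAD_LENGTH = -2, BER_TOO_DEEP = -3 };

/* Decode one identifier octet plus a definite-form length. Returns the header
 * size in bytes, or a negative ber_status. Refuses lengths past the buffer. */
static int ber_read_header(const uint8_t *buf, size_t len, int *constructed, size_t *content_len)
{
    if (len < 2) return BER_TRUNCATED;
    if ((buf[0] & 0x1f) == 0x1f) return BER_BAD_LENGTH;   /* high-tag-number form: out of scope */
    *constructed = (buf[0] & 0x20) != 0;
    size_t pos = 1;
    uint8_t first = buf[pos++];
    if (first < 0x80) {
        *content_len = first;                              /* short form */
    } else {
        unsigned nbytes = first & 0x7f;                    /* long form: nbytes length octets */
        if (nbytes == 0 || nbytes > sizeof(size_t)) return BER_BAD_LENGTH; /* 0x80 = indefinite */
        if (len - pos < nbytes) return BER_TRUNCATED;
        size_t l = 0;
        for (unsigned i = 0; i < nbytes; i++) l = (l << 8) | buf[pos++];
        *content_len = l;
    }
    if (*content_len > len - pos) return BER_TRUNCATED;    /* the bounds check on every element */
    return (int)pos;
}

/* Recursive-descent walk over a run of TLVs. Depth is tested on entry, so a
 * deeply nested input fails fast instead of costing one stack frame per level. */
static int ber_walk(const uint8_t *buf, size_t len, unsigned depth, size_t *primitives)
{
    if (depth > BER_MAX_DEPTH) return BER_TOO_DEEP;
    size_t pos = 0;
    while (pos < len) {
        int constructed;
        size_t clen;
        int hdr = ber_read_header(buf + pos, len - pos, &constructed, &clen);
        if (hdr < 0) return hdr;
        pos += (size_t)hdr;
        if (constructed) {
            int rc = ber_walk(buf + pos, clen, depth + 1, primitives);
            if (rc < 0) return rc;
        } else {
            (*primitives)++;
        }
        pos += clen;
    }
    return BER_OK;
}

/* Entry point: status, plus the number of primitive elements visited. */
int ber_check(const uint8_t *buf, size_t len, size_t *primitives)
{
    *primitives = 0;
    return ber_walk(buf, len, 0, primitives);
}

/* Constructed sample: `depth` SEQUENCEs wrapped around one INTEGER 5, short-form
 * lengths only (valid for depth <= 62). Returns bytes written, or 0. */
size_t build_nested(uint8_t *out, size_t cap, unsigned depth)
{
    if (depth > 62 || 2 * (size_t)depth + 3 > cap) return 0;
    size_t pos = 0;
    for (unsigned i = 0; i < depth; i++) {
        out[pos++] = 0x30;                                 /* SEQUENCE, constructed */
        out[pos++] = (uint8_t)(3 + 2 * (depth - 1 - i));   /* bytes that follow inside */
    }
    out[pos++] = 0x02; out[pos++] = 0x01; out[pos++] = 0x05; /* INTEGER 5 */
    return pos;
}

/* Status of walking a chain `depth` levels deep; primitive count goes to *prims. */
int nested_status(unsigned depth, size_t *prims)
{
    uint8_t buf[256];
    size_t n = build_nested(buf, sizeof buf, depth);
    return n ? ber_check(buf, n, prims) : BER_BAD_LENGTH;
}

/* Constructed malformed inputs: a SEQUENCE declaring 5 content bytes but carrying
 * 3, and an OCTET STRING using the indefinite length octet 0x80. */
const uint8_t SAMPLE_TRUNCATED[]  = { 0x30, 0x05, 0x02, 0x01, 0x05 };
const uint8_t SAMPLE_INDEFINITE[] = { 0x04, 0x80, 0x00, 0x00 };

int check_sample(const uint8_t *buf, size_t len)
{
    size_t prims; return ber_check(buf, len, &prims);
}

int main(void)
{
    size_t prims = 0;
    printf("depth 3: %d (%zu primitive)\n", nested_status(3, &prims), prims);
    printf("depth 40: %d\n", nested_status(40, &prims));
    printf("truncated: %d, indefinite: %d\n", check_sample(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED),
           check_sample(SAMPLE_INDEFINITE, sizeof SAMPLE_INDEFINITE));
    return 0;
}
```

Any C99 compiler builds it. With the cap at 32, a chain 32 levels deep walks cleanly and a chain 33 deep returns BER_TOO_DEEP before a single extra frame is pushed; the two malformed samples are rejected by the header decoder without ever being descended into. The point of placing the depth test at the top of ber_walk rather than in the caller is that every path into the function, including future ones, pays for the check.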