[Need fake sync] a lot vulnerabilities buffer overflow crash ddos

The update that corrects this was added to unstable http://metadata.ftp-master.debian.org/changelogs//main/w/wireshark/wireshark_1.10.6-1_changelog . Maybe when migrate to testing, ubuntu copy it from there to trusty. I do not think to update this package in previous versions of ubuntu.

I could not taste the binary debian unstable, because I use precise and some dependencies are not met. https://packages.debian.org/source/sid/wireshark

I downloaded the sources of the current version of the package and the new 1.10.6-1 and make a patch with debdiff. Maybe help.

The attachment "wireshark_1.10.6-1_security_fix_trusty-proposed" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

I see that vulnerabilities are already corrected in all or almost all versions of debian but not yet synchronized packages.

It should change the links repository, see bug #1282805

Debian has the new release, so for trusty, we can sync that. It would be really useful if you could prepare debdiffs for precise and saucy.

This bug was fixed in the package wireshark - 1.10.6-1
Sponsored for Alberto Jovito (thedemon007)

---------------
wireshark (1.10.6-1) unstable; urgency=high

  * New upstream release 1.10.6
    - release notes:
      https://wireshark.org/docs/relnotes/wireshark-1.10.6.html
    - security fixes:
      - The NFS dissector could crash. Discovered by Moshe Kaplan
        (CVE-2014-2281)
      - The M3UA dissector could crash. Discovered by Laurent Butti.
        (CVE-2014-2282)
      - The RLC dissector could crash. (CVE-2014-2283)
      - The MPEG file parser could overflow a buffer.
        Discovered by Wesley Neelen. (CVE-2014-2299)
  * Drop 10_allow-deprecated-gtk-functions.patch and
    11_fix-g_memmove-ftbfs-issues.patch since they are integrated upstream.
  * Generate symbols files
  * Ship wireshark.pc for pkg-config (Closes: #740716)

 -- Balint Reczey <email address hidden> Sat, 08 Mar 2014 18:26:41 +0100

(ubuntu-security-sponsors should probably be unsubscribed since there is no nothing to sponsor at the moment there)

@Sebastien They should not of unsubscribed, not yet fixed in previous versions of ubuntu.

@Scott To saucy can make a fake sync debian Jessie? https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue

Regarding "precise" would have to also update the libraries. I think it is also feasible to make a fake sync from debian wheezy. I'll try to make a debdiff, and test from my ppa as soon as i can.

Unsubscribing sponsors; trusty is done, there's nothing else to sponsor. ubuntu-sponsors cannot do security updates for stables.

Nevermind, this is already only subscribed by security-sponsors.

Synchronize the wireshark package from debian wheezy to my ppa for precise with syncpackage https://launchpad.net/~thedemon007/+archive/thedemon007 tried it and it works well. This is the debdiff he gave me. You can see in the changelog that a lot of vulnerabilities are corrected. https://launchpadlibrarian.net/169322272/wireshark_1.8.2-5wheezy10_source.changes

Alberto, thank you for the diff.gz, but it is not in a form that can be sponsored. Wireshark in precise is at version 1.6.7 so either all the patches need to be backported or you can pursue a one time exception for an SRU.

If backporting, can you prepare debdiffs as per https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging for each release you want to update?

If pursuing an SRU, I suggest first discussing it on IRC in #ubuntu-release on Freenode to make sure this is something that they would accept. If so, please follow https://wiki.ubuntu.com/StableReleaseUpdates#Procedure.

Thanks! Unsubscribing ubuntu-security-sponsors since there is nothing to sponsor at this time.

FYI-- this may help with justifying an SRU, etc: http://people.canonical.com/~ubuntu-security/cve/pkg/wireshark.html

saucy has seen the end of its life and is no longer receiving any updates. Marking the saucy task for this ticket as "Won't Fix".

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release