Wireshark-dev: Re: [Wireshark-dev] Security issue resolution in 1.0.x series.
On Jan 2, 2010, at 1:34 PM, Gerald Combs wrote:
>> I also see that 1.0.11 is being planned to be released. So will it
>> contain the fix for all the current open bugs/security issues?
>
> That's the plan.
More precisely, it will contain the fixes for all the current open bugs/security issues *that are present in the 1.0.x series*; obviously, it won't fix bugs/security issues *not* present in the 1.0.x series. That's why, for example, it will *not* fix
>> 1) A boundary error in the Daintree SNA file parser can be exploited
>> to cause a buffer overflow via a specially crafted capture file.
>>
>> Successful exploitation may allow execution of arbitrary code.
>>
>> 2) An error in the IPMI dissector on Windows can be exploited to cause a crash.
>>
>> The vulnerabilities are reported in versions 1.2.0 through 1.2.4.
because, as Gerald noted:
> No. Daintree SNA parser doesn't exist in the 1.0.x branch so there's no
> "there" there to patch. Similarly, the affected IPMI code doesn't exist
> in the 1.0.x branch.
which is why those vulnerabilities are reported in 1.2.0 through 1.2.4 but not in any 1.0.x releases, unlike the SMB and SMB2 vulnerabilities:
> 3) An error in the SMB and SMB2 dissectors can be exploited to cause a crash.
>
> The vulnerability is reported in versions 0.9.0 through 1.2.4.
which are also reported in all 1.0.x versions, as well as several pre-1.0.0 versions, in addition to 1.2.0 through 1.2.4.