Wireshark-dev: Re: [Wireshark-dev] [Wireshark-bugs] [Bug 16265] Some Windows packages need upda
From: Anders Broman <a.broman58@xxxxxxxxx>
Date: Mon, 9 Dec 2019 20:53:06 +0100
On Mon, 9 Dec 2019 19:42 <bugzilla-daemon@xxxxxxxxxxxxx> wrote:
> Comment # 5 on bug 16265 from Christopher Maynard
>
> (In reply to Pascal Quantin from comment #2)
> > If you are aware of security issues with the packages we bundle, please let
> > us know and we will see what we can do. Otherwise we generally do not update
> > the libraries in the stable version.
>
> Here's what I've found:
> =======================
> The Gtk+ 2-24 release notes can be found here: https://gitlab.gnome.org/GNOME/gtk/blob/gtk-2-24/NEWS. There is 1 CVE listed, although there are numerous bug fixes including for crashes.
>
> The Glib release notes can be found here: https://gitlab.gnome.org/GNOME/glib/blob/master/NEWS. There are 4 CVEs listed, 1 of which is fixed in the 2.61.2 release, which is after the 2.52 release. Obviously, there have been numerous bug fixes including for crashes as well.
>
> The latest Kerberos for Windows (https://web.mit.edu/kerberos/dist/) version is 4.1 based on MIT krb5 1.13, whereas 3.2.2 was based on 1.6.3. Historical releases can be found here: https://web.mit.edu/kerberos/dist/historic.html. It isn't quite as easy to review the changes for this project, but there are CVEs listed for this project too. (NOTE: I only looked at the CHANGES for 1.13.0, but I count a total of 39 releases after 1.6.3 up to and including 1.13.0.)
>
> The libxml2 changelog is here: https://gitlab.gnome.org/GNOME/libxml2/blob/master/ChangeLog. I believe version 2.9.10 was released a month ago; it's unclear to me if there were any CVEs fixed in this release.
>
> The Lua Binaries can be found at: http://luabinaries.sourceforge.net/download.html. There's 1 release newer than 5.2.4, namely 5.3.5. I didn't look for security vulnerabilities.
>
> The latest available release of nasm is 2.14.02 (with 2.14.03 in rc2 status), but that's 30 releases since 2.09.08: https://nasm.us/doc/nasmdocc.html. I don't see any CVEs mentioned, but there are numerous bug fixes, including for 4 mentioned crashes post-2.09.08.
>
> It would appear that there have been no updates to Portaudio since v19, so Wireshark 2.6 likely has the latest version: http://portaudio.com/download.html
>
> And finally, it would also appear that zlib 1.2.11 is the latest version available as well: http://www.zlib.net/
> =======================
> It isn't for me to judge the severity of these bugs and the impact (or non-impact) to Wireshark, but to try to bring it to the attention of the Wireshark community to decide what to do, if anything, regarding upgrading these packages (or not).
>
> (In reply to Pascal Quantin from comment #4)
> > When upgrading third party packages, you take the risk of introducing new
> > bugs (and yes it happened to us with Npcap for example). So it should be
> > handled on a case by case basis IMHO, and not done systematically.
> > Any help is welcome to maintain the packages up to date of course.
>
> True, but by not upgrading, you end up deploying packages with known bugs and vulnerabilities.
But upgrading to our latest package is probably better :-)
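As an added illustration (not part of this thread and not Wireshark's own tooling), the script below takes the bundled-versus-newest version pairs that the quoted comment lists for the Wireshark 2.6 Windows packages and flags the ones that lag upstream. The `BUNDLED`/`LATEST` table, the version parser and the function names are all constructed for this example; the only version numbers in it are the ones the comment cites. The parser handles the two traps visible in the comment's own data: zero-padded fields (nasm `2.09.08`) and release-candidate suffixes (`2.14.03rc2`), which a naive string comparison gets wrong.

```python
"""Added example (not Wireshark's code): flag bundled third-party packages whose
version lags the newest upstream release named in the thread above."""
import re
from typing import Dict, List, Tuple

# Constructed table. Bundled versions are the Wireshark 2.6 Windows packages the
# comment above names; "latest" is the newest release the same comment cites.
BUNDLED: Dict[str, str] = {
    "krb5":      "1.6.3",    # MIT krb5 behind Kerberos for Windows 3.2.2
    "lua":       "5.2.4",
    "nasm":      "2.09.08",
    "portaudio": "v19",
    "zlib":      "1.2.11",
}
LATEST: Dict[str, str] = {
    "krb5":      "1.13",     # MIT krb5 behind Kerberos for Windows 4.1
    "lua":       "5.3.5",
    "nasm":      "2.14.02",  # 2.14.03 was still at rc2 when the comment was written
    "portaudio": "v19",
    "zlib":      "1.2.11",
}

_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3  # a final release outranks any pre-release of the same number

_VERSION_RE = re.compile(
    r"v?(\d+(?:\.\d+)*)(?:[-.]?(alpha|beta|rc)(\d*))?", re.IGNORECASE
)


def parse_version(text: str) -> Tuple[Tuple[int, ...], Tuple[int, int]]:
    """Turn a version string into a key that sorts correctly with tuple comparison.

    - Numeric fields compare as integers, so '2.09.08' equals '2.9.8'.
    - Trailing zeros are dropped, so '1.13' equals '1.13.0'.
    - A pre-release tag ('2.14.03rc2') sorts below the final '2.14.03'.
    """
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(part) for part in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    if m.group(2):
        pre = (_PRE_RANK[m.group(2).lower()], int(m.group(3) or 0))
    else:
        pre = (_FINAL_RANK, 0)
    return (tuple(nums), pre)


def is_outdated(bundled: str, latest: str) -> bool:
    """True when the bundled version is strictly older than the latest one."""
    return parse_version(bundled) < parse_version(latest)


def lag_report(bundled: Dict[str, str],
               latest: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (name, bundled, latest) for every package that lags upstream."""
    report = []
    for name in sorted(bundled):
        if name not in latest:
            continue  # no upstream figure to compare against; skip rather than guess
        if is_outdated(bundled[name], latest[name]):
            report.append((name, bundled[name], latest[name]))
    return report


if __name__ == "__main__":
    for name, have, want in lag_report(BUNDLED, LATEST):
        print(f"{name}: bundled {have}, upstream {want}")
```

On the table above the report names krb5, lua and nasm and leaves portaudio and zlib alone. Version lag on its own says nothing about exposure: as the quoted comment itself notes, whether a given fix matters to Wireshark is a separate judgement, so in practice the lagging entries are the ones to check against their upstream release notes and advisories before deciding on an upgrade.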