[tcpdump-workers] Official patches for CVE-2014-8767/CVE-2014-8768/CVE-2014-8769?

Romain Francoise rfrancoise at debian.org
Fri Nov 21 17:01:15 EST 2014


On Fri, Nov 21, 2014 at 03:47:06PM -0500, Michael Richardson wrote:
> It's supposed to happen, but I'm checking.
> Should be there now.  Is cron failing to do it's thing?

Ok, the fixes still aren't on master, but now there's a tcpdump-4.7
branch with the commits I need.

So I apparently need all of these?

3f5693a 10 days ago Guy Harris Report a too-long unreachable destination list.
54d2912 10 days ago Guy Harris Not using offsetof() any more, so no need for <stddef.h>.
e302ff0 10 days ago Guy Harris Further cleanups.
3e8a443 10 days ago Guy Harris Clean up error message printing.
ab4e52b 10 days ago Guy Harris Add initial bounds check, get rid of union aodv.
4038f83 10 days ago Guy Harris Do more bounds checking and length checking.
9255c9b 10 days ago Guy Harris Do bounds checking and length checking.

 print-aodv.c   | 481 ++++++++++++++++++++++++++-------------------------------
 print-geonet.c | 270 ++++++++++++++++++--------------
 print-olsr.c   |  56 +++++--
 3 files changed, 417 insertions(+), 390 deletions(-)

That's a lot bigger than typical security patches. :(

> It's in the tcpdump.org/beta/ directory, but I didn't want to release
> until the distros had a chance to patch.

But did you notify the distros? Because I didn't get advance notice, and
the others haven't released security updates yet either.

Thanks,
-- 
Romain Francoise <rfrancoise at debian.org>
http://people.debian.org/~rfrancoise/


More information about the tcpdump-workers mailing list