Hi Raphael,

> Thanks for the info! So the only remaining CVE would be
> https://security-tracker.debian.org/tracker/CVE-2014-9380 and
> https://security-tracker.debian.org/tracker/CVE-2014-9381 for the CVS
> dissector.

yes, I think yes.

> BTW, https://security-tracker.debian.org/tracker/CVE-2014-9376 mentions
> also ec_dhcp.c which is present in the squeeze version. Do you confirm
> that it is also unaffected?

I don't see the (opt = get_dhcp_option(DHCP_OPT_FQDN, options, end)) != NULL) in the 0.7.3, so I presume the code wasn't yet implemented (0.7.3 doesn't look for option 81 in DHCP answer)
https://github.com/Ettercap/ettercap/commit/8cda3a8cf00b9d40c50c8b3408782b43d3bea062
(introduced support on 0.7.6, May 2013)

> And also https://security-tracker.debian.org/tracker/CVE-2014-9378
> mentions ec_imap.c which is present in the squeeze version. Do you also
> confirm that it is unaffected?

it shouldn't be, since the "if (!strcmp(s->data, "PLAIN")) {" method seems to be not implemented yet in 0.7.3
https://github.com/Ettercap/ettercap/commit/35289f8789e6c31644954cbdfbe1bdda101e97b3
introduced around 29 Sep 2011 and v0.7.5 introduced around 29 Sep 2011

HTH

cheers,

Gianfranco