On Mon, 9 Dec 2019 at 19:42, <bugzilla-dae...@wireshark.org> wrote:

> Comment # 5 <https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16265#c5> on bug 16265 <https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16265> from Christopher Maynard <christopher.mayn...@igt.com>
>
> (In reply to Pascal Quantin from comment #2 <https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16265#c2>)
> > If you are aware of security issues with the packages we bundle, please let
> > us know and we will see what we can do. Otherwise we generally do not update
> > the libraries in the stable version.
>
> Here's what I've found:
> =======================
> The Gtk+ 2-24 release notes can be found here: https://gitlab.gnome.org/GNOME/gtk/blob/gtk-2-24/NEWS. There is 1 CVE listed, although there are numerous bug fixes including for crashes.
>
> The Glib release notes can be found here: https://gitlab.gnome.org/GNOME/glib/blob/master/NEWS. There are 4 CVEs listed, 1 of which is fixed in the 2.61.2 release, which is after the 2.52 release. Obviously, there have been numerous bug fixes including for crashes as well.
>
> The latest Kerberos for Windows (https://web.mit.edu/kerberos/dist/) version is 4.1 based on MIT krb5 1.13, whereas 3.2.2 was based on 1.6.3. Historical releases can be found here: https://web.mit.edu/kerberos/dist/historic.html. It isn't quite as easy to review the changes for this project, but there are CVEs listed for this project too. (NOTE: I only looked at the CHANGES for 1.13.0, but I count a total of 39 releases after 1.6.3 up to and including 1.13.0.)
>
> The libxml2 changelog is here: https://gitlab.gnome.org/GNOME/libxml2/blob/master/ChangeLog. I believe version 2.9.10 was released a month ago; it's unclear to me if there were any CVEs fixed in this release.
>
> The Lua Binaries can be found at: http://luabinaries.sourceforge.net/download.html. There's 1 release newer than 5.2.4, namely 5.3.5. I didn't look for security vulnerabilities.
>
> The latest available release of nasm is 2.14.02 (with 2.14.03 in rc2 status), but that's 30 releases since 2.09.08: https://nasm.us/doc/nasmdocc.html. I don't see any CVEs mentioned, but there are numerous bug fixes, including for 4 mentioned crashes post-2.09.08.
>
> It would appear that there have been no updates to Portaudio since v19, so Wireshark 2.6 likely has the latest version: http://portaudio.com/download.html
>
> And finally, it would also appear that zlib 1.2.11 is the latest version available as well: http://www.zlib.net/
> =======================
>
> It isn't for me to judge the severity of these bugs and the impact (or non-impact) to Wireshark, but to try to bring it to the attention of the Wireshark community to decide what to do, if anything, regarding upgrading these packages (or not).
>
> (In reply to Pascal Quantin from comment #4 <https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=16265#c4>)
> > When upgrading third party packages, you take the risk of introducing new
> > bugs (and yes it happened to us with Npcap for example). So it should be
> > handled on a case by case basis IMHO, and not done systematically.
> > Any help is welcome to maintain the packages up to date of course.
>
> True, but by not upgrading, you end up deploying packages with known bugs and
> vulnerabilities.

But upgrading to our latest package is probably better :-)
> ------------------------------
> You are receiving this mail because:
> - You are watching all bug changes.
>
> ___________________________________________________________________________
> Sent via: Wireshark-bugs mailing list <wireshark-b...@wireshark.org>
> Archives: https://www.wireshark.org/lists/wireshark-bugs
> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-bugs
> mailto:wireshark-bugs-requ...@wireshark.org?subject=unsubscribe

___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives: https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
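The bundled-versus-latest comparison that comment #5 does by hand is easy to get wrong with naive string comparison (for example "2.09.08" against "2.14.02", or the nasm "2.14.03rc2" release candidate). The check below is an added example, not Wireshark project code; the version pairs are the ones quoted in the comment, the pre-release ordering rules and the `audit` function are this example's own assumptions.

```python
"""Third-party package currency check of the kind done by hand in the thread above."""
import re

# Pre-release tags sort before a final release of the same number.
_PRE = {"alpha": 0, "a": 0, "beta": 1, "b": 1, "rc": 2}
_FINAL = (99, 0)


def parse_version(text):
    """Turn '2.09.08', 'v19' or '2.14.03rc2' into a tuple that sorts correctly.

    Numeric components compare as integers (so '2.09.08' < '2.14.02'), short
    versions are zero-padded ('1.13' == '1.13.0'), and a pre-release suffix
    sorts before the matching final release ('2.14.03rc2' < '2.14.03').
    """
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)(?:[-.]?(alpha|beta|rc|a|b)(\d*))?",
                     text.strip(), re.I)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(n) for n in m.group(1).split("."))
    nums = nums + (0,) * (4 - len(nums))
    pre = (_PRE[m.group(2).lower()], int(m.group(3) or 0)) if m.group(2) else _FINAL
    return nums, pre


# Bundled version vs. newest release, as reported in comment #5 (constructed from that text).
BUNDLED = {
    "GLib":       ("2.52",    "2.61.2"),
    "krb5 (KfW)": ("1.6.3",   "1.13"),
    "Lua":        ("5.2.4",   "5.3.5"),
    "nasm":       ("2.09.08", "2.14.02"),
    "zlib":       ("1.2.11",  "1.2.11"),
}


def audit(packages):
    """Return the names of packages whose bundled version lags the newest known release."""
    return sorted(name for name, (have, latest) in packages.items()
                  if parse_version(have) < parse_version(latest))


if __name__ == "__main__":
    for name in audit(BUNDLED):
        have, latest = BUNDLED[name]
        print(f"{name}: bundled {have}, newest {latest}")
```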