Synopsis: Moderate: wireshark security, bug fix, and enhancement update
Issue Date: 2013-01-08
CVE Numbers: CVE-2011-1959 CVE-2011-2175 CVE-2011-1958 CVE-2011-2698 CVE-2011-4102 CVE-2012-0041 CVE-2012-0042 CVE-2012-0066 CVE-2012-0067 CVE-2012-4285 CVE-2012-4289 CVE-2012-4291 CVE-2012-4290
--

A heap-based buffer overflow flaw was found in the way Wireshark handled Endace ERF (Extensible Record Format) capture files. If Wireshark opened a specially-crafted ERF capture file, it could crash or, possibly, execute arbitrary code as the user running Wireshark. (CVE-2011-4102)

Several denial of service flaws were found in Wireshark. Wireshark could crash or stop responding if it read a malformed packet off a network, or opened a malicious dump file. (CVE-2011-1958, CVE-2011-1959, CVE-2011-2175, CVE-2011-2698, CVE-2012-0041, CVE-2012-0042, CVE-2012-0066, CVE-2012-0067, CVE-2012-4285, CVE-2012-4289, CVE-2012-4290, CVE-2012-4291)

This update also fixes the following bugs:

* When Wireshark starts with the X11 protocol being tunneled through an SSH connection, it automatically prepares its capture filter to omit the SSH packets. If the SSH connection was to a link-local IPv6 address including an interface name (for example ssh -X [ipv6addr]%eth0), Wireshark parsed this address erroneously, constructed an incorrect capture filter and refused to capture packets. The "Invalid capture filter" message was displayed. With this update, parsing of link-local IPv6 addresses is fixed and Wireshark correctly prepares a capture filter to omit SSH packets over a link-local IPv6 connection.

* Previously, Wireshark's column editing dialog malformed column names when they were selected. With this update, the dialog is fixed and no longer breaks column names.

* Previously, TShark, the console packet analyzer, did not properly analyze the exit code of Dumpcap, Wireshark's packet capturing back end. As a result, TShark returned exit code 0 when Dumpcap failed to parse its command-line arguments. In this update, TShark correctly propagates the Dumpcap exit code and returns a non-zero exit code when Dumpcap fails.

* Previously, the TShark "-s" (snapshot length) option worked only for a value greater than 68 bytes. If a lower value was specified, TShark captured just 68 bytes of incoming packets. With this update, the "-s" option is fixed and sizes lower than 68 bytes work as expected.

This update also adds the following enhancement:

* In this update, support for the "NetDump" protocol was added.

All running instances of Wireshark must be restarted for the update to take effect.
--

SL5
  x86_64
    wireshark-1.0.15-5.el5.x86_64.rpm
    wireshark-debuginfo-1.0.15-5.el5.x86_64.rpm
    wireshark-gnome-1.0.15-5.el5.x86_64.rpm
  i386
    wireshark-1.0.15-5.el5.i386.rpm
    wireshark-debuginfo-1.0.15-5.el5.i386.rpm
    wireshark-gnome-1.0.15-5.el5.i386.rpm

- Scientific Linux Development Team
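A link-local IPv6 address with an interface name such as %eth0, as in the capture filter bug fixed above, has to be split before the address is placed in a filter expression. The following is an added example, not Wireshark's code: the function names, the constructed sample value, the use of an SSH_CONNECTION-style string ("client_addr client_port server_addr server_port") and the filter layout are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample in sshd's SSH_CONNECTION layout:
# "client_addr client_port server_addr server_port"
SAMPLE = "fe80::1%eth0 51234 fe80::2%eth0 22"

def split_zone(addr):
    """Split 'fe80::1%eth0' into ('fe80::1', 'eth0'); zone is None if absent."""
    host, sep, zone = addr.partition("%")
    return host, (zone if sep else None)

def ssh_exclusion_filter(ssh_connection):
    """Return a capture filter that omits the SSH session itself.

    The filter layout is an assumption for illustration, not Wireshark's own.
    """
    fields = ssh_connection.split()
    if len(fields) != 4:
        raise ValueError("expected 4 fields, got %d" % len(fields))
    clauses = []
    for addr, port in (fields[0:2], fields[2:4]):
        host, _zone = split_zone(addr)   # zone names an interface, not a host
        ip = ipaddress.ip_address(host)  # ValueError on a malformed address
        port_no = int(port)              # ValueError on a non-numeric port
        if not 0 < port_no < 65536:
            raise ValueError("port out of range: %r" % port)
        family = "ip6" if ip.version == 6 else "ip"
        clauses.append("tcp port %d and %s host %s" % (port_no, family, ip))
    return "not (" + " and ".join(clauses) + ")"

if __name__ == "__main__":
    print(ssh_exclusion_filter(SAMPLE))
```

Rejecting malformed input with an exception, rather than emitting a filter built from unparsed text, keeps a bad address from turning into a filter the capture back end refuses.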