| laki | Hey, I have a question regarding Ubuntu CVE definitions and their affected versions. Do not-affected statuses for a particular distro version mean that no version was ever vulnerable released in that distro, or just that at the time of the CVE release the most recent version of the package on a particular distro version was not affected? For example, take `CVE-2010-4300` for wireshark; for | 13:11 |
|---|---|---|
| -ubottu:#ubuntu-security- Heap-based buffer overflow in the dissect_ldss_transfer function (epan/dissectors/packet-ldss.c) in the LDSS dissector in Wireshark 1.2.0 through 1.2.12 and 1.4.0 through 1.4.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an LDSS packet with a long digest line that triggers memory corruption. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4300> | 13:11 | |
| laki | `natty` it notes that the distro is not affected, with the note `1.4.2-1` (which I assume was the most recent version of the package), but `natty` also had versions 1.2.11-2 and 1.2.11-3 released. The 1.2.11-2 version was vulnerable on `maverick`, so I assume it was also vulnerable on `natty` as well? In that sense, I assume that the "not vulnerable" status does not imply that no version | 13:11 |
| laki | was ever vulnerable on that distro? | 13:11 |
| ebarretto | laki: natty started with wireshark 1.4.2-1 | 13:17 |
| ebarretto | the not-affected is the view from the user. If you jump from any previous releases to natty, you are not vulnerable because the first version there is already either patched or doesn't contain the vulnerable code on it anymore | 13:18 |
| laki | ebarretto: Thanks. Does that mean that even though a build does seem to exist in the "release" pocket in natty does not mean it was actually released in the repos? For example, looking at the following build, what am I missing? https://answers.launchpad.net/ubuntu/+source/wireshark/1.2.11-3/+build/2006485 | 13:19 |
| ebarretto | laki: what goes to the release pocket is the last version before the publishing date | 13:20 |
| ebarretto | which no one will have access unless they are using a release during development cycle, which already is not production nor supported | 13:21 |
| ebarretto | only for those that want to contribute, test and help improve it in general | 13:21 |
| laki | ebarretto: are you reffering to the development cycle and release date of the distro? Does that mean that every package released in the release pocket after say April 28, 2011 (when natty was released) actually ended up in the official, non testing/development repositories? | 13:24 |
| laki | So, in order to get all package versions released for the distro I would only have to filter out all packages in the "release" pocket after the release date of the distro? | 13:25 |
| laki | and since the build date for this version is 2010-10-17 it means that the versions was only on natty during the development/testing phase? | 13:26 |
| laki | sorry for the barrage of questions, i'm just trying to figure out how it all fits together. | 13:26 |
| ebarretto | not sure I understood your question or what you are trying to do | 13:28 |
| laki | in essence, I'm just trying to understand how to find all the versions for a given package which was released on a particular distro. For example, all wireshark versions which were released for natty. | 13:30 |
| laki | I thought I could only query the API and get all versions in the "release" pocket, but I guess that proved to be wrong? | 13:30 |
| ebarretto | laki: it depends on what you want to cover | 13:31 |
| ebarretto | for the release pocket, if you want to know what was supported, you must consider only the last version | 13:31 |
| ebarretto | if you want the complete package history for any other reason, then you should get all the versions as you seem to be doing | 13:31 |
| laki | i'm trying to get all versions which were released during the lifetime of the distro. | 13:32 |
| ebarretto | and do you consider development cycle part of the lifetime of the distro? | 13:33 |
| laki | if the distro was not yet released, no | 13:33 |
| ebarretto | then you can just use the latest version of packages in the release pocket :) | 13:34 |
| laki | meaning, every version of the package you could have installed from the moment the distro was officially released up until the support was dropped, from official non-testing/development repositories | 13:34 |
| ebarretto | because that's what ultimately went into the ISO and what people had installed in day 1 | 13:34 |
| laki | interesting, seems I got it all wrong then. So from day one, no other versions of the package ended up in the release pocket? as in, new non-security wireshark updates? | 13:36 |
| laki | would all future updates go in some other pockets, say update or security pockets? | 13:36 |
| ebarretto | laki: https://canonical-ubuntu-packaging-guide.readthedocs-hosted.com/en/latest/explanation/archive/#release | 13:37 |
| laki | i'll also have to get going now and will return in an hour or so, but I really appreciate the help! | 13:37 |
| laki | cool, I was just wondering where all that stuff is documented, so I'll read up on it | 13:38 |
| ebarretto | np | 13:38 |
| laki | ebarretto: hey, I just checked out the documentation and it seems I was dead wrong in my interpretation of the pockets. However, for wireshark in natty, I also found this release, which seems to be latest released version in natty, but it's not the 1.4.2-1 I was expecting, but rather 1.4.6-1: https://api.launchpad.net/devel/ubuntu/+archive/primary/+sourcepub/1674863. | 16:18 |
| ebarretto | laki: yeah, that seems to be the case | 16:22 |
| laki | ebarretto: i have become confusion - does that mean that the ISO shipped with 1.4.6-1 on day one? | 16:25 |
| ebarretto | laki: it seems so | 16:27 |
| laki | Do you perhaps know why the note at https://git.launchpad.net/ubuntu-cve-tracker/tree/retired/CVE-2010-4300 notes the 1.4.2-1 version for natty, in that case? Is it becase 1.4.2-1 was the last release version for development natty when the CVE was published? | 16:30 |
| -ubottu:#ubuntu-security- Heap-based buffer overflow in the dissect_ldss_transfer function (epan/dissectors/packet-ldss.c) in the LDSS dissector in Wireshark 1.2.0 through 1.2.12 and 1.4.0 through 1.4.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an LDSS packet with a long digest line that triggers memory corruption. <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4300> | 16:30 | |
| ebarretto | that was probably the version at the time during development cycle | 16:31 |
| ebarretto | if you check cves, there's always a devel line for each package | 16:31 |
| ebarretto | natty was probably the devel at the time and since them that was the status given | 16:32 |
| ebarretto | we wouldn't touch it anymore unless there was a mistake | 16:32 |
| laki | i guess that makes sense, thanks! | 16:32 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!