tcpdump missing some CVEs
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| tcpdump (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
| Lucid |
Won't Fix
|
Medium
|
Unassigned | ||
| Precise |
Fix Released
|
Medium
|
Unassigned | ||
| Trusty |
Fix Released
|
Medium
|
Unassigned | ||
| Utopic |
Fix Released
|
Medium
|
Unassigned | ||
Bug Description
Seeing:
http://
"before 4.7.2 [..] denial of service (crash) and possibly execute arbitrary code"
it seems the fix has not been applied.
There is also CVE-2015-2153 and more (possibly):
https:/
I was looking into this tcpdump out of curiosity as I have this:
Changes for tcpdump versions:
Installed version: 4.5.1-2ubuntu1
Available version: 4.5.1-2ubuntu1.1
The CVE(s) I listed do not seem to be there. I guess I do not need to be very worried about those missing or the CVEs I get in the fix as/if I do not use tcpdump. My understanding is right that it is only a monitoring tool and *I* need to run it and then an attacker could attack me (the system would never have to start it?!)?
Anyway, others might be worried about these things or should. In 14.04, the version number 4.5.1, is that something to worry about? I *assume* "before 4.7.2" means all those upstream versions are not fixed, but Ubuntu backports/fixes them?
| description: | updated |
| information type: | Private Security → Public Security |
| Seth Arnold (seth-arnold) wrote | #1 |
| Changed in tcpdump (Ubuntu): | |
| status: | New → Fix Released |
| Changed in tcpdump (Ubuntu Lucid): | |
| status: | New → Confirmed |
| Changed in tcpdump (Ubuntu Precise): | |
| status: | New → Confirmed |
| Changed in tcpdump (Ubuntu Trusty): | |
| status: | New → Confirmed |
| Changed in tcpdump (Ubuntu Utopic): | |
| status: | New → Confirmed |
| Changed in tcpdump (Ubuntu Lucid): | |
| importance: | Undecided → Medium |
| Changed in tcpdump (Ubuntu Precise): | |
| importance: | Undecided → Medium |
| Changed in tcpdump (Ubuntu Trusty): | |
| importance: | Undecided → Medium |
| Changed in tcpdump (Ubuntu Utopic): | |
| importance: | Undecided → Medium |
| Launchpad Janitor (janitor) wrote | #2 |
| Changed in tcpdump (Ubuntu Utopic): | |
| status: | Confirmed → Fix Released |
| Launchpad Janitor (janitor) wrote | #3 |
| Changed in tcpdump (Ubuntu Trusty): | |
| status: | Confirmed → Fix Released |
| Launchpad Janitor (janitor) wrote | #4 |
| Changed in tcpdump (Ubuntu Precise): | |
| status: | Confirmed → Fix Released |
| Rolf Leggewie (r0lf) wrote | #5 |
| Changed in tcpdump (Ubuntu Lucid): | |
| status: | Confirmed → Won't Fix |
Hello,
Please note that Ubuntu, much like Debian, SuSE, and Red Hat, backport security fixes to the versions that we have shipped, so comparing version numbers alone isn't a reliable way to determine which vulnerabilities, if any, are still open for a given package. For more information, see our FAQ and Debian's FAQ entries (the Debian faq doesn't apply directly, but I like this specific entry.) https:/
You can see that this CVE is still not handled yet:
http://
and that tcpdump has several more known security issues that need to be fixed:
http://
Our CVE tracking database can be queried at http://
We can't fix every issue immediately, and we have to prioritize our work based on the severity of the issue and how common the tools are, how much user interaction might be necessary to make exploits work. etc.
Thanks