TCPDump Version
J Fernyhough
j.fernyhough at gmail.com
Sat Feb 4 10:29:52 UTC 2017
On 04/02/17 10:16, Robie Basak wrote:
> Therefore you
> cannot use the upstream version number as an indicator of whether
> security vulnerabilities exist or not in any distribution package.
>
To expand again for this particular instance, the package can be checked
at (e.g.): http://packages.ubuntu.com/xenial/tcpdump
The changelog is linked in the right-hand menu, for which the latest
entry is:
> tcpdump (4.7.4-1ubuntu1) wily; urgency=low
>
>   * Merge from Debian unstable. (LP: #1460170) Remaining changes:
>     - debian/{control, README.Debian, tcpdump.dirs, usr.sbin.tcpdump,
>       install, rules, patches/patches/90_man_apparmor.diff}:
>       + Add AppArmor profile.
>     - debian/usr.sbin.tcpdump:
>       + Allow capability net_admin to support '-j'.
>     - Drop 60_cve-2015-2153-fix-regression.diff: upstream
>
>  -- Gianfranco Costamagna <costamagnagianfranco at yahoo.it>  Fri, 29 May 2015 20:13:33 +0200
Hence the repo version is vulnerable to various CVEs (e.g.
https://www.debian.org/security/2017/dsa-3775, and one example
specifically for < 4.9.0:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7936).
J
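As an added example (not code from the thread or from the tcpdump/Ubuntu packaging), a small Python parser that pulls the package version and any CVE identifiers out of a Debian-format changelog entry like the one quoted above. It splits the version into epoch, upstream part and distro revision, since only the upstream part is comparable with an upstream release number, while a distro security fix usually shows up only in the revision and in the changelog text; the sample input is the changelog entry quoted in the mail.

```python
import re

# Debian changelog header: "<package> (<version>) <distribution>; urgency=<level>"
_HEADER = re.compile(
    r"^(?P<pkg>\S+) \((?P<version>[^)]+)\) (?P<dist>\S+); urgency=(?P<urgency>\S+)$")
_CVE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

# Sample input: the changelog entry quoted in the message above.
SAMPLE_CHANGELOG = """\
tcpdump (4.7.4-1ubuntu1) wily; urgency=low

  * Merge from Debian unstable. (LP: #1460170) Remaining changes:
    - debian/{control, README.Debian, tcpdump.dirs, usr.sbin.tcpdump,
      install, rules, patches/patches/90_man_apparmor.diff}:
      + Add AppArmor profile.
    - debian/usr.sbin.tcpdump:
      + Allow capability net_admin to support '-j'.
    - Drop 60_cve-2015-2153-fix-regression.diff: upstream

 -- Gianfranco Costamagna <costamagnagianfranco at yahoo.it>  Fri, 29 May 2015 20:13:33 +0200
"""


def split_debian_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision).
    Only 'upstream' maps to an upstream release; distro fixes live in 'revision'."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, _, revision = rest.rpartition("-")
    if not upstream:  # no '-' at all: native package, no distro revision
        upstream, revision = rest, ""
    return epoch, upstream, revision


def parse_changelog(text):
    """Return one dict per entry: package, version, distribution and the
    set of CVE ids mentioned anywhere in that entry's body."""
    entries, current = [], None
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            current = {"package": m["pkg"], "version": m["version"],
                       "distribution": m["dist"], "cves": set()}
            entries.append(current)
        elif current is not None:
            current["cves"].update(c.upper() for c in _CVE.findall(line))
    return entries


def changelog_mentions_cve(text, cve_id):
    """True if any entry in the changelog names the given CVE (case-insensitive)."""
    return any(cve_id.upper() in e["cves"] for e in parse_changelog(text))
```

A CVE mentioned in a changelog is only a claim that the packager addressed it; the distribution's security tracker and the DSA/USN text remain the authoritative record.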