* Tcpdump security update
@ 2017-01-30 20:03 Leo Famulari
2017-01-30 20:11 ` Marius Bakke
2017-01-30 20:16 ` Marius Bakke
0 siblings, 2 replies; 4+ messages in thread
From: Leo Famulari @ 2017-01-30 20:03 UTC (permalink / raw)
To: guix-devel
[-- Attachment #1.1: Type: text/plain, Size: 343 bytes --]
I communicated with the tcpdump team and verified that the Debian
tarball provides the same data (same SHA256 hash) as what's provided
directly by upstream. But the upstream link is still considered private
so I'm using the Debian source URL as a courtesy.
The Debian security advisory is here:
https://www.debian.org/security/2017/dsa-3775
[-- Attachment #1.2: 0001-gnu-tcpdump-Update-to-4.9.0-security-fixes.patch --]
[-- Type: text/plain, Size: 1887 bytes --]
From 06b23b7747dedf6fc2386b3fc86bc459999ffa88 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Mon, 30 Jan 2017 14:50:23 -0500
Subject: [PATCH] gnu: tcpdump: Update to 4.9.0 [security fixes].
Fixes CVE-2016-{7922,7923,7924,7925,7926,7927,7928,7929,7930,7931,7932,7933
7934,7935,7936,7937,7938,7939,7940,7973,7974,7975,7983,7984,7985,7986,7992,7993,
8574,8575} and CVE-2017-{5202,5203,5204,5205,5341,5342,5482,5483,5484,5485,
5486}.
* gnu/packages/admin.scm (tcpdump): Update to 4.9.0.
[source]: Add alternate URL.
---
gnu/packages/admin.scm | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/gnu/packages/admin.scm b/gnu/packages/admin.scm
index 12aa9e70a..cf229f1d3 100644
--- a/gnu/packages/admin.scm
+++ b/gnu/packages/admin.scm
@@ -633,14 +633,18 @@ network statistics collection, security monitoring, network debugging, etc.")
(define-public tcpdump
(package
(name "tcpdump")
- (version "4.7.4")
+ (version "4.9.0")
(source (origin
(method url-fetch)
- (uri (string-append "http://www.tcpdump.org/release/tcpdump-"
- version ".tar.gz"))
+ (uri
+ (list
+ (string-append "http://http.debian.net/debian/pool/main/t/"
+ name "/" name "_" version ".orig.tar.gz")
+ (string-append "http://www.tcpdump.org/release/tcpdump-"
+ version ".tar.gz")))
(sha256
(base32
- "1byr8w6grk08fsq0444jmcz9ar89lq9nf4mjq2cny0w9k8k21rbb"))))
+ "0pjsxsy8l71i813sa934cwf1ryp9xbr7nxwsvnzavjdirchq3sga"))))
(build-system gnu-build-system)
(inputs `(("libpcap" ,libpcap)
("openssl" ,openssl)))
--
2.11.0
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: Tcpdump security update
2017-01-30 20:03 Tcpdump security update Leo Famulari
@ 2017-01-30 20:11 ` Marius Bakke
2017-01-30 20:16 ` Marius Bakke
1 sibling, 0 replies; 4+ messages in thread
From: Marius Bakke @ 2017-01-30 20:11 UTC (permalink / raw)
To: Leo Famulari, guix-devel
[-- Attachment #1: Type: text/plain, Size: 1004 bytes --]
Leo Famulari <leo@famulari.name> writes:
> I communicated with the tcpdump team and verified that the Debian
> tarball provides the same data (same SHA256 hash) as what's provided
> directly by upstream. But the upstream link is still considered private
> so I'm using the Debian source URL as a courtesy.
Thanks for doing that! Please add a comment with the Debian URL
specifying that it's temporary due to this fix. Otherwise LGTM.
> The Debian security advisory is here:
>
> https://www.debian.org/security/2017/dsa-3775
> From 06b23b7747dedf6fc2386b3fc86bc459999ffa88 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Mon, 30 Jan 2017 14:50:23 -0500
> Subject: [PATCH] gnu: tcpdump: Update to 4.9.0 [security fixes].
>
> Fixes CVE-2016-{7922,7923,7924,7925,7926,7927,7928,7929,7930,7931,7932,7933
> 7934,7935,7936,7937,7938,7939,7940,7973,7974,7975,7983,7984,7985,7986,7992,7993,
> 8574,8575} and CVE-2017-{5202,5203,5204,5205,5341,5342,5482,5483,5484,5485,
> 5486}.
Wow!
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Tcpdump security update
2017-01-30 20:03 Tcpdump security update Leo Famulari
2017-01-30 20:11 ` Marius Bakke
@ 2017-01-30 20:16 ` Marius Bakke
2017-01-30 20:51 ` Leo Famulari
1 sibling, 1 reply; 4+ messages in thread
From: Marius Bakke @ 2017-01-30 20:16 UTC (permalink / raw)
To: Leo Famulari, guix-devel
[-- Attachment #1: Type: text/plain, Size: 722 bytes --]
Oops, missed a little detail:
Leo Famulari <leo@famulari.name> writes:
> (source (origin
> (method url-fetch)
> - (uri (string-append "http://www.tcpdump.org/release/tcpdump-"
> - version ".tar.gz"))
> + (uri
> + (list
> + (string-append "http://http.debian.net/debian/pool/main/t/"
> + name "/" name "_" version ".orig.tar.gz")
> + (string-append "http://www.tcpdump.org/release/tcpdump-"
> + version ".tar.gz")))
Perhaps a (file-name) field should be added here, since the two URLs
provide different file names?
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 487 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: Tcpdump security update
2017-01-30 20:16 ` Marius Bakke
@ 2017-01-30 20:51 ` Leo Famulari
0 siblings, 0 replies; 4+ messages in thread
From: Leo Famulari @ 2017-01-30 20:51 UTC (permalink / raw)
To: Marius Bakke; +Cc: guix-devel
[-- Attachment #1: Type: text/plain, Size: 950 bytes --]
On Mon, Jan 30, 2017 at 09:16:08PM +0100, Marius Bakke wrote:
>
> Oops, missed a little detail:
>
> Leo Famulari <leo@famulari.name> writes:
> > (source (origin
> > (method url-fetch)
> > - (uri (string-append "http://www.tcpdump.org/release/tcpdump-"
> > - version ".tar.gz"))
> > + (uri
> > + (list
> > + (string-append "http://http.debian.net/debian/pool/main/t/"
> > + name "/" name "_" version ".orig.tar.gz")
> > + (string-append "http://www.tcpdump.org/release/tcpdump-"
> > + version ".tar.gz")))
>
> Perhaps a (file-name) field should be added here, since the two URLs
> provide different file names?
Thank you for the good suggestions and the quick review!
Pushed as af7d72b16c7652e9ddc3c441017de5c9bb9205f2
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2017-01-30 20:52 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-01-30 20:03 Tcpdump security update Leo Famulari
2017-01-30 20:11 ` Marius Bakke
2017-01-30 20:16 ` Marius Bakke
2017-01-30 20:51 ` Leo Famulari
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).