Wireshark-dev: Re: [Wireshark-dev] [Wireshark-bugs] [Bug 16265] Some Windows packages need upda

From: Anders Broman <a.broman58@xxxxxxxxx>
Date: Mon, 9 Dec 2019 20:53:06 +0100


On Mon, 9 Dec 2019 19:42 <bugzilla-daemon@xxxxxxxxxxxxx> wrote:

Comment # 5 on bug 16265 from Christopher Maynard
(In reply to Pascal Quantin from comment #2)
> If you are aware of security issues with the packages we bundle, please let
> us know and we will see what we can do. Otherwise we generally do not update
> the libraries in the stable version.

Here's what I've found:
=======================
The Gtk+ 2-24 release notes can be found here:
https://gitlab.gnome.org/GNOME/gtk/blob/gtk-2-24/NEWS.  There is 1 CVE listed,
although there are numerous bug fixes including for crashes.

The Glib release notes can be found here:
https://gitlab.gnome.org/GNOME/glib/blob/master/NEWS.  There are 4 CVEs
listed, 1 of which is fixed in the 2.61.2 release, which is after the 2.52
release.  Obviously, there have been numerous bug fixes including for crashes
as well.

The latest Kerberos for Windows (https://web.mit.edu/kerberos/dist/) version is
4.1 based on MIT krb5 1.13, whereas 3.2.2 was based on 1.6.3.  Historical
releases can be found here: https://web.mit.edu/kerberos/dist/historic.html.
It isn't quite as easy to review the changes for this project, but there are
CVEs listed for this project too.  (NOTE: I only looked at the CHANGES for
1.13.0, but I count a total of 39 releases after 1.6.3 up to and including
1.13.0.)

The libxml2 changelog is here:
https://gitlab.gnome.org/GNOME/libxml2/blob/master/ChangeLog.  I believe
version 2.9.10 was released a month ago; it's unclear to me if there were any
CVEs fixed in this release.

The Lua Binaries can be found at:
http://luabinaries.sourceforge.net/download.html.  There's 1 release newer than
5.2.4, namely 5.3.5.  I didn't look for security vulnerabilities.

The latest available release of nasm is 2.14.02 (with 2.14.03 in rc2 status),
but that's 30 releases since 2.09.08: https://nasm.us/doc/nasmdocc.html.  I
don't see any CVEs mentioned, but there are numerous bug fixes, including for
4 mentioned crashes post-2.09.08.

It would appear that there have been no updates to Portaudio since v19, so
Wireshark 2.6 likely has the latest version: http://portaudio.com/download.html

And finally, it would also appear that zlib 1.2.11 is the latest version
available as well: http://www.zlib.net/
=======================

It isn't for me to judge the severity of these bugs and the impact (or
non-impact) to Wireshark, but to try to bring it to the attention of the
Wireshark community to decide what to do, if anything, regarding upgrading
these packages (or not).

(In reply to Pascal Quantin from comment #4)
> When upgrading third party packages, you take the risk of introducing new
> bug (and yes it happened to us with Npcap for example). So it should be
> handled on a case by case basis IMHO, and not done systematically.
> Any help is welcome to maintain the packages up to date of course.

True, but by not upgrading, you end up deploying packages with known bugs and
vulnerabilities.
But upgrading to our latest package is probably better :-)
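As an added illustration (not part of the thread and not Wireshark project code), the kind of version-lag check a maintainer could run over the bundled/upstream pairs Chris lists above. The inventory is constructed from the versions named in the thread only; the parser treats components numerically so that "2.09.08" sorts below "2.14.02" and a release candidate such as "2.14.03rc2" sorts below the final "2.14.03".

```python
import re

# Constructed inventory: (bundled in the Wireshark 2.6 Windows build, newest
# upstream release) as reported in the bug comment above. Only packages for
# which both numbers appear in the thread are included; nothing is fetched.
INVENTORY = {
    "glib": ("2.52",    "2.61.2"),
    "krb5": ("1.6.3",   "1.13"),
    "lua":  ("5.2.4",   "5.3.5"),
    "nasm": ("2.09.08", "2.14.02"),
    "zlib": ("1.2.11",  "1.2.11"),
}

# Pre-release tags rank below a final release (rank 0) of the same number.
_PRE_RANK = {"alpha": -3, "beta": -2, "rc": -1}
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:[-.]?(alpha|beta|rc)(\d*))?")

def parse_version(text):
    """Map '2.14.03rc2' -> (2, 14, 3, 0, -1, 2) and '2.14.03' -> (2, 14, 3, 0, 0, 0).

    Numeric fields are padded to four components (assumption: no version here
    has more), so '1.13' and '1.13.0' compare equal, and leading zeros are
    dropped by int(), so '2.09.08' < '2.14.02' as intended.
    """
    m = _VERSION_RE.fullmatch(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(part) for part in m.group(1).split(".")]
    if len(nums) > 4:
        raise ValueError(f"more than four numeric components: {text!r}")
    nums += [0] * (4 - len(nums))
    pre_rank = _PRE_RANK.get(m.group(2), 0)
    pre_num = int(m.group(3) or 0)
    return (*nums, pre_rank, pre_num)

def is_outdated(bundled, upstream):
    """True when the bundled version is strictly older than upstream."""
    return parse_version(bundled) < parse_version(upstream)

def audit(inventory):
    """Return {package: (bundled, upstream)} for every package lagging upstream."""
    return {name: pair for name, pair in inventory.items() if is_outdated(*pair)}

if __name__ == "__main__":
    for name, (bundled, upstream) in sorted(audit(INVENTORY).items()):
        print(f"{name:8s} bundled {bundled:8s} upstream {upstream}")
```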
