[SECURITY] [DLA 2444-1] tcpdump security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 2444-1] tcpdump security update
From: Utkarsh Gupta <utkarsh@debian.org>
Date: Tue, 10 Nov 2020 20:41:58 +0530
Message-id: <[🔎] CAPP0f94SRfoTMQVLzcL6cX9NSh92PE+nOn-DxneaWx0RwiRYfw@mail.gmail.com>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -----------------------------------------------------------------------
Debian LTS Advisory DLA-2444-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
November 10, 2020                           https://wiki.debian.org/LTS
- -----------------------------------------------------------------------

Package        : tcpdump
Version        : 4.9.3-1~deb9u2
CVE ID         : CVE-2020-8037
Debian Bug     : 973877

The ppp de-capsulator in tcpdump 4.9.3 can be convinced to allocate
a large amount of memory.

The buffer should be big enough to hold the captured data, but it
doesn’t need to be big enough to hold the entire on-the-network
packet, if we haven’t captured all of it.

For Debian 9 stretch, this problem has been fixed in version
4.9.3-1~deb9u2.

We recommend that you upgrade your tcpdump packages.

For the detailed security status of tcpdump please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/tcpdump

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAl+qq9wACgkQgj6WdgbD
S5ab6xAA6YGCXh0bjWynxopOgyHSVTGKOOLyjm5TZmeD56SHu2QV3cwmtuU1gHRE
dZXqGKYBn4TDLifoEqxmzJfYcTTYc7RD+/kfAF1AuhyZjp4PutP7z4LnsD3fCXpd
xroJGSwMIPTZu8vJhFzbeD+KJsgBmLllLAZDN44kg21pEdFb7hTLFhy0JXAGMEnd
9BSygQgG3qY8YDVqsIhqT/ONr2HHui9ZNaEJeHsaO95ZeQkURK0Z563K+/DO7bQI
OVt6QYdOIg6HQbgBCCzNkIK8pog/pP2CEb8ztOAlRtQLIa55JNxcpSW7agTc/mkH
pO86WQJo4mLz1fQCy97rJsTpVTti6tAJyAtU4qpH7Yhyg9PPj12cD5g2ol56VH8K
aSSepgHKg4UdIagwIhw372kQE7VMNHvPy1/eKJKpj2/l4ARwWpXEn1fjhQvdReXv
kcKfcJ00XaEA00W0zqZZAmvIf5oJ4149j42pkSV5eHqNYHJKIcV46ORAU9xuJClB
ldRwJ3hiR7lb85ejQxwx+msgBMSaKN66quWyeLtGtO450YxC4xzLaVlqKn2LIGjk
bsFPSp0nhqAR83aHSE8Kq4Q8u8A4kPOWPy5MaDmevzRlP7SE1baj9vFnDdYpx7d+
0lI43Nyc89uqlXD8tNSQ7CFGQtVeKHdFxKvNswhr4c7aIyHzrRs=
=810P
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 2443-1] zeromq3 security update
Next by Date: [SECURITY] [DLA 2445-1] libmaxminddb security update
Previous by thread: [SECURITY] [DLA 2443-1] zeromq3 security update
Next by thread: [SECURITY] [DLA 2445-1] libmaxminddb security update
Index(es):
- Date
- Thread