+++ This bug was initially created as a clone of Bug #189906 +++ Ethereal 0.99.0 has been released which fixes multiple issues. The release information can be found here: http://www.ethereal.com/appnotes/enpa-sa-00023.html These issues should also affect RHEL2 and RHEL3 -- Additional comment from bugzilla on 2006-05-03 12:28 EST -- An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2006-0420.html
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Here are updated packages to QA. afa6f2afd499f28c84a58ce4ee2f430dd02351a5 7.3/ethereal-0.99.0-0.73.1.legacy.src.rpm bc8193f9c0b8a25230e3550a83690e329d82168c 9/ethereal-0.99.0-0.90.1.legacy.src.rpm 57bc4f26640447d891e80d86e99198bd45546176 1/ethereal-0.99.0-1.FC1.1.legacy.src.rpm 57eb0b6890f0cf4906a1bd774b72bf666d7c6bec 2/ethereal-0.99.0-1.FC2.1.legacy.src.rpm 15a68c9ebe8304d0a639d24837814d1828b817a6 3/ethereal-0.99.0-1.FC3.1.legacy.src.rpm Downloads: http://www.infostrategique.com/linuxrpms/legacy/7.3/ethereal-0.99.0-0.73.1.legacy.src.rpm http://www.infostrategique.com/linuxrpms/legacy/9/ethereal-0.99.0-0.90.1.legacy.src.rpm http://www.infostrategique.com/linuxrpms/legacy/1/ethereal-0.99.0-1.FC1.1.legacy.src.rpm http://www.infostrategique.com/linuxrpms/legacy/2/ethereal-0.99.0-1.FC2.1.legacy.src.rpm http://www.infostrategique.com/linuxrpms/legacy/3/ethereal-0.99.0-1.FC3.1.legacy.src.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) iD8DBQFEZTEpLMAs/0C4zNoRAuZxAKDAbMe9WanWs3SEsferE4siey+wTACfUXVE E0caHMj0dZncz4GoA3yv9bo= =0rkj -----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 QA w/ rpm-build-compare.sh: - source integrity good - spec file changes minimal - patches (where applicable) verified to come from RHEL +PUBLISH RHL73, RHL9, FC1, FC2, FC3 afa6f2afd499f28c84a58ce4ee2f430dd02351a5 ethereal-0.99.0-0.73.1.legacy.src.rpm bc8193f9c0b8a25230e3550a83690e329d82168c ethereal-0.99.0-0.90.1.legacy.src.rpm 57bc4f26640447d891e80d86e99198bd45546176 ethereal-0.99.0-1.FC1.1.legacy.src.rpm 57eb0b6890f0cf4906a1bd774b72bf666d7c6bec ethereal-0.99.0-1.FC2.1.legacy.src.rpm 15a68c9ebe8304d0a639d24837814d1828b817a6 ethereal-0.99.0-1.FC3.1.legacy.src.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFEaBOOGHbTkzxSL7QRApoyAKCQ7eeOoiRaMN6XaJ4yMEckmw5CmgCcD4ko K9RdtaP8Rmn7Gy3M2HYheh4= =Dvwr -----END PGP SIGNATURE-----
Building on build server... Sorry it has taken so long to start building these packages...
Peeking into the build log for RedHats 7.3, 9, and FC1 (FC2 and FC3 haven't finished building yet), <http://turbosphere.fedoralegacy.org/logs/redhat-7.3-core/145-ethereal-0.99.0-0.73.1.legacy/i386/build.log> <http://turbosphere.fedoralegacy.org/logs/redhat-9-core/146-ethereal-0.99.0-0.90.1.legacy/i386/build.log> <http://turbosphere.fedoralegacy.org/logs/fedora-1-core/147-ethereal-0.99.0-1.FC1.1.legacy/i386/build.log>, am noticing that during the ./configure phase, this comes up: checking for libgnutls-config... no checking for libgnutls - version >= 1.0.0... no *** The libgnutls-config script installed by LIBGNUTLS could not be found *** If LIBGNUTLS was installed in PREFIX, make sure PREFIX/bin is in *** your path, or set the LIBGNUTLS_CONFIG environment variable to the *** full path to libgnutls-config. echo gnuTLS not found, disabling ssl decryption Might we be missing some buildrequires here? Or is this something that has always been disabled in ethereal packages?
Oh. Just answered my own question: Author: karsten Update of /cvs/dist/rpms/ethereal/devel In directory cvs.devel.redhat.com:/tmp/cvs-serv4649 Modified Files: ethereal.spec Log Message: - add buildrequires gnutls-devel, mock builds loose gnutls support otherwise: checking for libgnutls-config... no checking for libgnutls - version >= 1.0.0... no *** The libgnutls-config script installed by LIBGNUTLS could not be found *** If LIBGNUTLS was installed in PREFIX, make sure PREFIX/bin is in *** your path, or set the LIBGNUTLS_CONFIG environment variable to the *** full path to libgnutls-config. echo gnuTLS not found, disabling ssl decryption ... %changelog +* Wed May 17 2006 Karsten Hopp <karsten redhat de> 0.99.0-2 +- add buildrequires gnutls-devel + From <http://www.redhat.com/archives/fedora-cvs-commits/2006-May/msg00941.html>, (from googling [ethereal GNUtls]). Looking at that CVS commit entry, it mentions "rpmdiff." Is that a tool we can use? I use a hacked "rpm-build-compare.sh", which may do something similar, but I was wondering if "rpmdiff" is better?
Here's the deal. Before ethereal version 0.99.0, the ability to decrypt SSL packets was not an option. From file "/usr/share/doc/ethereal-0.99.0/NEWS": o The source distribution of Ethereal now supports SSL, IPsec ESP, and ISAKMP decryption. (This feature has not yet been enabled in the Windows installer.) So it's a new feature. This new feature evidently requires the GNUtls library. However, RHL7.3, RHL9, FC1 and FC2 do not supply a GNUtls library. (Hence that diagnostic message in the ./configure phase in comment #4 & #5.) However, FC3 appears to have GNUtls available. So my proposed solution to this is that we will not support the new SSL decryption feature in RHL7.3, RHL9, FC1 and FC2. These four distros seemed to compile just fine in mock without it. For FC3, if merely adding buildrequires: gnutls-devel allows it to build with this new feature, then we can push packages with this new feature and let FC3 users play with it. We might mention in our release notes that although ethereal 0.99.0 source now has the capability to do SSL decryption, the lack of required libraries in RHL7.3, RHL9, FC1 and FC2 prevents that feature from being enabled in Legacy's builds of ethereal for those distros. We're not taking away any features users have been used to having in ethereal in these distros. We're just not enabling a new feature. Please let me know what you think. Thanks. -David
We need to migrate this to wireshark as a bunch of new issues came up.
I agree that moving to wireshark and keeping up with current versions is the only hope here. Backporting ethereal patches could be a full-time job.
OK, let's add some more issues to this while we're at it :) Several flaws were found in Wireshark's HTTP, WBXML, LDAP, and XOT protocol dissectors. Wireshark could crash or stop responding if it read a malformed packet off the network. (CVE-2006-4805, CVE-2006-5468, CVE-2006-5469, CVE-2006-5740) A single NULL byte heap based buffer overflow was found in Wireshark's MIME Multipart dissector. Wireshark could crash or possibly execute arbitrary arbitrary code as the user running Wireshark. (CVE-2006-4574) RHEL update announcement here: https://rhn.redhat.com/errata/RHSA-2006-0726.html Can someone update the summary please? Also, we'll need to add wireshark to legacy's bugzilla - I didn't see it just now.
I guess we should remove FC1 and FC2 from the list of releases to be fixed, since they are no longer supported. Are we going to support WireShark for RHL 7.3 and RHL 9?
We should try to fix it RHL as it was opened before the deadline of October. If it was a new report after October than it would not be accepted. But this ticket shows the RHL problem existed before the deadline, and hence should remain. If nothing gets resolved regarding by the December deadline then the RHL versions can be dropped at that point.
Agreed. We create new packages for RHL 7.3 and RHL 9, FC3 and FC4. Changing package name to 'wireshark', which Jesse just added to the Bugzilla database for FedoraLegacy. Thanks, Jesse! :)
Uh. Only one problem. If wireshark requires GNUtls to build, then we would need to create *new* GNUtls packages for those Red Hat and Fedora Core releases that don't already have them. To quote myself from comment #6: "Here's the deal. Before ethereal version 0.99.0, the ability to decrypt SSL packets was not an option. From file "/usr/share/doc/ethereal-0.99.0/NEWS": o The source distribution of Ethereal [ I suppose it's now wireshark??] now supports SSL, IPsec ESP, and ISAKMP decryption. (This feature has not yet been enabled in the Windows installer.) So it's a new feature. This new feature evidently requires the GNUtls library. However, RHL7.3, RHL9, ... do not supply a GNUtls library. (Hence that diagnostic message in the ./configure phase in comment #4 & #5.) However, FC3 appears to have GNUtls available. So my proposed solution to this is that we will not support the new SSL decryption feature in RHL7.3, RHL9. These releases seemed to compile just fine in mock without it. For FC3, if merely adding buildrequires: gnutls-devel allows it to build with this new feature, then we can push packages with this new feature and let FC3 users play with it. We might mention in our release notes that although ethereal 0.99.0 source now has the capability to do SSL decryption, the lack of required libraries in RHL7.3 and RHL9 prevents that feature from being enabled in Legacy's builds of ethereal for those distros. We're not taking away any features users have been used to having in ethereal in these distros. We're just not enabling a new feature." What do you think? Jeff? Eric? Marc? Matt? Anyone?
s/FC3/FC3 and FC4/ in above comment... (sorry about bugzilla-spam)
(In reply to comment #13) > So my proposed solution to this is that we will not support the new SSL > decryption feature in RHL7.3, RHL9. These releases seemed to compile just > fine in mock without it. For FC3, if merely adding > buildrequires: gnutls-devel > allows it to build with this new feature, then we can push packages with this > new feature and let FC3 users play with it. > > We might mention in our release notes that although ethereal 0.99.0 source > now has the capability to do SSL decryption, the lack of required libraries > in RHL7.3 and RHL9 prevents that feature from being enabled in Legacy's > builds of ethereal for those distros. We're not taking away any features > users have been used to having in ethereal in these distros. We're just not > enabling a new feature." > > What do you think? Jeff? Eric? Marc? Matt? Anyone? This seems pretty sane to me. I vote go for it.
That's the way I did it in all the previous Ethereal releases for rhl. I never mentioned it in the release notes though.
Sounds good to me. Mention in the release notes would be nice, but not absolutely required...
Fedora Legacy project has ended. These will not be fixed by Fedora Legacy.