tcpdump mailing list archives
Re: Research on tcpdump
From: Guy Harris <guy () alum mit edu>
Date: Mon, 18 Mar 2013 11:33:03 -0700
On Mar 18, 2013, at 11:13 AM, Michael Richardson <mcr () sandelman ca> wrote:
"Raymond" == Raymond Borges <borgesraymond () gmail com> writes:

Raymond> Specifically we are studying how versions fixed
Raymond> vulnerabilities by diffing the code functions where the CVE
Raymond> states the vulnerability was. We're also wondering why
Raymond> there are no listed CVEs after 2007 for tcpdump.
Raymond> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=tcpdump

There would be no CVEs prior to 3.5, because CVEs didn't exist.
Actually, CVE-1999-1024 is against "3.4a":

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1024

(What happened with 3.4? Did the LBL people not say "hey, we've released the final 3.4 version, no need to keep using the 3.4a alpha version" loudly enough, or did nobody notice? I've seen places where people thought "3.4a" was the final 3.4 version....)
I am unaware of a CVE against tcpdump since 2007. That's good, right?
I.e., perhaps there are no listed CVEs after 2007 because there aren't any serious vulnerabilities in tcpdump any more. I'm not naive enough to *assume* all the problems have been fixed and no new ones have been introduced, but perhaps, either because they haven't looked hard enough or because they're not there, nobody's found any vulnerabilities since 2007.

(Michael, have you gotten Coverity Scan set up to do either nightly or post-commit runs on libpcap and tcpdump?

http://scan.coverity.com

That's one way of getting the code checked. I also did a Clang Static Humiliator run on both of them a while ago, and fixed some issues it found.)

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers () lists tcpdump org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers