tcpdump mailing list archives
CVE-2020-8037: memory allocation in ppp decapsulator
From: Bill Fenner via tcpdump-workers <tcpdump-workers () lists tcpdump org>
Date: Mon, 30 Nov 2020 09:47:39 -0500
--- Begin Message --- From: Bill Fenner <fenner () gmail com>
I see that Red Hat/Fedora have released new packages to address CVE-2020-8037 in tcpdump. Does the tcpdump group have any message about this CVE? Is there a release from tcpdump.org with this CVE fixed? See https://bugzilla.redhat.com/show_bug.cgi?id=1895080 for details (pointing to a commit to the 4.9 branch from April).

Are there other CVEs that affect tcpdump-4.9.3 that vendors should be aware of? It looks like http://www.tcpdump.org/public-cve-list.txt hasn't been updated since the 4.9.3 release (even though CVE-2020-8037 is a public CVE).

I realize that http://www.tcpdump.org/security.html says there is no commitment from the tcpdump group to release security fixes on any timeframe whatsoever. However, is there a way for someone who ships tcpdump with their product to be made aware of unreleased security fixes, or should we rely on Red Hat and others for that?

Thanks,
Bill
--- End Message ---