Wireshark-users: Re: [Wireshark-users] CVE-2011-2597

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 18 Jul 2011 16:35:15 -0700
On Jul 18, 2011, at 2:34 PM, Code Six wrote:

> The vulnerability CVE-2011-2597 states that 1.6.0 is also affected by this.
> But there is no "fixed" release.
> In looking at the website, I'm seeing on page
>  
> https://www.wireshark.org/security/wnpa-sec-2011-09.html
>  
> That it also states 1.6.0 is vulnerable to this and to install 1.2.18?
>  
> Please tell me this is a typo?

It's a misreading of a page that's probably written in a way that makes it too easy to misread.

The underlying vulnerability affects "Wireshark 1.2.x before 1.2.18, 1.4.x through 1.4.7, and 1.6.0".

The Wireshark Web site has *three* pages for that vulnerability:

	https://www.wireshark.org/security/wnpa-sec-2011-09.html, for "Lucent/Ascend file parser vulnerability in Wireshark® version 1.2.0 to 1.2.17";

	https://www.wireshark.org/security/wnpa-sec-2011-10.html, for "Lucent/Ascend file parser and ANSI MAP vulnerabilities in Wireshark® version 1.4.0 to 1.4.7";

	https://www.wireshark.org/security/wnpa-sec-2011-11.html, for "Lucent/Ascend file parser and ANSI MAP vulnerabilities in Wireshark® version 1.6.0 to 1.6.0" (sic).

The first of those pages says "Upgrade to Wireshark 1.2.18 or later. It is not possible to work around this bug."

The second of those pages says "Upgrade to Wireshark 1.4.8 or later. Although you can disable the ANSI MAP dissector it is not possible to work around the Lucent/Ascend parser bug."

The third of those pages says "Upgrade to Wireshark 1.6.1 or later. Although you can disable the ANSI MAP dissector it is not possible to work around the Lucent/Ascend parser bug."

Wireshark 1.4.8 and 1.6.1 were just released a few minutes ago, so the CVE page might not yet show a "fixed" release.