Security update for wireshark SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:2125-1 Final 1 1 2021-07-10T08:56:57Z current 2021-07-10T08:56:57Z 2021-07-10T08:56:57Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for wireshark This update for wireshark, libvirt, sbc and libqt5-qtmultimedia fixes the following issues: Update wireshark to version 3.4.5 - New and updated support and bug fixes for multiple protocols - Asynchronous DNS resolution is always enabled - Protobuf fields can be dissected as Wireshark (header) fields - UI improvements Including security fixes for: - CVE-2021-22191: Wireshark could open unsafe URLs (bsc#1183353). - CVE-2021-22207: MS-WSP dissector excessive memory consumption (bsc#1185128) - CVE-2020-26422: QUIC dissector crash (bsc#1180232) - CVE-2020-26418: Kafka dissector memory leak (bsc#1179930) - CVE-2020-26419: Multiple dissector memory leaks (bsc#1179931) - CVE-2020-26420: RTPS dissector memory leak (bsc#1179932) - CVE-2020-26421: USB HID dissector crash (bsc#1179933) - CVE-2021-22173: Fix USB HID dissector memory leak (bsc#1181598) - CVE-2021-22174: Fix USB HID dissector crash (bsc#1181599) libqt5-qtmultimedia and sbc are necessary dependencies. libvirt is needed to rebuild wireshark-plugin-libvirt. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-SLE-15.3-2021-2125 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EZGXWOFRVD3EFRZ6YDAJZEVPBP7IUHFI/ E-Mail link for openSUSE-SU-2021:2125-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1179930 SUSE Bug 1179930 https://bugzilla.suse.com/1179931 SUSE Bug 1179931 https://bugzilla.suse.com/1179932 SUSE Bug 1179932 https://bugzilla.suse.com/1179933 SUSE Bug 1179933 https://bugzilla.suse.com/1180102 SUSE Bug 1180102 https://bugzilla.suse.com/1180232 SUSE Bug 1180232 https://bugzilla.suse.com/1181598 SUSE Bug 1181598 https://bugzilla.suse.com/1181599 SUSE Bug 1181599 https://bugzilla.suse.com/1183353 SUSE Bug 1183353 https://bugzilla.suse.com/1184110 SUSE Bug 1184110 https://bugzilla.suse.com/1185128 SUSE Bug 1185128 https://www.suse.com/security/cve/CVE-2020-26418/ SUSE CVE CVE-2020-26418 page https://www.suse.com/security/cve/CVE-2020-26419/ SUSE CVE CVE-2020-26419 page https://www.suse.com/security/cve/CVE-2020-26420/ SUSE CVE CVE-2020-26420 page https://www.suse.com/security/cve/CVE-2020-26421/ SUSE CVE CVE-2020-26421 page https://www.suse.com/security/cve/CVE-2020-26422/ SUSE CVE CVE-2020-26422 page https://www.suse.com/security/cve/CVE-2021-22173/ SUSE CVE CVE-2021-22173 page https://www.suse.com/security/cve/CVE-2021-22174/ SUSE CVE CVE-2021-22174 page https://www.suse.com/security/cve/CVE-2021-22191/ SUSE CVE CVE-2021-22191 page https://www.suse.com/security/cve/CVE-2021-22207/ SUSE CVE CVE-2021-22207 page openSUSE Leap 15.3 libsbc1-1.3-3.2.1 libsbc1-32bit-1.3-3.2.1 libwireshark14-3.4.5-3.53.1 libwiretap11-3.4.5-3.53.1 libwsutil12-3.4.5-3.53.1 sbc-1.3-3.2.1 sbc-devel-1.3-3.2.1 wireshark-3.4.5-3.53.1 wireshark-devel-3.4.5-3.53.1 wireshark-ui-qt-3.4.5-3.53.1 libsbc1-1.3-3.2.1 as a component of openSUSE Leap 15.3 libsbc1-32bit-1.3-3.2.1 as a component of openSUSE Leap 15.3 libwireshark14-3.4.5-3.53.1 as a component of openSUSE Leap 15.3 libwiretap11-3.4.5-3.53.1 as a component of openSUSE Leap 15.3 libwsutil12-3.4.5-3.53.1 as a component of openSUSE Leap 15.3 sbc-1.3-3.2.1 as a component of openSUSE Leap 15.3 sbc-devel-1.3-3.2.1 as a component of openSUSE Leap 15.3 wireshark-3.4.5-3.53.1 as a component of openSUSE Leap 15.3 wireshark-devel-3.4.5-3.53.1 as a component of openSUSE Leap 15.3 wireshark-ui-qt-3.4.5-3.53.1 as a component of openSUSE Leap 15.3 Memory leak in Kafka protocol dissector in Wireshark 3.4.0 and 3.2.0 to 3.2.8 allows denial of service via packet injection or crafted capture file. CVE-2020-26418 openSUSE Leap 15.3:libsbc1-1.3-3.2.1 openSUSE Leap 15.3:libsbc1-32bit-1.3-3.2.1 openSUSE Leap 15.3:libwireshark14-3.4.5-3.53.1 openSUSE Leap 15.3:libwiretap11-3.4.5-3.53.1 openSUSE Leap 15.3:libwsutil12-3.4.5-3.53.1 openSUSE Leap 15.3:sbc-1.3-3.2.1 openSUSE Leap 15.3:sbc-devel-1.3-3.2.1 openSUSE Leap 15.3:wireshark-3.4.5-3.53.1 openSUSE Leap 15.3:wireshark-devel-3.4.5-3.53.1 openSUSE Leap 15.3:wireshark-ui-qt-3.4.5-3.53.1 low 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EZGXWOFRVD3EFRZ6YDAJZEVPBP7IUHFI/ https://www.suse.com/security/cve/CVE-2020-26418.html CVE-2020-26418 https://bugzilla.suse.com/1179930 SUSE Bug 1179930 Memory leak in the dissection engine in Wireshark 3.4.0 allows denial of service via packet injection or crafted capture file. CVE-2020-26419 openSUSE Leap 15.3:libsbc1-1.3-3.2.1 openSUSE Leap 15.3:libsbc1-32bit-1.3-3.2.1 openSUSE Leap 15.3:libwireshark14-3.4.5-3.53.1 openSUSE Leap 15.3:libwiretap11-3.4.5-3.53.1 openSUSE Leap 15.3:libwsutil12-3.4.5-3.53.1 openSUSE Leap 15.3:sbc-1.3-3.2.1 openSUSE Leap 15.3:sbc-devel-1.3-3.2.1 openSUSE Leap 15.3:wireshark-3.4.5-3.53.1 openSUSE Leap 15.3:wireshark-devel-3.4.5-3.53.1 openSUSE Leap 15.3:wireshark-ui-qt-3.4.5-3.53.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EZGXWOFRVD3EFRZ6YDAJZEVPBP7IUHFI/ https://www.suse.com/security/cve/CVE-2020-26419.html CVE-2020-26419 https://bugzilla.suse.com/1179931 SUSE Bug 1179931 Memory leak in RTPS protocol dissector in Wireshark 3.4.0 and 3.2.0 to 3.2.8 allows denial of service via packet injection or crafted capture file. CVE-2020-26420 openSUSE Leap 15.3:libsbc1-1.3-3.2.1 openSUSE Leap 15.3:libsbc1-32bit-1.3-3.2.1 openSUSE Leap 15.3:libwireshark14-3.4.5-3.53.1 openSUSE Leap 15.3:libwiretap11-3.4.5-3.53.1 openSUSE Leap 15.3:libwsutil12-3.4.5-3.53.1 openSUSE Leap 15.3:sbc-1.3-3.2.1 openSUSE Leap 15.3:sbc-devel-1.3-3.2.1 openSUSE Leap 15.3:wireshark-3.4.5-3.53.1 openSUSE Leap 15.3:wireshark-devel-3.4.5-3.53.1 openSUSE Leap 15.3:wireshark-ui-qt-3.4.5-3.53.1 low 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EZGXWOFRVD3EFRZ6YDAJZEVPBP7IUHFI/ https://www.suse.com/security/cve/CVE-2020-26420.html CVE-2020-26420 https://bugzilla.suse.com/1179932 SUSE Bug 1179932 Crash in USB HID protocol dissector and possibly other dissectors in Wireshark 3.4.0 and 3.2.0 to 3.2.8 allows denial of service via packet injection or crafted capture file. CVE-2020-26421 openSUSE Leap 15.3:libsbc1-1.3-3.2.1 openSUSE Leap 15.3:libsbc1-32bit-1.3-3.2.1 openSUSE Leap 15.3:libwireshark14-3.4.5-3.53.1 openSUSE Leap 15.3:libwiretap11-3.4.5-3.53.1 openSUSE Leap 15.3:libwsutil12-3.4.5-3.53.1 openSUSE Leap 15.3:sbc-1.3-3.2.1 openSUSE Leap 15.3:sbc-devel-1.3-3.2.1 openSUSE Leap 15.3:wireshark-3.4.5-3.53.1 openSUSE Leap 15.3:wireshark-devel-3.4.5-3.53.1 openSUSE Leap 15.3:wireshark-ui-qt-3.4.5-3.53.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EZGXWOFRVD3EFRZ6YDAJZEVPBP7IUHFI/ https://www.suse.com/security/cve/CVE-2020-26421.html CVE-2020-26421 https://bugzilla.suse.com/1179933 SUSE Bug 1179933 Buffer overflow in QUIC dissector in Wireshark 3.4.0 to 3.4.1 allows denial of service via packet injection or crafted capture file CVE-2020-26422 openSUSE Leap 15.3:libsbc1-1.3-3.2.1 openSUSE Leap 15.3:libsbc1-32bit-1.3-3.2.1 openSUSE Leap 15.3:libwireshark14-3.4.5-3.53.1 openSUSE Leap 15.3:libwiretap11-3.4.5-3.53.1 openSUSE Leap 15.3:libwsutil12-3.4.5-3.53.1 openSUSE Leap 15.3:sbc-1.3-3.2.1 openSUSE Leap 15.3:sbc-devel-1.3-3.2.1 openSUSE Leap 15.3:wireshark-3.4.5-3.53.1 openSUSE Leap 15.3:wireshark-devel-3.4.5-3.53.1 openSUSE Leap 15.3:wireshark-ui-qt-3.4.5-3.53.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EZGXWOFRVD3EFRZ6YDAJZEVPBP7IUHFI/ https://www.suse.com/security/cve/CVE-2020-26422.html CVE-2020-26422 https://bugzilla.suse.com/1180232 SUSE Bug 1180232 Memory leak in USB HID dissector in Wireshark 3.4.0 to 3.4.2 allows denial of service via packet injection or crafted capture file CVE-2021-22173 openSUSE Leap 15.3:libsbc1-1.3-3.2.1 openSUSE Leap 15.3:libsbc1-32bit-1.3-3.2.1 openSUSE Leap 15.3:libwireshark14-3.4.5-3.53.1 openSUSE Leap 15.3:libwiretap11-3.4.5-3.53.1 openSUSE Leap 15.3:libwsutil12-3.4.5-3.53.1 openSUSE Leap 15.3:sbc-1.3-3.2.1 openSUSE Leap 15.3:sbc-devel-1.3-3.2.1 openSUSE Leap 15.3:wireshark-3.4.5-3.53.1 openSUSE Leap 15.3:wireshark-devel-3.4.5-3.53.1 openSUSE Leap 15.3:wireshark-ui-qt-3.4.5-3.53.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EZGXWOFRVD3EFRZ6YDAJZEVPBP7IUHFI/ https://www.suse.com/security/cve/CVE-2021-22173.html CVE-2021-22173 https://bugzilla.suse.com/1181598 SUSE Bug 1181598 Crash in USB HID dissector in Wireshark 3.4.0 to 3.4.2 allows denial of service via packet injection or crafted capture file CVE-2021-22174 openSUSE Leap 15.3:libsbc1-1.3-3.2.1 openSUSE Leap 15.3:libsbc1-32bit-1.3-3.2.1 openSUSE Leap 15.3:libwireshark14-3.4.5-3.53.1 openSUSE Leap 15.3:libwiretap11-3.4.5-3.53.1 openSUSE Leap 15.3:libwsutil12-3.4.5-3.53.1 openSUSE Leap 15.3:sbc-1.3-3.2.1 openSUSE Leap 15.3:sbc-devel-1.3-3.2.1 openSUSE Leap 15.3:wireshark-3.4.5-3.53.1 openSUSE Leap 15.3:wireshark-devel-3.4.5-3.53.1 openSUSE Leap 15.3:wireshark-ui-qt-3.4.5-3.53.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EZGXWOFRVD3EFRZ6YDAJZEVPBP7IUHFI/ https://www.suse.com/security/cve/CVE-2021-22174.html CVE-2021-22174 https://bugzilla.suse.com/1181599 SUSE Bug 1181599 Improper URL handling in Wireshark 3.4.0 to 3.4.3 and 3.2.0 to 3.2.11 could allow remote code execution via via packet injection or crafted capture file. CVE-2021-22191 openSUSE Leap 15.3:libsbc1-1.3-3.2.1 openSUSE Leap 15.3:libsbc1-32bit-1.3-3.2.1 openSUSE Leap 15.3:libwireshark14-3.4.5-3.53.1 openSUSE Leap 15.3:libwiretap11-3.4.5-3.53.1 openSUSE Leap 15.3:libwsutil12-3.4.5-3.53.1 openSUSE Leap 15.3:sbc-1.3-3.2.1 openSUSE Leap 15.3:sbc-devel-1.3-3.2.1 openSUSE Leap 15.3:wireshark-3.4.5-3.53.1 openSUSE Leap 15.3:wireshark-devel-3.4.5-3.53.1 openSUSE Leap 15.3:wireshark-ui-qt-3.4.5-3.53.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EZGXWOFRVD3EFRZ6YDAJZEVPBP7IUHFI/ https://www.suse.com/security/cve/CVE-2021-22191.html CVE-2021-22191 https://bugzilla.suse.com/1183353 SUSE Bug 1183353 Excessive memory consumption in MS-WSP dissector in Wireshark 3.4.0 to 3.4.4 and 3.2.0 to 3.2.12 allows denial of service via packet injection or crafted capture file CVE-2021-22207 openSUSE Leap 15.3:libsbc1-1.3-3.2.1 openSUSE Leap 15.3:libsbc1-32bit-1.3-3.2.1 openSUSE Leap 15.3:libwireshark14-3.4.5-3.53.1 openSUSE Leap 15.3:libwiretap11-3.4.5-3.53.1 openSUSE Leap 15.3:libwsutil12-3.4.5-3.53.1 openSUSE Leap 15.3:sbc-1.3-3.2.1 openSUSE Leap 15.3:sbc-devel-1.3-3.2.1 openSUSE Leap 15.3:wireshark-3.4.5-3.53.1 openSUSE Leap 15.3:wireshark-devel-3.4.5-3.53.1 openSUSE Leap 15.3:wireshark-ui-qt-3.4.5-3.53.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/EZGXWOFRVD3EFRZ6YDAJZEVPBP7IUHFI/ https://www.suse.com/security/cve/CVE-2021-22207.html CVE-2021-22207 https://bugzilla.suse.com/1185128 SUSE Bug 1185128