
The following updates have been released for Arch Linux:

ASA-201805-22: wireshark-gtk: multiple issues
ASA-201805-23: wireshark-qt: multiple issues
ASA-201805-24: wireshark-common: multiple issues
ASA-201805-25: wireshark-cli: multiple issues
ASA-201805-26: strongswan: denial of service

ASA-201805-22: wireshark-gtk: multiple issues


Arch Linux Security Advisory ASA-201805-22
==========================================

Severity: Critical
Date : 2018-05-25
CVE-ID : CVE-2018-11354 CVE-2018-11355 CVE-2018-11356 CVE-2018-11357
CVE-2018-11358 CVE-2018-11359 CVE-2018-11360 CVE-2018-11361
CVE-2018-11362
Package : wireshark-gtk
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-708

Summary
=======

The package wireshark-gtk before version 2.6.1-1 is vulnerable to
multiple issues including arbitrary code execution, information
disclosure and denial of service.

Resolution
==========

Upgrade to 2.6.1-1.

# pacman -Syu "wireshark-gtk>=2.6.1-1"

The problems have been fixed upstream in version 2.6.1.

Workaround
==========

None.

Description
===========

- CVE-2018-11354 (information disclosure)

An out-of-bounds read has been found in the IEEE 1905.1a dissector of
Wireshark.

ASA-201805-23: wireshark-qt: multiple issues


Arch Linux Security Advisory ASA-201805-23
==========================================

Severity: Critical
Date : 2018-05-25
CVE-ID : CVE-2018-11354 CVE-2018-11355 CVE-2018-11356 CVE-2018-11357
CVE-2018-11358 CVE-2018-11359 CVE-2018-11360 CVE-2018-11361
CVE-2018-11362
Package : wireshark-qt
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-708

Summary
=======

The package wireshark-qt before version 2.6.1-1 is vulnerable to
multiple issues including arbitrary code execution, information
disclosure and denial of service.

Resolution
==========

Upgrade to 2.6.1-1.

# pacman -Syu "wireshark-qt>=2.6.1-1"

The problems have been fixed upstream in version 2.6.1.

Workaround
==========

None.

Description
===========

- CVE-2018-11354 (information disclosure)

An out-of-bounds read has been found in the IEEE 1905.1a dissector of
Wireshark.

ASA-201805-24: wireshark-common: multiple issues


Arch Linux Security Advisory ASA-201805-24
==========================================

Severity: Critical
Date : 2018-05-25
CVE-ID : CVE-2018-11354 CVE-2018-11355 CVE-2018-11356 CVE-2018-11357
CVE-2018-11358 CVE-2018-11359 CVE-2018-11360 CVE-2018-11361
CVE-2018-11362
Package : wireshark-common
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-708

Summary
=======

The package wireshark-common before version 2.6.1-1 is vulnerable to
multiple issues including arbitrary code execution, information
disclosure and denial of service.

Resolution
==========

Upgrade to 2.6.1-1.

# pacman -Syu "wireshark-common>=2.6.1-1"

The problems have been fixed upstream in version 2.6.1.

Workaround
==========

None.

Description
===========

- CVE-2018-11354 (information disclosure)

An out-of-bounds read has been found in the IEEE 1905.1a dissector of
Wireshark.

ASA-201805-25: wireshark-cli: multiple issues


Arch Linux Security Advisory ASA-201805-25
==========================================

Severity: Critical
Date : 2018-05-25
CVE-ID : CVE-2018-11354 CVE-2018-11355 CVE-2018-11356 CVE-2018-11357
CVE-2018-11358 CVE-2018-11359 CVE-2018-11360 CVE-2018-11361
CVE-2018-11362
Package : wireshark-cli
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-708

Summary
=======

The package wireshark-cli before version 2.6.1-1 is vulnerable to
multiple issues including arbitrary code execution, information
disclosure and denial of service.

Resolution
==========

Upgrade to 2.6.1-1.

# pacman -Syu "wireshark-cli>=2.6.1-1"

The problems have been fixed upstream in version 2.6.1.

Workaround
==========

None.

Description
===========

- CVE-2018-11354 (information disclosure)

An out-of-bounds read has been found in the IEEE 1905.1a dissector of
Wireshark.

ASA-201805-26: strongswan: denial of service

Arch Linux Security Advisory ASA-201805-26
==========================================

Severity: Low
Date : 2018-05-26
CVE-ID : CVE-2018-5388
Package : strongswan
Type : denial of service
Remote : No
Link : https://security.archlinux.org/AVG-710

Summary
=======

The package strongswan before version 5.6.2-2 is vulnerable to denial
of service.

Resolution
==========

Upgrade to 5.6.2-2.

# pacman -Syu "strongswan>=5.6.2-2"

The problem has been fixed upstream but no release is available yet.

Workaround
==========

None.

Description
===========

strongSwan VPN's charon server prior to version 5.6.3 is missing a
packet length check in stroke_socket.c, allowing a buffer overflow
which may lead to resource exhaustion and denial of service while
reading from the socket.
According to the vendor, an attacker must typically have local root
permissions to access the socket. However, other accounts and groups
such as the vpn group (if capability dropping is enabled, for example)
may also have sufficient permissions, but this configuration does not
appear to be the default behavior.
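The strongSwan issue above is a missing length check on a message read from a local socket. The following is an added example, not strongSwan's code and not its stroke message format: a hypothetical 2-byte length-prefixed message parser that bounds the attacker-controlled length field against the receive buffer before anything is copied or allocated. The message layout, the MAX_MSG_LEN limit and the sample bytes are all constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format (NOT the stroke protocol): a 2-byte
 * little-endian payload length, followed by that many payload bytes. */
#define HDR_LEN     2
#define MAX_MSG_LEN 512   /* largest payload the receiver will accept */

enum msg_status {
    MSG_OK = 0,
    MSG_TRUNCATED,       /* fewer bytes available than the header claims */
    MSG_LENGTH_INVALID   /* header claims more than the receiver will hold */
};

/* Parse one message from `in` (bytes already read off the socket) into
 * `out`, which must have room for MAX_MSG_LEN bytes.
 *
 * The check against MAX_MSG_LEN is the point: a reader that trusts the
 * header and sizes a copy or a malloc() from it lets a local client
 * overrun a fixed buffer or exhaust memory with a single message. */
enum msg_status parse_message(const uint8_t *in, size_t in_len,
                              uint8_t *out, size_t *out_len)
{
    if (in_len < HDR_LEN)
        return MSG_TRUNCATED;

    uint16_t length = (uint16_t)(in[0] | (in[1] << 8));

    /* Reject oversize claims before any allocation or copy happens. */
    if (length > MAX_MSG_LEN)
        return MSG_LENGTH_INVALID;

    /* Only then compare the claim against what actually arrived. */
    if (in_len - HDR_LEN < length)
        return MSG_TRUNCATED;

    memcpy(out, in + HDR_LEN, length);
    *out_len = length;
    return MSG_OK;
}

/* Run three constructed samples through the parser; returns how many of
 * them produced the status a hardened reader should produce (expect 3). */
int check_sample_messages(void)
{
    uint8_t out[MAX_MSG_LEN];
    size_t n = 0;
    int passed = 0;

    /* Well-formed: header says 3, three payload bytes follow. */
    const uint8_t good[] = { 3, 0, 'a', 'b', 'c' };
    if (parse_message(good, sizeof good, out, &n) == MSG_OK &&
        n == 3 && memcmp(out, "abc", 3) == 0)
        passed++;

    /* Oversize claim: header says 65535, must be refused outright. */
    const uint8_t oversize[] = { 0xFF, 0xFF, 'x' };
    if (parse_message(oversize, sizeof oversize, out, &n) == MSG_LENGTH_INVALID)
        passed++;

    /* Short read: header says 5 but only one payload byte arrived. */
    const uint8_t trunc[] = { 5, 0, 'a' };
    if (parse_message(trunc, sizeof trunc, out, &n) == MSG_TRUNCATED)
        passed++;

    return passed;
}

int main(void)
{
    printf("%d of 3 sample messages handled as expected\n",
           check_sample_messages());
    return 0;
}
```

The ordering of the two checks matters: the limit on the claimed length is tested before the comparison with the bytes actually received, so a reader that allocates or loops on the header value never sees an unbounded number.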

Impact
======

A local attacker with access to the VPN socket is able to crash the
service.

References
==========

https://bugs.archlinux.org/task/58719
https://www.kb.cert.org/vuls/id/338343
https://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=0acd1ab4
https://security.archlinux.org/CVE-2018-5388