summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-15 17:13:05 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-15 17:13:05 +0000
commitd89fede3849004be87494c62f2e5b8140c7d69c5 (patch)
tree5e000e46fe2807586a9ae25d96e7ab043323d91e
parentAdding upstream version 4.99.4. (diff)
downloadtcpdump-d89fede3849004be87494c62f2e5b8140c7d69c5.tar.xz
tcpdump-d89fede3849004be87494c62f2e5b8140c7d69c5.zip
Adding debian version 4.99.4-3.debian/4.99.4-3
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
-rw-r--r--debian/NEWS13
-rw-r--r--debian/README.Debian11
-rw-r--r--debian/changelog1048
-rw-r--r--debian/control34
-rw-r--r--debian/copyright149
-rw-r--r--debian/patches/drop-privs-after-opening-savefile.diff91
-rw-r--r--debian/patches/drop-privs-only-if-non-root.diff41
-rw-r--r--debian/patches/drop-privs-silently.diff29
-rw-r--r--debian/patches/install.diff26
-rw-r--r--debian/patches/man-section.diff15
-rw-r--r--debian/patches/series5
-rwxr-xr-xdebian/rules14
-rw-r--r--debian/salsa-ci.yml7
-rw-r--r--debian/source/format1
-rw-r--r--debian/tcpdump.docs1
-rw-r--r--debian/tcpdump.examples4
-rw-r--r--debian/tcpdump.install1
-rw-r--r--debian/tcpdump.lintian-overrides1
-rw-r--r--debian/tcpdump.maintscript1
-rwxr-xr-xdebian/tcpdump.postinst28
-rwxr-xr-xdebian/tcpdump.postrm12
-rw-r--r--debian/tests/control2
-rw-r--r--debian/upstream/metadata4
-rw-r--r--debian/upstream/signing-key.asc24
-rw-r--r--debian/usr.bin.tcpdump71
-rw-r--r--debian/watch2
26 files changed, 1635 insertions, 0 deletions
diff --git a/debian/NEWS b/debian/NEWS
new file mode 100644
index 0000000..3bc5325
--- /dev/null
+++ b/debian/NEWS
@@ -0,0 +1,13 @@
+tcpdump (4.99.0-1) unstable; urgency=medium
+
+ tcpdump is now installed to /usr/bin, not /usr/sbin.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sun, 03 Jan 2021 21:23:34 +0100
+
+tcpdump (4.9.3~git20190901-1) unstable; urgency=low
+
+ tcpdump now drops root privileges by default and runs as user 'tcpdump'.
+ To have tcpdump run as root as before, use `tcpdump -Z root'.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sun, 01 Sep 2019 12:54:02 +0200
+
diff --git a/debian/README.Debian b/debian/README.Debian
new file mode 100644
index 0000000..7b18ed7
--- /dev/null
+++ b/debian/README.Debian
@@ -0,0 +1,11 @@
+Apparmor Profile
+----------------
+
+If your system uses AppArmor, note that the shipped enforcing profile
+works with the default installation, and changes in your configuration may
+require changes to the installed AppArmor profile. Before filing a bug against
+this package, please see:
+
+ * https://wiki.debian.org/AppArmor/Debug
+ * https://wiki.ubuntu.com/DebuggingApparmor
+
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..a1bfe78
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,1048 @@
+tcpdump (4.99.4-3) unstable; urgency=medium
+
+ * Allow *.pcapng in AppArmor policy, thanks to Chris Kuethe for the
+ patch (closes: #1039993).
+ * Pick up patch from upstream PR#812 to avoid the call to droproot()
+ altogether if called with `-Z root', thanks to Tj (closes: #1035842).
+ * Override 'spelling-error-in-binary' and move 'set -e' inside maintscripts.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sat, 22 Jul 2023 17:23:56 +0200
+
+tcpdump (4.99.4-2) unstable; urgency=medium
+
+ * Upload to unstable.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sat, 17 Jun 2023 17:29:12 +0200
+
+tcpdump (4.99.4-1) experimental; urgency=medium
+
+ * New upstream release.
+ * Mark Debian-specific patches as "Forwarded: not-needed" in metadata.
+
+ -- Romain Francoise <rfrancoise@debian.org> Mon, 10 Apr 2023 16:57:18 +0200
+
+tcpdump (4.99.3-1) unstable; urgency=medium
+
+ * New upstream release.
+ * Drop Hurd build patch, which doesn't seem to be right anymore.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sat, 14 Jan 2023 18:23:25 +0100
+
+tcpdump (4.99.2-1) unstable; urgency=medium
+
+ * New upstream release.
+ * Re-enable all tests.
+ * Bump Standards-Version to 4.6.2.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sun, 01 Jan 2023 18:19:40 +0100
+
+tcpdump (4.99.1-4) unstable; urgency=medium
+
+ * debian/usr.bin.tcpdump: account for numerical suffix in filenames
+ added by -W (closes: #1010688).
+
+ -- Romain Francoise <rfrancoise@debian.org> Sun, 08 May 2022 18:25:45 +0200
+
+tcpdump (4.99.1-3) unstable; urgency=medium
+
+ * Clean up AppArmor local profile for /usr/sbin/tcpdump, if it's still
+ empty (closes: #990554).
+ * Switch to debhelper compat level 13.
+ * Set `Rules-Requires-Root' to "no".
+ * Bump Standards-Version to 4.6.0.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sun, 12 Sep 2021 18:55:44 +0200
+
+tcpdump (4.99.1-2) unstable; urgency=medium
+
+ * Upload to unstable.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sun, 15 Aug 2021 17:29:54 +0200
+
+tcpdump (4.99.1-1) experimental; urgency=medium
+
+ * New upstream release.
+ * debian/usr.bin.tcpdump: grant access to *.cap (closes: #989433).
+
+ -- Romain Francoise <rfrancoise@debian.org> Sun, 20 Jun 2021 20:48:30 +0200
+
+tcpdump (4.99.0-2) unstable; urgency=medium
+
+ * Add autopkgtest support, running the upstream test suite.
+
+ -- Romain Francoise <rfrancoise@debian.org> Fri, 15 Jan 2021 23:41:47 +0100
+
+tcpdump (4.99.0-1) unstable; urgency=medium
+
+ * New upstream release.
+ * Mention in debian/NEWS that tcpdump is now installed to /usr/bin
+ instead of /usr/sbin.
+ * Rename AppArmor profile to match new binary location and add
+ maintscript stanza to move the previous conffile if present.
+ * Temporarily disable tests that require the just-released libpcap 1.10,
+ we don't want to tie the migration of the two just before the bullseye
+ freeze.
+ * Drop unused lintian override.
+ * Bump Standards-Version to 4.5.1.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sun, 03 Jan 2021 21:28:16 +0100
+
+tcpdump (4.9.3-7) unstable; urgency=high
+
+ * Cherry-pick commit 32027e1993 from the upstream tcpdump-4.9 branch to fix
+ untrusted input issue in the PPP printer (CVE-2020-8037, closes: #973877).
+
+ -- Romain Francoise <rfrancoise@debian.org> Sat, 07 Nov 2020 13:19:14 +0100
+
+tcpdump (4.9.3-6) unstable; urgency=medium
+
+ [ Simon Deziel ]
+ * debian/usr.sbin.tcpdump: use profile name specifier instead of
+ '/usr/sbin/tcpdump'.
+
+ -- Romain Francoise <rfrancoise@debian.org> Thu, 28 May 2020 19:23:57 +0200
+
+tcpdump (4.9.3-5) unstable; urgency=medium
+
+ * Minor packaging fixes courtesy of the Janitor bot and lintian-brush:
+ + Set upstream metadata fields: Bug-Submit, Repository, Repository-
+ Browse.
+ * Bump Standards-Version to 4.5.0.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sat, 09 May 2020 20:42:57 +0200
+
+tcpdump (4.9.3-4) unstable; urgency=medium
+
+ * Set upstream metadata fields: Bug-Database.
+
+ -- Romain Francoise <rfrancoise@debian.org> Tue, 31 Dec 2019 19:24:04 +0100
+
+tcpdump (4.9.3-3) unstable; urgency=medium
+
+ * Minor packaging fixes courtesy of the Janitor bot and lintian-brush:
+ + Use secure URI in debian/watch.
+ + Use secure URI in Homepage field.
+ + Bump debhelper from old 11 to 12.
+ + Set debhelper-compat version in Build-Depends.
+ + Re-export upstream signing key without extra signatures.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sun, 08 Dec 2019 13:56:42 +0100
+
+tcpdump (4.9.3-2) unstable; urgency=medium
+
+ * Disable failing IKEv2 test yet again to fix build on ppc64el (again)
+ (closes: #942171).
+
+ -- Romain Francoise <rfrancoise@debian.org> Fri, 11 Oct 2019 20:48:04 +0200
+
+tcpdump (4.9.3-1) unstable; urgency=medium
+
+ * New upstream release, with fixes for 24 different CVEs (closes: #941698).
+ * Build-depend on libpcap >= 1.9.1 to make all build-time tests pass.
+ * Re-enable IKEv2 test.
+ * Bump Standards-Version to 4.4.1.
+
+ -- Romain Francoise <rfrancoise@debian.org> Thu, 10 Oct 2019 21:31:38 +0200
+
+tcpdump (4.9.3~git20190901-2) unstable; urgency=medium
+
+ * Disable failing IKEv2 test again to fix build on ppc64el.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sat, 07 Sep 2019 12:14:43 +0200
+
+tcpdump (4.9.3~git20190901-1) unstable; urgency=low
+
+ * New upstream snapshot from the tcpdump-4.9 branch:
+ + Includes fix for CVE-2017-16808 (closes: #881862).
+ + Fixes ESP decryption on ppc64el (and others), re-enable tests.
+ * Drop root privileges by default (closes: #935112):
+ + debian/rules: Configure --with-user=tcpdump.
+ + debian/tcpdump.post{inst,rm}: Create/delete a 'tcpdump' system group
+ and user.
+ + debian/control: Add dependency on adduser.
+ + debian/patches/drop-privs-after-opening-savefile.diff: New patch
+ (from Fedora) to drop root privileges *after* opening the savefile
+ when possible, to alleviate possible inconvenience if the target
+ directory is not writable by user tcpdump.
+ + debian/patches/drop-privs-silently.diff: New patch (from Fedora) to
+ drop root privileges silently.
+ + debian/usr.sbin.tcpdump: Add chown capability, and update rules
+ about device discovery.
+ + debian/NEWS: Mention how to run tcpdump as root.
+ * Bump Standards-Version to 4.4.0.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sun, 01 Sep 2019 13:05:24 +0200
+
+tcpdump (4.9.2-3) unstable; urgency=medium
+
+ [ Jamie Strandboge ]
+ * debian/usr.sbin.tcpdump: drop 'capability sys_module' since we already
+ have 'net_admin' and network module loading (which happens with -D) is
+ allowed with 'net_admin' (LP: #1759029) (closes: #894161)
+
+ [ Romain Francoise ]
+ * Switch to debhelper compatibility level 11.
+ * Bump Standards-Version to 4.1.3.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sat, 31 Mar 2018 22:22:36 +0200
+
+tcpdump (4.9.2-2) unstable; urgency=medium
+
+ * Use new URLs on salsa.debian.org for Vcs-* fields.
+ * Bump Standards-Version to 4.1.2.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sun, 31 Dec 2017 15:53:41 +0100
+
+tcpdump (4.9.2-1) unstable; urgency=high
+
+ * New upstream release:
+ + Fixes 86 new CVEs, see the upstream changelog for the full list.
+ + Now supports OpenSSL 1.1, so move back to libssl-dev (closes: #859740).
+ * Urgency high due to security fixes.
+
+ -- Romain Francoise <rfrancoise@debian.org> Fri, 08 Sep 2017 21:30:47 +0200
+
+tcpdump (4.9.1-3) unstable; urgency=high
+
+ * Cherry-pick three upstream commits to fix the following:
+ + CVE-2017-11541: buffer over-read in safeputs() (closes: #873804)
+ + CVE-2017-11542: buffer over-read in pimv1_print() (closes: #873805)
+ + CVE-2017-11543: buffer overflow in sliplink_print() (closes: #873806)
+ * Urgency high due to security fixes.
+
+ -- Romain Francoise <rfrancoise@debian.org> Mon, 04 Sep 2017 19:45:45 +0200
+
+tcpdump (4.9.1-2) unstable; urgency=medium
+
+ * Disable IKEv2 test which mysteriously fails on ppc64el (closes: #873377).
+
+ -- Romain Francoise <rfrancoise@debian.org> Sat, 02 Sep 2017 11:01:30 +0200
+
+tcpdump (4.9.1-1) unstable; urgency=medium
+
+ * New upstream release, fixes CVE-2017-11108 (closes: #867718).
+ * Bump Standards-Version to 4.1.0.
+ * debian/watch: add pgpsigurlmangle option.
+ * Add upstream signing key in debian/upstream.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sat, 26 Aug 2017 18:48:32 +0200
+
+tcpdump (4.9.0-3) unstable; urgency=medium
+
+ [ intrigeri ]
+ * Include AppArmor profile from Ubuntu (closes: #866682).
+
+ [ Romain Francoise ]
+ * Bump Standards-Version to 4.0.0.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sun, 02 Jul 2017 12:13:53 +0200
+
+tcpdump (4.9.0-2) unstable; urgency=medium
+
+ * Re-enable crypto support, targeting OpenSSL 1.0 as upstream still
+ doesn't support OpenSSL 1.1.
+ * Drop --enable-ipv6 from configure line, it has been the default for
+ years now.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sat, 11 Feb 2017 16:40:05 +0100
+
+tcpdump (4.9.0-1) unstable; urgency=high
+
+ * New upstream security release, fixing the following:
+ + CVE-2016-7922: buffer overflow in print-ah.c:ah_print().
+ + CVE-2016-7923: buffer overflow in print-arp.c:arp_print().
+ + CVE-2016-7924: buffer overflow in print-atm.c:oam_print().
+ + CVE-2016-7925: buffer overflow in print-sl.c:sl_if_print().
+ + CVE-2016-7926: buffer overflow in print-ether.c:ethertype_print().
+ + CVE-2016-7927: buffer overflow in print-802_11.c:ieee802_11_radio_print().
+ + CVE-2016-7928: buffer overflow in print-ipcomp.c:ipcomp_print().
+ + CVE-2016-7929: buffer overflow in print-juniper.c:juniper_parse_header().
+ + CVE-2016-7930: buffer overflow in print-llc.c:llc_print().
+ + CVE-2016-7931: buffer overflow in print-mpls.c:mpls_print().
+ + CVE-2016-7932: buffer overflow in print-pim.c:pimv2_check_checksum().
+ + CVE-2016-7933: buffer overflow in print-ppp.c:ppp_hdlc_if_print().
+ + CVE-2016-7934: buffer overflow in print-udp.c:rtcp_print().
+ + CVE-2016-7935: buffer overflow in print-udp.c:rtp_print().
+ + CVE-2016-7936: buffer overflow in print-udp.c:udp_print().
+ + CVE-2016-7937: buffer overflow in print-udp.c:vat_print().
+ + CVE-2016-7938: integer overflow in print-zeromq.c:zmtp1_print_frame().
+ + CVE-2016-7939: buffer overflow in print-gre.c, multiple functions.
+ + CVE-2016-7940: buffer overflow in print-stp.c, multiple functions.
+ + CVE-2016-7973: buffer overflow in print-atalk.c, multiple functions.
+ + CVE-2016-7974: buffer overflow in print-ip.c, multiple functions.
+ + CVE-2016-7975: buffer overflow in print-tcp.c:tcp_print().
+ + CVE-2016-7983: buffer overflow in print-bootp.c:bootp_print().
+ + CVE-2016-7984: buffer overflow in print-tftp.c:tftp_print().
+ + CVE-2016-7985: buffer overflow in print-calm-fast.c:calm_fast_print().
+ + CVE-2016-7986: buffer overflow in print-geonet.c, multiple functions.
+ + CVE-2016-7992: buffer overflow in print-cip.c:cip_if_print().
+ + CVE-2016-7993: a bug in util-print.c:relts_print() could cause a
+ buffer overflow in multiple protocol parsers (DNS, DVMRP, HSRP, IGMP,
+ lightweight resolver protocol, PIM).
+ + CVE-2016-8574: buffer overflow in print-fr.c:frf15_print().
+ + CVE-2016-8575: buffer overflow in print-fr.c:q933_print().
+ + CVE-2017-5202: buffer overflow in print-isoclns.c:clnp_print().
+ + CVE-2017-5203: buffer overflow in print-bootp.c:bootp_print().
+ + CVE-2017-5204: buffer overflow in print-ip6.c:ip6_print().
+ + CVE-2017-5205: buffer overflow in print-isakmp.c:ikev2_e_print().
+ + CVE-2017-5341: buffer overflow in print-otv.c:otv_print().
+ + CVE-2017-5342: a bug in multiple protocol parsers (Geneve, GRE, NSH,
+ OTV, VXLAN and VXLAN GPE) could cause a buffer overflow in
+ print-ether.c:ether_print().
+ + CVE-2017-5482: buffer overflow in print-fr.c:q933_print().
+ + CVE-2017-5483: buffer overflow in print-snmp.c:asn1_parse().
+ + CVE-2017-5484: buffer overflow in print-atm.c:sig_print().
+ + CVE-2017-5485: buffer overflow in addrtoname.c:lookup_nsap().
+ + CVE-2017-5486: buffer overflow in print-isoclns.c:clnp_print().
+ * Re-enable all tests and bump build-dep on libpcap0.8-dev to >= 1.8
+ accordingly.
+ * Switch Vcs-Git URL to the https one.
+ * Adjust lintian override name about dh 9.
+
+ -- Romain Francoise <rfrancoise@debian.org> Thu, 26 Jan 2017 20:04:11 +0100
+
+tcpdump (4.8.1-2) unstable; urgency=medium
+
+ * Disable new HNCP test, which fails on some buildds for some
+ as-of-yet unexplained reason.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sat, 29 Oct 2016 19:40:01 +0200
+
+tcpdump (4.8.1-1) unstable; urgency=medium
+
+ * New upstream release.
+ * Re-enable Geneve tests (disabled in 4.7.4-1) and bump build-dep on
+ libpcap0.8-dev to >= 1.7 accordingly.
+ * Disable new pcap version tests which require libpcap 1.8+.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sat, 29 Oct 2016 17:16:06 +0200
+
+tcpdump (4.7.4-3) unstable; urgency=medium
+
+ * Use dh-autoreconf instead of calling autoconf directly and patching
+ config.{guess,sub}.
+ * Call dh_auto_configure instead of configure in override target, patch
+ by Helmut Grohne (closes: #837951).
+
+ -- Romain Francoise <rfrancoise@debian.org> Sat, 17 Sep 2016 11:18:45 +0200
+
+tcpdump (4.7.4-2) unstable; urgency=medium
+
+ * Disable crypto support as it causes FTBFS with OpenSSL 1.1.x and we
+ don't have a working fix upstream yet (closes: #828569).
+ * Bump Standards-Version to 3.9.8.
+ * Use cgit URL for Vcs-Browser.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sun, 28 Aug 2016 18:16:50 +0200
+
+tcpdump (4.7.4-1) unstable; urgency=medium
+
+ * New upstream release.
+ * Disable two geneve tests that require libpcap 1.7+.
+ * Bump Standards-Version to 3.9.6.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sat, 23 May 2015 18:25:01 +0200
+
+tcpdump (4.6.2-5) unstable; urgency=high
+
+ * Cherry-pick commit fb6e5377f3 from upstream Git to fix regressions in the
+ RPKI/RTR printer after the CVE-2015-2153 changes. Thanks to Artur Rona
+ from Ubuntu for the heads-up (closes: #781362).
+
+ -- Romain Francoise <rfrancoise@debian.org> Sat, 04 Apr 2015 19:10:27 +0200
+
+tcpdump (4.6.2-4) unstable; urgency=high
+
+ * Cherry-pick changes from upstream Git to fix the following security
+ issues:
+ + CVE-2015-0261: missing bounds checks in IPv6 Mobility printer.
+ + CVE-2015-2153: missing bounds checks in RPKI/RTR printer.
+ + CVE-2015-2154: missing bounds checks in ISOCLNS printer.
+ + CVE-2015-2155: missing bounds checks in ForCES printer.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sat, 14 Mar 2015 18:43:44 +0100
+
+tcpdump (4.6.2-3) unstable; urgency=high
+
+ * Cherry-pick commit 0f95d441e4 from upstream Git to fix a buffer overflow
+ in the PPP dissector (CVE-2014-9140).
+
+ -- Romain Francoise <rfrancoise@debian.org> Sat, 29 Nov 2014 12:23:53 +0100
+
+tcpdump (4.6.2-2) unstable; urgency=high
+
+ * Urgency high due to security fixes.
+ * Add three patches extracted from various upstream commits fixing
+ vulnerabilities in three dissectors:
+ + CVE-2014-8767: missing bounds checks in OLSR dissector (closes: #770434).
+ + CVE-2014-8768: missing bounds checks in Geonet dissector
+ (closes: #770415).
+ + CVE-2014-8769: missing bounds checks in AOVD dissector (closes: #770424).
+
+ -- Romain Francoise <rfrancoise@debian.org> Sat, 22 Nov 2014 11:48:08 +0100
+
+tcpdump (4.6.2-1) unstable; urgency=medium
+
+ * New upstream release.
+
+ -- Romain Francoise <rfrancoise@debian.org> Thu, 04 Sep 2014 18:53:34 +0200
+
+tcpdump (4.6.1-3) unstable; urgency=medium
+
+ * Bump build-dep on libpcap0.8-dev to >= 1.5 as the pppoes_id test case
+ requires a pcap version that supports PPPoE session ID filtering.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sat, 16 Aug 2014 17:38:28 +0200
+
+tcpdump (4.6.1-2) unstable; urgency=medium
+
+ * Expand configure check for net/pfvar.h to also check for existence of
+ net/if_pflog.h to fix build on GNU/kFreeBSD, which ships the former
+ but not the latter, see #756553 (closes: #756790).
+
+ -- Romain Francoise <rfrancoise@debian.org> Mon, 04 Aug 2014 22:37:24 +0200
+
+tcpdump (4.6.1-1) unstable; urgency=medium
+
+ * New upstream release.
+ * debian/control: Mark tcpdump 'Multi-Arch: foreign' (closes: #700727).
+
+ -- Romain Francoise <rfrancoise@debian.org> Wed, 30 Jul 2014 19:16:49 +0200
+
+tcpdump (4.5.1-2) unstable; urgency=low
+
+ * Disable nflog-e testcase, the NFLOG header length is specified in host
+ byte order which makes capture files order-dependent (closes: #731031).
+
+ -- Romain Francoise <rfrancoise@debian.org> Sun, 01 Dec 2013 12:13:16 +0100
+
+tcpdump (4.5.1-1) unstable; urgency=low
+
+ * New upstream release.
+ * Disable new pppoes testcase which uses a new pcap feature to avoid tying
+ the two upstream versions together.
+ * debian/control: Set Standards-Version to 3.9.5.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sat, 30 Nov 2013 23:54:03 +0100
+
+tcpdump (4.4.0-1) unstable; urgency=low
+
+ * New upstream release:
+ + Fixes format error in NTP printer (closes: #686276).
+ + Rewords -e description (closes: #648768).
+ * debian/control: Set Standards-Version to 3.9.4.
+ * Use canonical locations in Vcs-* fields.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sat, 25 May 2013 13:50:30 +0200
+
+tcpdump (4.3.0-1) unstable; urgency=low
+
+ * New upstream release.
+ * Re-enable test suite.
+
+ -- Romain Francoise <rfrancoise@debian.org> Wed, 13 Jun 2012 22:55:54 +0200
+
+tcpdump (4.2.1-3) unstable; urgency=low
+
+ * Fix CPPFLAGS handling in upstream configure.in to avoid losing
+ hardening flags, patch by Simon Ruderich <simon@ruderich.org>
+ (closes: #662016).
+ * Fix some misspellings pointed out by lintian.
+ * debian/control: Set Standards-Version to 3.9.3.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sat, 03 Mar 2012 17:11:48 +0100
+
+tcpdump (4.2.1-2) unstable; urgency=low
+
+ * Drop debian/patches/50_kfreebsd.diff (closes: #658848).
+
+ -- Romain Francoise <rfrancoise@debian.org> Mon, 06 Feb 2012 19:01:12 +0100
+
+tcpdump (4.2.1-1) unstable; urgency=low
+
+ * New upstream release.
+ * Upload to unstable.
+
+ -- Romain Francoise <rfrancoise@debian.org> Mon, 02 Jan 2012 20:19:22 +0100
+
+tcpdump (4.2.0~rc1-2) experimental; urgency=low
+
+ * Make sure OpenSSL support gets enabled: since it moved to multiarch
+ paths, the configure script doesn't find libcrypto.so and disables
+ crypto support. To fix this, simplify detection logic in configure.in
+ and run autoconf before configuring.
+ * Redo build flags handling:
+ + Enable hardening flags via dpkg-buildflags, not hardening-includes.
+ + Switch to debhelper compat level 9 to have build flags exported
+ automatically.
+ + Adjust build-depends accordingly.
+ * Enable parallel build in debhelper.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sun, 06 Nov 2011 19:14:23 +0100
+
+tcpdump (4.2.0~rc1-1) experimental; urgency=low
+
+ * New upstream beta release (closes: #636806); now switches to the -Z
+ user before opening the first output file (closes: #434603).
+ * debian/control: Set Standards-Version to 3.9.2.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sun, 14 Aug 2011 10:44:58 +0200
+
+tcpdump (4.1.1-2) unstable; urgency=low
+
+ * Fix FTBFS on GNU/Hurd; patch from Svante Signell (closes: #622287).
+ * debian/control: Tweak short and long descriptions, set
+ Standards-Version to 3.9.1.
+
+ -- Romain Francoise <rfrancoise@debian.org> Mon, 11 Apr 2011 22:37:29 +0200
+
+tcpdump (4.1.1-1) unstable; urgency=low
+
+ * New upstream release (closes: #576001).
+ * debian/rules: Disable dh_auto_test (for now).
+ * debian/control: Set Standards-Version to 3.8.4.
+ * debian/patches/30_uflag_flushopen.diff: New patch: when saving to a
+ capture file with -U, flush the file immediately after opening it.
+ Suggested by Ferenc Wagner <wferi@niif.hu> (closes: #533625).
+ * debian/patches/20_man_fixes.diff: Fix TCP flags description, thanks to
+ Christophe Rhodes <csr21@cantab.net> (closes: #575724).
+
+ -- Romain Francoise <rfrancoise@debian.org> Tue, 06 Apr 2010 19:58:14 +0200
+
+tcpdump (4.0.0-6) unstable; urgency=low
+
+ * debian/control: Build-depend on hardening-includes.
+ * debian/rules: Use hardening.make.
+
+ -- Romain Francoise <rfrancoise@debian.org> Thu, 24 Dec 2009 11:51:12 +0100
+
+tcpdump (4.0.0-5) unstable; urgency=low
+
+ * Switch to 3.0 (quilt) source format:
+ + Drop build-depends on quilt.
+ + Remove patch/unpatch logic from debian/rules.
+ + Remove README.source.
+ + Refresh debian/patches/30_tcp_seq.diff.
+ * Use dh(1):
+ + debian/compat: Bump to 7.
+ + debian/control: Build-depend on debhelper (>= 7.0.50~).
+ + debian/rules: Simplify.
+ + debian/tcpdump.dirs: Removed.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sun, 08 Nov 2009 17:25:38 +0100
+
+tcpdump (4.0.0-4) unstable; urgency=low
+
+ * debian/control:
+ + Add ${misc:Depends} to Depends.
+ + Set Standards-Version to 3.8.3; no changes needed.
+ * debian/{watch,README.source}: New files.
+ * debian/copyright: Remove link to original file.
+
+ -- Romain Francoise <rfrancoise@debian.org> Thu, 08 Oct 2009 19:00:23 +0200
+
+tcpdump (4.0.0-3) unstable; urgency=low
+
+ * debian/patches/20_man_fixes.diff: Update; pcap-filter is in section 7,
+ not 4 (closes: #527599).
+ * debian/control: Set Standards-Version to 3.8.1.
+
+ -- Romain Francoise <rfrancoise@debian.org> Tue, 16 Jun 2009 11:51:14 +0200
+
+tcpdump (4.0.0-2) unstable; urgency=low
+
+ * debian/patches/30_tcp_seq.diff: Patch from Ilpo Järvinen adding back
+ default display of sequence numbers in TCP printer (closes: #517661).
+ * debian/patches/series: Update.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sun, 01 Mar 2009 14:51:25 +0100
+
+tcpdump (4.0.0-1) unstable; urgency=low
+
+ * Upload to unstable.
+
+ -- Romain Francoise <rfrancoise@debian.org> Wed, 18 Feb 2009 18:55:35 +0100
+
+tcpdump (4.0.0-1~exp1) experimental; urgency=low
+
+ * New upstream release.
+ * debian/control: Set Standards-Version to 3.8.0.
+ * debian/rules: Don't set DH_VERBOSE.
+ * debian/patches/15_install.diff: New patch, don't install two identical
+ tcpdump binaries.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sun, 30 Nov 2008 22:55:39 +0100
+
+tcpdump (3.9.8-4) unstable; urgency=low
+
+ * debian/control: Build-Depend on libpcap0.8-dev (>= 0.9.3),
+ not (>= 0.9.3-1).
+
+ -- Romain Francoise <rfrancoise@debian.org> Sat, 08 Mar 2008 19:24:02 +0100
+
+tcpdump (3.9.8-3) unstable; urgency=low
+
+ * debian/copyright: Convert to UTF-8 encoding.
+ * debian/control: Set Standards-Version to 3.7.3, no changes needed.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sun, 23 Dec 2007 14:32:17 +0100
+
+tcpdump (3.9.8-2) unstable; urgency=low
+
+ * debian/control: Add Vcs-Browser and Vcs-Git fields.
+ * debian/patches/50_kfreebsd.diff: New patch by Petr Salinger fixing
+ FTBFS on Debian GNU/kFreeBSD (closes: #448695).
+
+ -- Romain Francoise <rfrancoise@debian.org> Sat, 03 Nov 2007 11:12:53 +0100
+
+tcpdump (3.9.8-1) unstable; urgency=low
+
+ * New upstream release.
+
+ -- Romain Francoise <rfrancoise@debian.org> Thu, 27 Sep 2007 22:41:53 +0200
+
+tcpdump (3.9.7-2) unstable; urgency=low
+
+ * debian/control: Move upstream URL to the Homepage header.
+
+ -- Romain Francoise <rfrancoise@debian.org> Fri, 21 Sep 2007 19:48:05 +0200
+
+tcpdump (3.9.7-1) unstable; urgency=low
+
+ * New upstream release.
+ * debian/patches/41_cve-2007-3798.diff: Deleted.
+ * debian/patches/40_cve-2007-1218.diff: Deleted.
+ * debian/patches/series: Update.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sun, 12 Aug 2007 12:45:31 +0200
+
+tcpdump (3.9.5-4) unstable; urgency=low
+
+ * debian/rules: Don't ignore errors in clean target.
+ * debian/patches/50_autotools-dev.diff: New patch, make config.{guess,sub}
+ exec newer versions of themselves if autotools-dev is installed.
+ * debian/patches/series: Update.
+ * debian/control: Add build-depends on autotools-dev.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sat, 11 Aug 2007 20:18:34 +0200
+
+tcpdump (3.9.5-3) unstable; urgency=medium
+
+ * Convert to quilt for patch management:
+ + debian/control: Build-Depend on quilt (>= 0.40) instead of dpatch.
+ + debian/rules: Include /usr/share/quilt/quilt.make.
+ + Convert all dpatch patches to regular patches.
+
+ * debian/patches/41_cve-2007-3798.diff: New patch, fixes an integer
+ overflow in the BGP dissector (CVE-2007-3798), thanks to Daniel Leidert
+ (closes: #434030).
+ * debian/patches/series: Update.
+
+ -- Romain Francoise <rfrancoise@debian.org> Wed, 01 Aug 2007 19:56:04 +0200
+
+tcpdump (3.9.5-2) unstable; urgency=medium
+
+ * debian/patches/40_cve-2007-1218.dpatch: New patch, fixes a potential
+ buffer overflow in the 802.11 printer (CVE-2007-1218), thanks to
+ Moritz Muehlenhoff <jmm@debian.org> (closes: #413430).
+ * debian/patches/00list: Update.
+
+ -- Romain Francoise <rfrancoise@debian.org> Mon, 5 Mar 2007 20:22:50 +0100
+
+tcpdump (3.9.5-1) unstable; urgency=low
+
+ * New upstream release.
+ * debian/patches/20_man_fixes.dpatch: Resync.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sat, 23 Sep 2006 21:13:07 +0200
+
+tcpdump (3.9.4-4) unstable; urgency=low
+
+ * debian/compat: Switch to debhelper compatibility level 5.
+ * debian/control:
+ + Build-Depend on debhelper (>= 5).
+ + Remove Uploaders field.
+ + Bump Standards-Version to 3.7.2, no changes needed.
+ * debian/rules: Misc. cleanups.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sat, 20 May 2006 13:07:45 +0200
+
+tcpdump (3.9.4-3) unstable; urgency=low
+
+ * debian/patches/20_man_fixes.dpatch: Merge patch from A Costa
+ <agcosta@gis.net> fixing a few typos (closes: #351014).
+
+ -- Romain Francoise <rfrancoise@debian.org> Thu, 2 Feb 2006 22:24:04 +0100
+
+tcpdump (3.9.4-2) unstable; urgency=low
+
+ * debian/patches/20_man_fixes.dpatch: Merge patch from A Costa
+ <agcosta@gis.net> fixing a few typos (closes: #342310).
+
+ -- Romain Francoise <rfrancoise@debian.org> Sat, 10 Dec 2005 14:26:20 +0100
+
+tcpdump (3.9.4-1) unstable; urgency=low
+
+ * New upstream release.
+
+ * debian/patches/40_spelling.dpatch: Dropped (included upstream).
+ * debian/patches/30_version.dpatch: Dropped.
+ * debian/patches/30_vlan_eflag: New patch, reverse test for eflag in
+ print-ether.c to match the intended effect (closes: #324706).
+
+ * This upload also transitions tcpdump to OpenSSL 0.9.8.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sun, 9 Oct 2005 20:11:49 +0200
+
+tcpdump (3.9.3-2) unstable; urgency=low
+
+ * debian/patches/40_spelling.dpatch: New patch, fixes spelling errors
+ ("advertisment" vs. "advertisement"), thanks to Michael Shields
+ <shields@msrl.com> (closes: #318676).
+ * debian/patches/00list: Update.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sun, 17 Jul 2005 12:28:22 +0200
+
+tcpdump (3.9.3-1) unstable; urgency=low
+
+ * New upstream release.
+ * Build-Depend on libpcap0.8-dev (which is really libpcap 0.9.3).
+
+ * debian/patches/30_ascii-output.dpatch: Dropped (merged upstream).
+ * debian/patches/30_version: New patch, fixes upstream version (still at
+ 3.9.2 while this is version 3.9.3).
+ * debian/patches/00list: Update.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sat, 16 Jul 2005 14:59:30 +0200
+
+tcpdump (3.9.1-1) unstable; urgency=low
+
+ * New upstream release.
+ * debian/patches/30_ascii-output.dpatch: New patch, fixes -x, -X and -A
+ priorities and removes extra newline and tab characters in the ascii
+ output (closes: #285764, #316908).
+ * debian/patches/00list: Update.
+
+ -- Romain Francoise <rfrancoise@debian.org> Wed, 6 Jul 2005 20:17:19 +0200
+
+tcpdump (3.9.0.cvs.20050622-1) unstable; urgency=low
+
+ * New CVS snapshot.
+ * debian/control: Bump Standards-Version to 3.6.2.1, no changes needed.
+
+ -- Romain Francoise <rfrancoise@debian.org> Wed, 22 Jun 2005 19:52:31 +0200
+
+tcpdump (3.9.0.cvs.20050614-1) unstable; urgency=low
+
+ * New CVS snapshot.
+ * Upload to unstable.
+
+ -- Romain Francoise <rfrancoise@debian.org> Tue, 14 Jun 2005 19:43:24 +0200
+
+tcpdump (3.9.0.cvs.20050529-1) experimental; urgency=low
+
+ * New upstream CVS snapshot for experimental.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sun, 29 May 2005 12:55:31 +0200
+
+tcpdump (3.9.0.cvs.20050511-1) experimental; urgency=low
+
+ * Upstream CVS snapshot of tcpdump 3.9 for experimental.
+ * debian/patches/20_man_fixes.dpatch: Resynchronized.
+ * debian/patches/30_openssl_des.dpatch: Dropped (fixed upstream).
+ * debian/patches/40_ipv6cp.dpatch: Ditto.
+ * debian/patches/50_misc_dos.dpatch: Ditto.
+ * debian/patches/00list: Update.
+ * debian/control: Build with libpcap0.9, also in experimental.
+
+ -- Romain Francoise <rfrancoise@debian.org> Wed, 11 May 2005 20:00:31 +0200
+
+tcpdump (3.8.3-5) unstable; urgency=low
+
+ * debian/copyright: Clarify license conditions, some files in the
+ distribution are still under the 4-clause BSD license (closes: #283008).
+ * debian/changelog: Revise 3.8.3-4 entry to add CAN numbers (which have
+ been assigned in the meantime).
+
+ -- Romain Francoise <rfrancoise@debian.org> Sun, 1 May 2005 17:23:45 +0200
+
+tcpdump (3.8.3-4) unstable; urgency=high
+
+ * Urgency set to high due to security fixes.
+ * debian/patches/50_misc_dos.dpatch: Security fixes stolen from the 3.8
+ branch fix infinite loops in the BGP, ISIS, LDP and RSVP dissectors
+ [CAN-2005-1278, CAN-2005-1279, CAN-2005-1280] (closes: #306529).
+ * debian/patches/00list: Add 50_misc_dos.
+
+ -- Romain Francoise <rfrancoise@debian.org> Wed, 27 Apr 2005 21:05:37 +0200
+
+tcpdump (3.8.3-3) unstable; urgency=low
+
+ * debian/patches/40_ipv6cp.dpatch: New patch, do not try to print IPV6CP
+ ppp packets, the dissector doesn't support it (closes: #255179).
+ * debian/patches/00list: Add 40_ipv6cp.
+
+ -- Romain Francoise <rfrancoise@debian.org> Sat, 19 Jun 2004 15:01:27 +0200
+
+tcpdump (3.8.3-2) unstable; urgency=low
+
+ * debian/rules: Enable crypto support (closes: #82581, #93428).
+ * debian/control:
+ + Build-Depend on libssl-dev.
+ + Put back URL markers in description.
+ + Switch Maintainer and Uploaders fields to match reality.
+ * debian/patches/30_openssl_des.dpatch: Patch to make upstream's
+ configure script check for DES_cbc_encrypt instead of des_cbc_encrypt,
+ (the function got renamed in OpenSSL 0.9.7), which saves us the hassle
+ of re-running autoconf. Temporary hack since upstream has fixed this
+ in CVS already.
+ * debian/patches/00list: Add 30_openssl_des.
+
+ -- Romain Francoise <rfrancoise@debian.org> Fri, 14 May 2004 22:14:08 +0200
+
+tcpdump (3.8.3-1) unstable; urgency=low
+
+ * New upstream release.
+ * debian/rules:
+ + Add -D_FILE_OFFSET_BITS=64 to default CFLAGS to match libpcap
+ (closes: #154762).
+ + Use dpatch for patch management.
+ + Clean up CFLAGS handling.
+ + Support DEB_BUILD_OPTIONS.
+ * debian/control:
+ + Build-Depend on libpcap0.8-dev, dpatch.
+ + Add versioned Build-Depends on debhelper.
+ + Remove Emacs-style URL markers from description.
+ * debian/compat: New file.
+ * debian/copyright: Update.
+ * debian/tcpdump.docs: Do not install upstream INSTALL file.
+ * debian/patches: New directory.
+ * debian/patches/10_man_install.dpatch: Patch split off the Debian diff
+ to change man install paths in upstream Makefile.in.
+ * debian/patches/20_man_fixes.dpatch: Patch split off the Debian diff to
+ fix some inconsistencies in the upstream man page.
+ * debian/patches/00list: New file (patch list).
+
+ -- Romain Francoise <rfrancoise@debian.org> Tue, 11 May 2004 14:02:09 +0200
+
+tcpdump (3.7.2-4) unstable; urgency=high
+
+ * Urgency high due to security fixes.
+ * Backport changes from upstream CVS to fix ISAKMP payload handling
+ denial-of-service vulnerabilities (CAN-2004-0183, CAN-2004-0184).
+ Detailed changes (with corresponding upstream revisions):
+ + Add length checks in isakmp_id_print() (print-isakmp.c, rev. 1.47)
+ + Add data checks all over the place, change rawprint() prototype and
+ add corresponding return value checks (print-isakmp.c, rev. 1.46)
+ + Add missing ntohs() and change length initialization in
+ isakmp_id_print(), not porting prototype changes (print-isakmp.c,
+ rev. 1.45)
+
+ -- Romain Francoise <rfrancoise@debian.org> Tue, 6 Apr 2004 19:39:24 +0200
+
+tcpdump (3.7.2-3) unstable; urgency=low
+
+ * Backport changes from upstream CVS to fix several vulnerabilities in
+ ISAKMP, L2TP and Radius parsing (closes: #227844, #227845, #227846).
+
+ -- Romain Francoise <rfrancoise@debian.org> Sat, 17 Jan 2004 14:12:30 +0100
+
+tcpdump (3.7.2-2) unstable; urgency=low
+
+ * Acknowledge NMU by Romain (closes: #208543).
+ * Apply man page fixes by Romain:
+ + networks(4) changed to networks(5) (closes: #194180).
+ + ethers(3N) changed to ethers(5) (closes: #197888).
+ * debian/control: Added Romain Francoise as co maintainer. Thanks for
+ your help, Romain!
+
+ -- Torsten Landschoff <torsten@debian.org> Sun, 19 Oct 2003 04:12:31 +0200
+
+tcpdump (3.7.2-1.1) unstable; urgency=low
+
+ * NMU
+ * Reverse order of #include directives in print-sctp.c so that
+ IPPROTO_SCTP is defined (closes: #208543).
+
+ -- Romain Francoise <rfrancoise@debian.org> Sun, 12 Oct 2003 17:06:01 +0200
+
+tcpdump (3.7.2-1) unstable; urgency=low
+
+ * New upstream release (closes: #195816).
+
+ -- Torsten Landschoff <torsten@debian.org> Sun, 8 Jun 2003 00:14:44 +0200
+
+tcpdump (3.7.1-1.2) unstable; urgency=high
+
+ * Non-maintainer upload
+ * Apply security fixes from 3.7.2
+ - Fixed infinite loop when parsing malformed isakmp packets.
+ (CAN-2003-0108)
+ - Fixed infinite loop when parsing malformed BGP packets.
+ - Fixed buffer overflow with certain malformed NFS packets.
+
+ -- Matt Zimmerman <mdz@debian.org> Thu, 27 Feb 2003 11:00:32 -0500
+
+tcpdump (3.7.1-1.1) unstable; urgency=low
+
+ * NMU
+ * Simple rebuild to deal with libpcap0->libpcap0.7 transition.
+ Sourceful NMU so that every arch rebuilds it.
+
+ -- LaMont Jones <lamont@debian.org> Wed, 14 Aug 2002 21:25:45 -0600
+
+tcpdump (3.7.1-1) unstable; urgency=low
+
+ * New upstream release (closes: #138052).
+
+ -- Torsten Landschoff <torsten@debian.org> Sat, 3 Aug 2002 23:54:04 +0200
+
+tcpdump (3.6.2-2) unstable; urgency=HIGH
+
+ * print-rx.c: Take the version from current CVS fixing the remote
+ buffer overflow reported in FreeBSD Security Advisory SA-01:48
+ yesterday. Thanks to Matt Zimmerman for forwarding the report,
+ I might have missed it.
+ * debian/control: Clean the Build-Depends from build-essential
+ packages.
+
+ -- Torsten Landschoff <torsten@debian.org> Thu, 19 Jul 2001 15:03:48 +0200
+
+tcpdump (3.6.2-1) unstable; urgency=low
+
+ * New upstream release.
+
+ -- Torsten Landschoff <torsten@debian.org> Tue, 6 Mar 2001 04:18:16 +0100
+
+tcpdump (3.6.1-2) unstable; urgency=low
+
+ * debian/rules: Force support for IPv6 (closes: #82665).
+ * print-icmp6.c: Removed duplicate definition also in icmp6.h to
+ get the package to compile with IPv6.
+ * Rebuild should fix the missing libpcap0-dependency (closes: #82666).
+ Additional info: The missing dependency was because the configure
+ script found my libpcap sources in the parent directory. Black magic
+ always works against you :(
+
+ -- Torsten Landschoff <torsten@debian.org> Thu, 18 Jan 2001 00:44:01 +0100
+
+tcpdump (3.6.1-1) unstable; urgency=high
+
+ * Taking back the package. Kudos to Anand for his help.
+ * New upstream release. This release fixes a security hole in print-rx.c.
+ * debian/rules: Disable crypto support (closes: #81969).
+ * Removed empty README.Debian (closes: #81966).
+
+ -- Torsten Landschoff <torsten@debian.org> Tue, 16 Jan 2001 16:04:03 +0100
+
+tcpdump (3.5.2-3) unstable; urgency=low
+
+ * Fixup dependancy stuff. Sheesh. (Closes: #78063, #78081, #78082)
+
+ -- Anand Kumria <wildfire@progsoc.org> Tue, 28 Nov 2000 02:16:01 +1100
+
+tcpdump (3.5.2-2) unstable; urgency=low
+
+ * Update both config.guess and config.sub (Closes: #36692, #53145)
+ * Opps, make the .diff available.
+ * We require a particular libpcap version to work (Closes: #77877)
+
+ -- Anand Kumria <wildfire@progsoc.org> Mon, 27 Nov 2000 01:13:55 +1100
+
+tcpdump (3.5.2-1) unstable; urgency=low
+
+ * New Maintainer
+ * New upstream release (Closes: #75889)
+ * Upstream added hex dump (-x) and ascii dump (-X) Closes: #23514, #29418)
+ * Acknowledge and incorporate security fixes (Closes: #63708, #77489)
+ * Appletalk / Ethertalk patches are in (Closes: #67642)
+
+ -- Anand Kumria <wildfire@progsoc.org> Wed, 22 Nov 2000 13:19:33 +1100
+
+tcpdump (3.4a6-4.1) frozen unstable; urgency=high
+
+ * Non-maintainer upload by security team
+ * Apply patch from tcpdump-workers mailinglist to fix DNS DoS attack
+ against tcpdump. Based on patch from Guy Harris <gharris@flashcom.net> as
+ found on http://www.tcpdump.org/lists/workers/1999/msg00607.html
+ * Fix Build-Depends entry in debian/control
+
+ -- Wichert Akkerman <wakkerma@debian.org> Sun, 7 May 2000 15:17:33 +0200
+
+tcpdump (3.4a6-4) unstable; urgency=low
+
+ * New maintainer.
+ * tcpdump.c (main): Reestablish priviliges before closing the device
+ (closes: #19959).
+ * It seems the problem with ppp came from the kernel - I can dump
+ packages on ppp0 just fine... (closes: #25757)
+ * print-tcp.c (tcp_print): Applied patch from David S. Miller submitted
+ by Andrea Arcangeli to fix tcpdump sack TCP option interpretation
+ (closes: #28530).
+ * print-bootp.c (rfc1048_print): Interpret timezone offset as signed
+ (closes: #40376). Fixed byte order problem in printing internet
+ addresses (closes: #40375). Thanks to Roderick Schertler for the patch.
+ * Several files: Applied SMB patch from samba.org (closes: #27653).
+ * print-ip.c (ip_print): Check for ip headers with less than 5 longs.
+ Patch taken from RedHat's source package.
+ * Redid debian/rules using debhelper.
+ * Makefile.in: Install the manpage into man8 instead of man1.
+ * tcpdump.1: Moved to section 8 (admin commands).
+ * print-smb.c (print_smb): Disabled anything but printing the command
+ info by default. Otherwise we would get flooded with smb information.
+ You can get all info using -vvv. Two -v's will give you the SMB headers.
+ * tcpdump.1: Documented the behaviour described above.
+
+ -- Torsten Landschoff <torsten@debian.org> Mon, 22 Nov 1999 01:31:44 +0100
+
+tcpdump (3.4a6-3) frozen unstable; urgency=low
+
+ * fixed permissions
+
+ -- Peter Tobias <tobias@et-inf.fho-emden.de> Mon, 30 Mar 1998 02:28:39 +0200
+
+
+tcpdump (3.4a6-2) frozen unstable; urgency=low
+
+ * rebuild with latest debmake, fixes #19415
+ (should also fix the lintian warnings)
+ * updated standards-version
+
+ -- Peter Tobias <tobias@et-inf.fho-emden.de> Mon, 30 Mar 1998 00:28:39 +0200
+
+
+tcpdump (3.4a6-1) unstable; urgency=low
+
+ * updated to latest upstream version, fixes: Bug#17163
+ * install changelog.Debian compressed, fixes: Bug#15417
+
+ -- Peter Tobias <tobias@et-inf.fho-emden.de> Sun, 1 Feb 1998 00:08:31 +0100
+
+
+tcpdump (3.4a4-1) unstable; urgency=low
+
+ * updated to latest upstream version
+ * libc6 version
+
+ -- Peter Tobias <tobias@et-inf.fho-emden.de> Wed, 17 Sep 1997 23:22:54 +0200
+
+
+tcpdump (3.3.1a2-1) frozen stable unstable; urgency=medium
+
+ * updated to latest upstream version (works with new libpcap now)
+
+ -- Peter Tobias <tobias@et-inf.fho-emden.de> Sat, 24 May 1997 00:49:17 +0200
+
+
+tcpdump (3.3-2) unstable; urgency=low
+
+ * fixed SLIP support
+
+ -- Peter Tobias <tobias@et-inf.fho-emden.de> Sun, 16 Feb 1997 21:06:51 +0100
+
+
+tcpdump (3.3-1) unstable; urgency=low
+
+ * updated to latest upstream version
+
+ -- Peter Tobias <tobias@et-inf.fho-emden.de> Thu, 16 Jan 1997 01:34:00 +0100
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..368fca9
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,34 @@
+Source: tcpdump
+Section: net
+Priority: optional
+Maintainer: Romain Francoise <rfrancoise@debian.org>
+Build-Depends: debhelper-compat (= 13),
+ dh-apparmor,
+ dpkg-dev (>= 1.16.1~),
+ libpcap0.8-dev (>= 1.9.1),
+ libssl-dev
+Standards-Version: 4.6.2
+Rules-Requires-Root: no
+Homepage: https://www.tcpdump.org/
+Vcs-Browser: https://salsa.debian.org/rfrancoise/tcpdump
+Vcs-Git: https://salsa.debian.org/rfrancoise/tcpdump.git
+
+Package: tcpdump
+Architecture: any
+Depends: adduser,
+ ${misc:Depends},
+ ${shlibs:Depends}
+Breaks: apparmor-profiles-extra (<< 1.12~)
+Replaces: apparmor-profiles-extra (<< 1.12~)
+Suggests: apparmor (>= 2.3)
+Multi-Arch: foreign
+Description: command-line network traffic analyzer
+ This program allows you to dump the traffic on a network. tcpdump
+ is able to examine IPv4, ICMPv4, IPv6, ICMPv6, UDP, TCP, SNMP, AFS
+ BGP, RIP, PIM, DVMRP, IGMP, SMB, OSPF, NFS and many other packet
+ types.
+ .
+ It can be used to print out the headers of packets on a network
+ interface, filter packets that match a certain expression. You can
+ use this tool to track down network problems, to detect attacks
+ or to monitor network activities.
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..89dfce3
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,149 @@
+This package was debianized by Anand Kumria <wildfire@progsoc.org> on
+Wed, 22 Nov 2000 13:19:33 +1100, then maintained by Torsten Landschoff
+<torsten@debian.org> and Romain Francoise <rfrancoise@debian.org>.
+
+It was downloaded from http://www.tcpdump.org/
+
+Upstream Authors: tcpdump-workers@tcpdump.org
+
+Licensed under the 3-clause BSD license:
+
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in
+ the documentation and/or other materials provided with the
+ distribution.
+ 3. The names of the authors may not be used to endorse or promote
+ products derived from this software without specific prior
+ written permission.
+
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+
+Some files in this package are licensed under the 4-clause BSD license,
+the copyright on most of them belongs to The Regents of the University
+of California. Since the license was retroactively changed in 1999 to
+remove the advertising clause, they are effectively under the 3-clause
+license even if the text of the license in the files hasn't been
+updated. See the following document for more details:
+
+ <URL: ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change>
+
+Other files under the 4-clause BSD license and whose copyright doesn't
+belong to the The Regents of the University of California are listed
+below:
+- aodv.h, Copyright (c) 2003 Bruce M. Simpson
+- atmuni31.h, Copyright (c) 1997 Yen Yen Lim and North Dakota State University
+- ieee802_11.h, Copyright (c) 2001 Fortress Technologies and Charlie Lenahan
+- print-802_11.c, Copyright (c) 2001 Fortress Technologies and Charlie Lenahan
+- print-aodv.c, Copyright (c) 2003 Bruce M. Simpson
+- print-ascii.c, Copyright (c) 1997, 1998 The NetBSD Foundation, Inc.
+- print-cnfp.c, Copyright (c) 1998 Michael Shalayeff
+- print-gre.c, Copyright (c) 2002 Jason L. Wright
+- print-mobile.c, Copyright (c) 1998 The NetBSD Foundation, Inc.
+- print-sunatm.c, Copyright (c) 1997 Yen Yen Lim and North Dakota State
+ University
+- print-telnet.c, Copyright (c) 1997, 1998 The NetBSD Foundation, Inc.
+- print-timed.c, Copyright (c) 2000 Ben Smithurst
+- missing/inet_aton.c, Copyright (c) 1995, 1996, 1997 Kungliga Tekniska
+ Högskolan (Royal Institute of Technology, Stockholm,
+ Sweden).
+- missing/inet_ntop.c, Copyright (c) 1995, 1996, 1997 Kungliga Tekniska
+ Högskolan (Royal Institute of Technology, Stockholm,
+ Sweden).
+- missing/inet_pton.c, Copyright (c) 1995, 1996, 1997 Kungliga Tekniska
+ Högskolan (Royal Institute of Technology, Stockholm,
+ Sweden).
+
+Current upstream maintainers:
+ Bill Fenner <fenner@research.att.com>
+ Fulvio Risso <risso@polito.it>
+ Guy Harris <guy@alum.mit.edu>
+ Hannes Gredler <hannes@juniper.net>
+ Jun-ichiro itojun Hagino <itojun@iijlab.net>
+ Michael Richardson <mcr@sandelman.ottawa.on.ca>
+
+Additional people who have contributed patches:
+
+ Alan Bawden <Alan@LCS.MIT.EDU>
+ Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
+ Albert Chin <china@thewrittenword.com>
+ Andrew Brown <atatat@atatdot.net>
+ Antti Kantee <pooka@netbsd.org>
+ Arkadiusz Miskiewicz <misiek@pld.org.pl>
+ Armando L. Caro Jr. <acaro@mail.eecis.udel.edu>
+ Assar Westerlund <assar@sics.se>
+ Brian Ginsbach <ginsbach@cray.com>
+ Charles M. Hannum <mycroft@netbsd.org>
+ Chris G. Demetriou <cgd@netbsd.org>
+ Chris Pepper <pepper@mail.reppep.com>
+ Darren Reed <darrenr@reed.wattle.id.au>
+ David Kaelbling <drk@sgi.com>
+ David Young <dyoung@ojctech.com>
+ Don Ebright <Don.Ebright@compuware.com>
+ Eric Anderson <anderse@hpl.hp.com>
+ Franz Schaefer <schaefer@mond.at>
+ Gianluca Varenni <varenni@netgroup-serv.polito.it>
+ Gisle Vanem <giva@bgnett.no>
+ Graeme Hewson <ghewson@cix.compulink.co.uk>
+ Greg Stark <gsstark@mit.edu>
+ Greg Troxel <gdt@ir.bbn.com>
+ Guillaume Pelat <endymion_@users.sourceforge.net>
+ Hyung Sik Yoon <hsyn@kr.ibm.com>
+ Igor Khristophorov <igor@atdot.org>
+ Jan-Philip Velders <jpv@veldersjes.net>
+ Jason R. Thorpe <thorpej@netbsd.org>
+ Javier Achirica <achirica@ttd.net>
+ Jean Tourrilhes <jt@hpl.hp.com>
+ Jefferson Ogata <jogata@nodc.noaa.gov>
+ Jesper Peterson <jesper@endace.com>
+ John Bankier <jbankier@rainfinity.com>
+ Jon Lindgren <jonl@yubyub.net>
+ Juergen Schoenwaelder <schoenw@ibr.cs.tu-bs.de>
+ Kazushi Sugyo <sugyo@pb.jp.nec.com>
+ Klaus Klein <kleink@netbsd.org>
+ Koryn Grant <koryn@endace.com>
+ Krzysztof Halasa <khc@pm.waw.pl>
+ Lorenzo Cavallaro <sullivan@sikurezza.org>
+ Loris Degioanni <loris@netgroup-serv.polito.it>
+ Love Hörnquist-Åstrand <lha@stacken.kth.se>
+ Maciej W. Rozycki <macro@ds2.pg.gda.pl>
+ Marcus Felipe Pereira <marcus@task.com.br>
+ Martin Husemann <martin@netbsd.org>
+ Mike Wiacek <mike@iroot.net>
+ Monroe Williams <monroe@pobox.com>
+ Octavian Cerna <tavy@ylabs.com>
+ Olaf Kirch <okir@caldera.de>
+ Onno van der Linden <onno@simplex.nl>
+ Paul Mundt <lethal@linux-sh.org>
+ Pavel Kankovsky <kan@dcit.cz>
+ Peter Fales <peter@fales-lorenz.net>
+ Peter Jeremy <peter.jeremy@alcatel.com.au>
+ Phil Wood <cpw@lanl.gov>
+ Rafal Maszkowski <rzm@icm.edu.pl>
+ Rick Jones <raj@cup.hp.com>
+ Scott Barron <sb125499@ohiou.edu>
+ Scott Gifford <sgifford@tir.com>
+ Sebastian Krahmer <krahmer@cs.uni-potsdam.de>
+ Shaun Clowes <delius@progsoc.uts.edu.au>
+ Solomon Peachy <pizza@shaftnet.org>
+ Stefan Hudson <hudson@mbay.net>
+ Takashi Yamamoto <yamt@mwd.biglobe.ne.jp>
+ Tony Li <tli@procket.com>
+ Torsten Landschoff <torsten@debian.org>
+ Uns Lider <unslider@miranda.org>
+ Uwe Girlich <Uwe.Girlich@philosys.de>
+ Xianjie Zhang <xzhang@cup.hp.com>
+ Yen Yen Lim
+ Yoann Vandoorselaere <yoann@prelude-ids.org>
+
+The original LBL crew:
+ Steve McCanne
+ Craig Leres
+ Van Jacobson
diff --git a/debian/patches/drop-privs-after-opening-savefile.diff b/debian/patches/drop-privs-after-opening-savefile.diff
new file mode 100644
index 0000000..a4c856a
--- /dev/null
+++ b/debian/patches/drop-privs-after-opening-savefile.diff
@@ -0,0 +1,91 @@
+Description: Drop root privileges after opening savefile
+Forwarded: not-needed
+Bug-Debian: https://bugs.debian.org/935112
+Origin: https://src.fedoraproject.org/rpms/tcpdump/raw/master/f/0003-Drop-root-priviledges-before-opening-first-savefile-.patch
+---
+ tcpdump.1.in | 7 ++++++-
+ tcpdump.c | 30 ++++++++++++++++++++++++++++++
+ 2 files changed, 36 insertions(+), 1 deletion(-)
+
+--- a/tcpdump.1.in
++++ b/tcpdump.1.in
+@@ -269,6 +269,9 @@
+ flag, with a number after it, starting at 1 and continuing upward.
+ The units of \fIfile_size\fP are millions of bytes (1,000,000 bytes,
+ not 1,048,576 bytes).
++
++Note that when used with \fB\-Z\fR option (enabled by default), privileges
++are dropped before opening first savefile.
+ .TP
+ .B \-d
+ Dump the compiled packet-matching code in a human readable form to
+@@ -966,12 +969,14 @@
+ If
+ .I tcpdump
+ is running as root, after opening the capture device or input savefile,
+-but before opening any savefiles for output, change the user ID to
++change the user ID to
+ .I user
+ and the group ID to the primary group of
+ .IR user .
+ .IP
+-This behavior can also be enabled by default at compile time.
++This behavior is enabled by default (\fB\-Z tcpdump\fR), and can
++be disabled by \fB\-Z root\fR.
++
+ .IP "\fI expression\fP"
+ .RS
+ selects which packets will be dumped.
+--- a/tcpdump.c
++++ b/tcpdump.c
+@@ -1510,6 +1510,7 @@
+ cap_rights_t rights;
+ int cansandbox;
+ #endif /* HAVE_CAPSICUM */
++ int chown_flag = 0;
+ int Oflag = 1; /* run filter code optimizer */
+ int yflag_dlt = -1;
+ const char *yflag_dlt_name = NULL;
+@@ -2338,6 +2339,19 @@
+ }
+ capng_apply(CAPNG_SELECT_BOTH);
+ #endif /* HAVE_LIBCAP_NG */
++ /* If user is running tcpdump as root and wants to write to the savefile,
++ * we will check if -C is set and if it is, we will drop root
++ * privileges right away and consequent call to>pcap_dump_open()
++ * will most likely fail for the first file. If -C flag is not set we
++ * will create file as root then change ownership of file to proper
++ * user(default tcpdump) and drop root privileges.
++ */
++ if (WFileName)
++ if (Cflag && (username || chroot_dir))
++ droproot(username, chroot_dir);
++ else
++ chown_flag = 1;
++ else
+ if (username || chroot_dir)
+ droproot(username, chroot_dir);
+
+@@ -2395,6 +2409,22 @@
+ #endif /* HAVE_LIBCAP_NG */
+ if (pdd == NULL)
+ error("%s", pcap_geterr(pd));
++
++ /* Change ownership of file and drop root privileges */
++ if (chown_flag) {
++ struct passwd *pwd;
++
++ pwd = getpwnam(username);
++ if (!pwd)
++ error("Couldn't find user '%s'", username);
++
++ if (strcmp(WFileName, "-") && chown(dumpinfo.CurrentFileName, pwd->pw_uid, pwd->pw_gid) < 0)
++ error("Couldn't change ownership of savefile");
++
++ if (username || chroot_dir)
++ droproot(username, chroot_dir);
++ }
++
+ #ifdef HAVE_CAPSICUM
+ set_dumper_capsicum_rights(pdd);
+ #endif
diff --git a/debian/patches/drop-privs-only-if-non-root.diff b/debian/patches/drop-privs-only-if-non-root.diff
new file mode 100644
index 0000000..e7001b7
--- /dev/null
+++ b/debian/patches/drop-privs-only-if-non-root.diff
@@ -0,0 +1,41 @@
+From dec0e5183c026ccef342ba3a877c13c1cdab61d5 Mon Sep 17 00:00:00 2001
+From: Martin Willi <martin@strongswan.org>
+Date: Tue, 12 Nov 2019 13:43:31 +0100
+Subject: [PATCH] Skip privilege dropping when using -Z root on --with-user
+ builds
+
+Distributions which started building --with-user to switch to an
+unpriviliged user claim that the old behavior of running under root
+can be restored by passing "-Z root" on the command line. However,
+doing so is different from not using --with-user, as tcpdump still
+drops privileges and sets supplementary user groups.
+
+In Linux containers using user namespaces with an in-container root
+user mapped to an unprivileged external user, calling setgroups() is
+usually denied, as it would allow that unprivileged user to leave
+groups (see user_namespaces(7) for details). Passing "-Z root" on
+a --with-user build still goes through initgroups() and therefore
+setgroups(), which will fail in such a container environment. This
+makes tcpdump builds using --with-user effectively unusable in such
+containers.
+
+Adjust the "-Z root" fallback to skip any privilege dropping and
+supplementary group setup, making it identical to builds not using
+--with-user.
+---
+ tcpdump.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/tcpdump.c b/tcpdump.c
+index 219ac2a2b..36ba60c17 100644
+--- a/tcpdump.c
++++ b/tcpdump.c
+@@ -2078,6 +2078,8 @@ main(int argc, char **argv)
+ /* Run with '-Z root' to restore old behaviour */
+ if (!username)
+ username = WITH_USER;
++ else if (strcmp(username, "root") == 0)
++ username = NULL;
+ }
+ #endif
+
diff --git a/debian/patches/drop-privs-silently.diff b/debian/patches/drop-privs-silently.diff
new file mode 100644
index 0000000..b4a5412
--- /dev/null
+++ b/debian/patches/drop-privs-silently.diff
@@ -0,0 +1,29 @@
+Description: Drop root privileges silently as it's the default
+Forwarded: not-needed
+Bug-Debian: https://bugs.debian.org/935112
+Origin: vendor, https://src.fedoraproject.org/rpms/tcpdump/raw/master/f/0008-Don-t-print-out-we-dropped-root-we-are-always-droppi.patch
+---
+ tcpdump.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/tcpdump.c
++++ b/tcpdump.c
+@@ -788,8 +788,6 @@
+ int ret = capng_change_id(pw->pw_uid, pw->pw_gid, CAPNG_NO_FLAG);
+ if (ret < 0)
+ error("capng_change_id(): return %d\n", ret);
+- else
+- fprintf(stderr, "dropped privs to %s\n", username);
+ }
+ #else
+ if (initgroups(pw->pw_name, pw->pw_gid) != 0 ||
+@@ -799,9 +797,6 @@
+ (unsigned long)pw->pw_uid,
+ (unsigned long)pw->pw_gid,
+ pcap_strerror(errno));
+- else {
+- fprintf(stderr, "dropped privs to %s\n", username);
+- }
+ #endif /* HAVE_LIBCAP_NG */
+ } else
+ error("Couldn't find user '%.32s'", username);
diff --git a/debian/patches/install.diff b/debian/patches/install.diff
new file mode 100644
index 0000000..69a550f
--- /dev/null
+++ b/debian/patches/install.diff
@@ -0,0 +1,26 @@
+Description: Change man page install paths for Debian and don't install a versioned binary.
+Forwarded: not-needed
+Author: Romain Francoise <rfrancoise@debian.org>
+
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -424,15 +424,14 @@
+ [ -d $(DESTDIR)$(bindir) ] || \
+ (mkdir -p $(DESTDIR)$(bindir); chmod 755 $(DESTDIR)$(bindir))
+ $(INSTALL_PROGRAM) $(PROG) $(DESTDIR)$(bindir)/$(PROG)
+- $(INSTALL_PROGRAM) $(PROG) $(DESTDIR)$(bindir)/$(PROG).`cat ${srcdir}/VERSION`
+- [ -d $(DESTDIR)$(mandir)/man1 ] || \
+- (mkdir -p $(DESTDIR)$(mandir)/man1; chmod 755 $(DESTDIR)$(mandir)/man1)
+- $(INSTALL_DATA) $(PROG).1 $(DESTDIR)$(mandir)/man1/$(PROG).1
++ [ -d $(DESTDIR)$(mandir)/man8 ] || \
++ (mkdir -p $(DESTDIR)$(mandir)/man8; chmod 755 $(DESTDIR)$(mandir)/man8)
++ $(INSTALL_DATA) $(PROG).1 $(DESTDIR)$(mandir)/man8/$(PROG).8
+
+ uninstall:
+ rm -f $(DESTDIR)$(bindir)/$(PROG)
+ rm -f $(DESTDIR)$(bindir)/$(PROG).`cat ${srcdir}/VERSION`
+- rm -f $(DESTDIR)$(mandir)/man1/$(PROG).1
++ rm -f $(DESTDIR)$(mandir)/man8/$(PROG).8
+
+ lint:
+ lint -hbxn $(SRC) $(LIBNETDISSECT_SRC) | \
diff --git a/debian/patches/man-section.diff b/debian/patches/man-section.diff
new file mode 100644
index 0000000..83df10d
--- /dev/null
+++ b/debian/patches/man-section.diff
@@ -0,0 +1,15 @@
+Description: Change man page section
+Forwarded: not-needed
+Author: Romain Francoise <rfrancoise@debian.org>
+
+--- a/tcpdump.1.in
++++ b/tcpdump.1.in
+@@ -20,7 +20,7 @@
+ .\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
+ .\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ .\"
+-.TH TCPDUMP 1 "12 March 2023"
++.TH TCPDUMP 8 "12 March 2023"
+ .SH NAME
+ tcpdump \- dump traffic on a network
+ .SH SYNOPSIS
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..297b6c9
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,5 @@
+drop-privs-after-opening-savefile.diff
+drop-privs-silently.diff
+drop-privs-only-if-non-root.diff
+install.diff
+man-section.diff
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..6b41603
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,14 @@
+#!/usr/bin/make -f
+
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+export DEB_CFLAGS_MAINT_APPEND = -D_FILE_OFFSET_BITS=64
+
+%:
+ dh $@
+
+override_dh_auto_configure:
+ dh_auto_configure -- --with-crypto=yes --with-user=tcpdump
+
+override_dh_installdeb:
+ dh_apparmor --profile-name=usr.bin.tcpdump -ptcpdump
+ dh_installdeb
diff --git a/debian/salsa-ci.yml b/debian/salsa-ci.yml
new file mode 100644
index 0000000..1e7946b
--- /dev/null
+++ b/debian/salsa-ci.yml
@@ -0,0 +1,7 @@
+---
+include:
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml
+ - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
+
+variables:
+ SALSA_CI_DISABLE_REPROTEST: 1
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..163aaf8
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/debian/tcpdump.docs b/debian/tcpdump.docs
new file mode 100644
index 0000000..b43bf86
--- /dev/null
+++ b/debian/tcpdump.docs
@@ -0,0 +1 @@
+README.md
diff --git a/debian/tcpdump.examples b/debian/tcpdump.examples
new file mode 100644
index 0000000..793b4e7
--- /dev/null
+++ b/debian/tcpdump.examples
@@ -0,0 +1,4 @@
+atime.awk
+packetdat.awk
+send-ack.awk
+stime.awk
diff --git a/debian/tcpdump.install b/debian/tcpdump.install
new file mode 100644
index 0000000..0d477cd
--- /dev/null
+++ b/debian/tcpdump.install
@@ -0,0 +1 @@
+debian/usr.bin.tcpdump etc/apparmor.d
diff --git a/debian/tcpdump.lintian-overrides b/debian/tcpdump.lintian-overrides
new file mode 100644
index 0000000..df693cf
--- /dev/null
+++ b/debian/tcpdump.lintian-overrides
@@ -0,0 +1 @@
+tcpdump binary: spelling-error-in-binary iif if [usr/bin/tcpdump]
diff --git a/debian/tcpdump.maintscript b/debian/tcpdump.maintscript
new file mode 100644
index 0000000..0d70dac
--- /dev/null
+++ b/debian/tcpdump.maintscript
@@ -0,0 +1 @@
+mv_conffile /etc/apparmor.d/usr.sbin.tcpdump /etc/apparmor.d/usr.bin.tcpdump 4.99.0~
diff --git a/debian/tcpdump.postinst b/debian/tcpdump.postinst
new file mode 100755
index 0000000..a3a5f95
--- /dev/null
+++ b/debian/tcpdump.postinst
@@ -0,0 +1,28 @@
+#!/bin/sh
+
+set -e
+
+if ! getent group tcpdump >/dev/null 2>&1; then
+ addgroup --system --quiet tcpdump
+fi
+if ! getent passwd tcpdump >/dev/null 2>&1; then
+ adduser --system --quiet --ingroup tcpdump \
+ --no-create-home --home /nonexistent \
+ tcpdump
+fi
+
+# dh_apparmor leaves behind the local profile for the old binary
+# location (/usr/sbin/tcpdump), we need to clean it up (#990554).
+#
+# Only remove it if it's empty, meaning that the system doesn't have
+# local configuration.
+if dpkg --compare-versions "$2" lt-nl "4.99.1-3~"; then
+ OLD_LOCAL_APP_PROFILE="/etc/apparmor.d/local/usr.sbin.tcpdump"
+ if [ -e "$OLD_LOCAL_APP_PROFILE" ]; then
+ if [ ! -s "$OLD_LOCAL_APP_PROFILE" ]; then
+ rm -f "$OLD_LOCAL_APP_PROFILE"
+ fi
+ fi
+fi
+
+#DEBHELPER#
diff --git a/debian/tcpdump.postrm b/debian/tcpdump.postrm
new file mode 100755
index 0000000..ce8ded9
--- /dev/null
+++ b/debian/tcpdump.postrm
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+set -e
+
+case "$1" in
+ purge)
+ userdel tcpdump >/dev/null 2>&1 || true
+ groupdel tcpdump >/dev/null 2>&1 || true
+ ;;
+esac
+
+#DEBHELPER#
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..dce60c3
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,2 @@
+Test-Command: env TCPDUMP_BIN=/usr/bin/tcpdump ./tests/TESTrun
+Restrictions: build-needed
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..ebe8b82
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,4 @@
+Bug-Database: https://github.com/the-tcpdump-group/tcpdump/issues
+Bug-Submit: https://github.com/the-tcpdump-group/tcpdump/issues/new
+Repository: https://github.com/the-tcpdump-group/tcpdump.git
+Repository-Browse: https://github.com/the-tcpdump-group/tcpdump
diff --git a/debian/upstream/signing-key.asc b/debian/upstream/signing-key.asc
new file mode 100644
index 0000000..e104b34
--- /dev/null
+++ b/debian/upstream/signing-key.asc
@@ -0,0 +1,24 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGRBFGRD2gBDCDcthM1N9jeWic9tD17LsHwWyh/IelKgFMVFShgHk31YsQUetKn
+5hGKlW0WU7+r3dsECiqxgyuqeUKvqiZneqma0GDk1n8ucXLc7oFFLrF7qbvssPPM
+831014FlzsN82OZZ1SnNUGacdyNzV5myPybKILWemsLuAJaGU60IkAJkTReiaMFR
+pB0QmBiqM5KY2SHAkeja2+UhupBw/lHyAwU/KVhkohmvUTJeUBJaKK2gRY7jJQmf
+ouTbIe0nKIqDzMmE9GvFhyQmMJzbxAwTfSxSZq3bMCpsyQtjoi2LGQFoMVkI6g7K
+IRNWgCqSTHF238VIdOkLzbwuoZAmS+oacXszIln2jLJsKkbiCCOb/lV+5u5O6/wJ
+M4RHxCBnkRgBmMLyXSM9qAo1FU5suPqf01msqvKMsa99lTF6kIWurR/7rw4S2bNl
+iaMqHNHliFNfaAE42S8as+Pw5Rhq2SJczWyd8rYw/q1IIZyKLO1oGn6ZRt+EQ7BS
+8nlREmT/MDqP0rgrpvRrABEBAAG0PVRoZSBUY3BkdW1wIEdyb3VwIChQYWNrYWdl
+IHNpZ25pbmcga2V5KSA8cmVsZWFzZUB0Y3BkdW1wLm9yZz6JAcIEEwECACgFAlGR
+D2gCGwMFCRLMAwAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEOCJ3vHZwV0N
+wPAMH22fmTbjByMSvR/gxDFA26ULgf02qZzqYlRLKB7EDbEjB1Ga6PrLB22Sn/b5
+8fxNw/9zH0EPkorv0YnBhinE51jLmZ99Sk5eGFIMcCkNAOOhadFZGGKarekEPwNB
+oDtxCuSuOQ0JVvyn5fLcbA5u3+LBvHvbnUKgCpiXahpq15bZiS1aoVkdXknUQVO+
+bU6Y2lj3m8Q1C6t+J29UvbyixgQhFeTkl25NZkTS6Cqds5F9q3nUBD/7gvQbATBy
+A+p+iWLHqt1s4c5UHRzriuLyBbnJgOEI13pNbgFIoKhbCSGQj0uQVZORmzzqs0nh
+QXtj+JPOAMd619mHjmhXItgqu2llywQ36tXTEdRoUjJmgMkoqXtZQ8XDVdJ6f/sG
+OJDHCctr5aVanWierzePl1PvWPWeC9mnB6Nnxuah+8zQFb4wXUnYO09OX47UgQlu
+mE9/lZfY7okIODVrXjqbPVxSBLzCzptBrkeZ3brkrl5oCdYlWsUiQCY0hO6jzMEd
+CnxEp1kkn2c=
+=2mPY
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/debian/usr.bin.tcpdump b/debian/usr.bin.tcpdump
new file mode 100644
index 0000000..510a5ad
--- /dev/null
+++ b/debian/usr.bin.tcpdump
@@ -0,0 +1,71 @@
+# vim:syntax=apparmor
+#include <tunables/global>
+
+profile tcpdump /usr/bin/tcpdump {
+ #include <abstractions/base>
+ #include <abstractions/nameservice>
+ #include <abstractions/user-tmp>
+
+ capability net_raw,
+ capability setuid,
+ capability setgid,
+ capability dac_override,
+ capability chown,
+ network raw,
+ network packet,
+
+ # for -D
+ @{PROC}/bus/usb/ r,
+ @{PROC}/bus/usb/** r,
+
+ # for finding an interface
+ /dev/ r,
+ @{PROC}/[0-9]*/net/dev r,
+ /sys/bus/usb/devices/ r,
+ /sys/class/net/ r,
+ /sys/devices/**/net/** r,
+
+ # for -j
+ capability net_admin,
+
+ # for tracing USB bus, which libpcap supports
+ /dev/usbmon* r,
+ /dev/bus/usb/ r,
+ /dev/bus/usb/** r,
+
+ # for init_etherarray(), with -e
+ /etc/ethers r,
+
+ # for USB probing (see libpcap-1.1.x/pcap-usb-linux.c:probe_devices())
+ /dev/bus/usb/**/[0-9]* w,
+
+ # for -z
+ /{usr/,}bin/gzip ixr,
+ /{usr/,}bin/bzip2 ixr,
+
+ # for -F and -w
+ audit deny @{HOME}/.* mrwkl,
+ audit deny @{HOME}/.*/ rw,
+ audit deny @{HOME}/.*/** mrwkl,
+ audit deny @{HOME}/bin/ rw,
+ audit deny @{HOME}/bin/** mrwkl,
+ owner @{HOME}/ r,
+ owner @{HOME}/** rw,
+
+ # for -r, -F and -w
+ /**.[pP][cC][aA][pP] rw,
+ /**.[pP][cC][aA][pP][nN][gG] rw,
+ /**.[cC][aA][pP] rw,
+ # -W adds a numerical suffix
+ /**.[pP][cC][aA][pP][0-9]* rw,
+ /**.[pP][cC][aA][pP][nN][gG][0-9]* rw,
+ /**.[cC][aA][pP][0-9]* rw,
+
+ # for convenience with -r (ie, read pcap files from other sources)
+ /var/log/snort/*log* r,
+
+ /usr/bin/tcpdump mr,
+
+ # Site-specific additions and overrides. See local/README for details.
+ #include <local/usr.bin.tcpdump>
+}
diff --git a/debian/watch b/debian/watch
new file mode 100644
index 0000000..634e3ac
--- /dev/null
+++ b/debian/watch
@@ -0,0 +1,2 @@
+version=4
+opts="pgpsigurlmangle=s%$%.sig%" https://www.tcpdump.org release/tcpdump-([\d\.]*).tar.gz