diff options
Diffstat (limited to '')
-rw-r--r-- | debian/NEWS | 13 | ||||
-rw-r--r-- | debian/README.Debian | 11 | ||||
-rw-r--r-- | debian/changelog | 1048 | ||||
-rw-r--r-- | debian/control | 34 | ||||
-rw-r--r-- | debian/copyright | 149 | ||||
-rw-r--r-- | debian/patches/drop-privs-after-opening-savefile.diff | 91 | ||||
-rw-r--r-- | debian/patches/drop-privs-only-if-non-root.diff | 41 | ||||
-rw-r--r-- | debian/patches/drop-privs-silently.diff | 29 | ||||
-rw-r--r-- | debian/patches/install.diff | 26 | ||||
-rw-r--r-- | debian/patches/man-section.diff | 15 | ||||
-rw-r--r-- | debian/patches/series | 5 | ||||
-rwxr-xr-x | debian/rules | 14 | ||||
-rw-r--r-- | debian/salsa-ci.yml | 7 | ||||
-rw-r--r-- | debian/source/format | 1 | ||||
-rw-r--r-- | debian/tcpdump.docs | 1 | ||||
-rw-r--r-- | debian/tcpdump.examples | 4 | ||||
-rw-r--r-- | debian/tcpdump.install | 1 | ||||
-rw-r--r-- | debian/tcpdump.lintian-overrides | 1 | ||||
-rw-r--r-- | debian/tcpdump.maintscript | 1 | ||||
-rwxr-xr-x | debian/tcpdump.postinst | 28 | ||||
-rwxr-xr-x | debian/tcpdump.postrm | 12 | ||||
-rw-r--r-- | debian/tests/control | 2 | ||||
-rw-r--r-- | debian/upstream/metadata | 4 | ||||
-rw-r--r-- | debian/upstream/signing-key.asc | 24 | ||||
-rw-r--r-- | debian/usr.bin.tcpdump | 71 | ||||
-rw-r--r-- | debian/watch | 2 |
26 files changed, 1635 insertions, 0 deletions
diff --git a/debian/NEWS b/debian/NEWS new file mode 100644 index 0000000..3bc5325 --- /dev/null +++ b/debian/NEWS @@ -0,0 +1,13 @@ +tcpdump (4.99.0-1) unstable; urgency=medium + + tcpdump is now installed to /usr/bin, not /usr/sbin. + + -- Romain Francoise <rfrancoise@debian.org> Sun, 03 Jan 2021 21:23:34 +0100 + +tcpdump (4.9.3~git20190901-1) unstable; urgency=low + + tcpdump now drops root privileges by default and runs as user 'tcpdump'. + To have tcpdump run as root as before, use `tcpdump -Z root'. + + -- Romain Francoise <rfrancoise@debian.org> Sun, 01 Sep 2019 12:54:02 +0200 + diff --git a/debian/README.Debian b/debian/README.Debian new file mode 100644 index 0000000..7b18ed7 --- /dev/null +++ b/debian/README.Debian @@ -0,0 +1,11 @@ +Apparmor Profile +---------------- + +If your system uses AppArmor, note that the shipped enforcing profile +works with the default installation, and changes in your configuration may +require changes to the installed AppArmor profile. Before filing a bug against +this package, please see: + + * https://wiki.debian.org/AppArmor/Debug + * https://wiki.ubuntu.com/DebuggingApparmor + diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..a1bfe78 --- /dev/null +++ b/debian/changelog @@ -0,0 +1,1048 @@ +tcpdump (4.99.4-3) unstable; urgency=medium + + * Allow *.pcapng in AppArmor policy, thanks to Chris Kuethe for the + patch (closes: #1039993). + * Pick up patch from upstream PR#812 to avoid the call to droproot() + altogether if called with `-Z root', thanks to Tj (closes: #1035842). + * Override 'spelling-error-in-binary' and move 'set -e' inside maintscripts. + + -- Romain Francoise <rfrancoise@debian.org> Sat, 22 Jul 2023 17:23:56 +0200 + +tcpdump (4.99.4-2) unstable; urgency=medium + + * Upload to unstable. + + -- Romain Francoise <rfrancoise@debian.org> Sat, 17 Jun 2023 17:29:12 +0200 + +tcpdump (4.99.4-1) experimental; urgency=medium + + * New upstream release. + * Mark Debian-specific patches as "Forwarded: not-needed" in metadata. + + -- Romain Francoise <rfrancoise@debian.org> Mon, 10 Apr 2023 16:57:18 +0200 + +tcpdump (4.99.3-1) unstable; urgency=medium + + * New upstream release. + * Drop Hurd build patch, which doesn't seem to be right anymore. + + -- Romain Francoise <rfrancoise@debian.org> Sat, 14 Jan 2023 18:23:25 +0100 + +tcpdump (4.99.2-1) unstable; urgency=medium + + * New upstream release. + * Re-enable all tests. + * Bump Standards-Version to 4.6.2. + + -- Romain Francoise <rfrancoise@debian.org> Sun, 01 Jan 2023 18:19:40 +0100 + +tcpdump (4.99.1-4) unstable; urgency=medium + + * debian/usr.bin.tcpdump: account for numerical suffix in filenames + added by -W (closes: #1010688). + + -- Romain Francoise <rfrancoise@debian.org> Sun, 08 May 2022 18:25:45 +0200 + +tcpdump (4.99.1-3) unstable; urgency=medium + + * Clean up AppArmor local profile for /usr/sbin/tcpdump, if it's still + empty (closes: #990554). + * Switch to debhelper compat level 13. + * Set `Rules-Requires-Root' to "no". + * Bump Standards-Version to 4.6.0. + + -- Romain Francoise <rfrancoise@debian.org> Sun, 12 Sep 2021 18:55:44 +0200 + +tcpdump (4.99.1-2) unstable; urgency=medium + + * Upload to unstable. + + -- Romain Francoise <rfrancoise@debian.org> Sun, 15 Aug 2021 17:29:54 +0200 + +tcpdump (4.99.1-1) experimental; urgency=medium + + * New upstream release. + * debian/usr.bin.tcpdump: grant access to *.cap (closes: #989433). + + -- Romain Francoise <rfrancoise@debian.org> Sun, 20 Jun 2021 20:48:30 +0200 + +tcpdump (4.99.0-2) unstable; urgency=medium + + * Add autopkgtest support, running the upstream test suite. + + -- Romain Francoise <rfrancoise@debian.org> Fri, 15 Jan 2021 23:41:47 +0100 + +tcpdump (4.99.0-1) unstable; urgency=medium + + * New upstream release. + * Mention in debian/NEWS that tcpdump is now installed to /usr/bin + instead of /usr/sbin. + * Rename AppArmor profile to match new binary location and add + maintscript stanza to move the previous conffile if present. + * Temporarily disable tests that require the just-released libpcap 1.10, + we don't want to tie the migration of the two just before the bullseye + freeze. + * Drop unused lintian override. + * Bump Standards-Version to 4.5.1. + + -- Romain Francoise <rfrancoise@debian.org> Sun, 03 Jan 2021 21:28:16 +0100 + +tcpdump (4.9.3-7) unstable; urgency=high + + * Cherry-pick commit 32027e1993 from the upstream tcpdump-4.9 branch to fix + untrusted input issue in the PPP printer (CVE-2020-8037, closes: #973877). + + -- Romain Francoise <rfrancoise@debian.org> Sat, 07 Nov 2020 13:19:14 +0100 + +tcpdump (4.9.3-6) unstable; urgency=medium + + [ Simon Deziel ] + * debian/usr.sbin.tcpdump: use profile name specifier instead of + '/usr/sbin/tcpdump'. + + -- Romain Francoise <rfrancoise@debian.org> Thu, 28 May 2020 19:23:57 +0200 + +tcpdump (4.9.3-5) unstable; urgency=medium + + * Minor packaging fixes courtesy of the Janitor bot and lintian-brush: + + Set upstream metadata fields: Bug-Submit, Repository, Repository- + Browse. + * Bump Standards-Version to 4.5.0. + + -- Romain Francoise <rfrancoise@debian.org> Sat, 09 May 2020 20:42:57 +0200 + +tcpdump (4.9.3-4) unstable; urgency=medium + + * Set upstream metadata fields: Bug-Database. + + -- Romain Francoise <rfrancoise@debian.org> Tue, 31 Dec 2019 19:24:04 +0100 + +tcpdump (4.9.3-3) unstable; urgency=medium + + * Minor packaging fixes courtesy of the Janitor bot and lintian-brush: + + Use secure URI in debian/watch. + + Use secure URI in Homepage field. + + Bump debhelper from old 11 to 12. + + Set debhelper-compat version in Build-Depends. + + Re-export upstream signing key without extra signatures. + + -- Romain Francoise <rfrancoise@debian.org> Sun, 08 Dec 2019 13:56:42 +0100 + +tcpdump (4.9.3-2) unstable; urgency=medium + + * Disable failing IKEv2 test yet again to fix build on ppc64el (again) + (closes: #942171). + + -- Romain Francoise <rfrancoise@debian.org> Fri, 11 Oct 2019 20:48:04 +0200 + +tcpdump (4.9.3-1) unstable; urgency=medium + + * New upstream release, with fixes for 24 different CVEs (closes: #941698). + * Build-depend on libpcap >= 1.9.1 to make all build-time tests pass. + * Re-enable IKEv2 test. + * Bump Standards-Version to 4.4.1. + + -- Romain Francoise <rfrancoise@debian.org> Thu, 10 Oct 2019 21:31:38 +0200 + +tcpdump (4.9.3~git20190901-2) unstable; urgency=medium + + * Disable failing IKEv2 test again to fix build on ppc64el. + + -- Romain Francoise <rfrancoise@debian.org> Sat, 07 Sep 2019 12:14:43 +0200 + +tcpdump (4.9.3~git20190901-1) unstable; urgency=low + + * New upstream snapshot from the tcpdump-4.9 branch: + + Includes fix for CVE-2017-16808 (closes: #881862). + + Fixes ESP decryption on ppc64el (and others), re-enable tests. + * Drop root privileges by default (closes: #935112): + + debian/rules: Configure --with-user=tcpdump. + + debian/tcpdump.post{inst,rm}: Create/delete a 'tcpdump' system group + and user. + + debian/control: Add dependency on adduser. + + debian/patches/drop-privs-after-opening-savefile.diff: New patch + (from Fedora) to drop root privileges *after* opening the savefile + when possible, to alleviate possible inconvenience if the target + directory is not writable by user tcpdump. + + debian/patches/drop-privs-silently.diff: New patch (from Fedora) to + drop root privileges silently. + + debian/usr.sbin.tcpdump: Add chown capability, and update rules + about device discovery. + + debian/NEWS: Mention how to run tcpdump as root. + * Bump Standards-Version to 4.4.0. + + -- Romain Francoise <rfrancoise@debian.org> Sun, 01 Sep 2019 13:05:24 +0200 + +tcpdump (4.9.2-3) unstable; urgency=medium + + [ Jamie Strandboge ] + * debian/usr.sbin.tcpdump: drop 'capability sys_module' since we already + have 'net_admin' and network module loading (which happens with -D) is + allowed with 'net_admin' (LP: #1759029) (closes: #894161) + + [ Romain Francoise ] + * Switch to debhelper compatibility level 11. + * Bump Standards-Version to 4.1.3. + + -- Romain Francoise <rfrancoise@debian.org> Sat, 31 Mar 2018 22:22:36 +0200 + +tcpdump (4.9.2-2) unstable; urgency=medium + + * Use new URLs on salsa.debian.org for Vcs-* fields. + * Bump Standards-Version to 4.1.2. + + -- Romain Francoise <rfrancoise@debian.org> Sun, 31 Dec 2017 15:53:41 +0100 + +tcpdump (4.9.2-1) unstable; urgency=high + + * New upstream release: + + Fixes 86 new CVEs, see the upstream changelog for the full list. + + Now supports OpenSSL 1.1, so move back to libssl-dev (closes: #859740). + * Urgency high due to security fixes. + + -- Romain Francoise <rfrancoise@debian.org> Fri, 08 Sep 2017 21:30:47 +0200 + +tcpdump (4.9.1-3) unstable; urgency=high + + * Cherry-pick three upstream commits to fix the following: + + CVE-2017-11541: buffer over-read in safeputs() (closes: #873804) + + CVE-2017-11542: buffer over-read in pimv1_print() (closes: #873805) + + CVE-2017-11543: buffer overflow in sliplink_print() (closes: #873806) + * Urgency high due to security fixes. + + -- Romain Francoise <rfrancoise@debian.org> Mon, 04 Sep 2017 19:45:45 +0200 + +tcpdump (4.9.1-2) unstable; urgency=medium + + * Disable IKEv2 test which mysteriously fails on ppc64el (closes: #873377). + + -- Romain Francoise <rfrancoise@debian.org> Sat, 02 Sep 2017 11:01:30 +0200 + +tcpdump (4.9.1-1) unstable; urgency=medium + + * New upstream release, fixes CVE-2017-11108 (closes: #867718). + * Bump Standards-Version to 4.1.0. + * debian/watch: add pgpsigurlmangle option. + * Add upstream signing key in debian/upstream. + + -- Romain Francoise <rfrancoise@debian.org> Sat, 26 Aug 2017 18:48:32 +0200 + +tcpdump (4.9.0-3) unstable; urgency=medium + + [ intrigeri ] + * Include AppArmor profile from Ubuntu (closes: #866682). + + [ Romain Francoise ] + * Bump Standards-Version to 4.0.0. + + -- Romain Francoise <rfrancoise@debian.org> Sun, 02 Jul 2017 12:13:53 +0200 + +tcpdump (4.9.0-2) unstable; urgency=medium + + * Re-enable crypto support, targeting OpenSSL 1.0 as upstream still + doesn't support OpenSSL 1.1. + * Drop --enable-ipv6 from configure line, it has been the default for + years now. + + -- Romain Francoise <rfrancoise@debian.org> Sat, 11 Feb 2017 16:40:05 +0100 + +tcpdump (4.9.0-1) unstable; urgency=high + + * New upstream security release, fixing the following: + + CVE-2016-7922: buffer overflow in print-ah.c:ah_print(). + + CVE-2016-7923: buffer overflow in print-arp.c:arp_print(). + + CVE-2016-7924: buffer overflow in print-atm.c:oam_print(). + + CVE-2016-7925: buffer overflow in print-sl.c:sl_if_print(). + + CVE-2016-7926: buffer overflow in print-ether.c:ethertype_print(). + + CVE-2016-7927: buffer overflow in print-802_11.c:ieee802_11_radio_print(). + + CVE-2016-7928: buffer overflow in print-ipcomp.c:ipcomp_print(). + + CVE-2016-7929: buffer overflow in print-juniper.c:juniper_parse_header(). + + CVE-2016-7930: buffer overflow in print-llc.c:llc_print(). + + CVE-2016-7931: buffer overflow in print-mpls.c:mpls_print(). + + CVE-2016-7932: buffer overflow in print-pim.c:pimv2_check_checksum(). + + CVE-2016-7933: buffer overflow in print-ppp.c:ppp_hdlc_if_print(). + + CVE-2016-7934: buffer overflow in print-udp.c:rtcp_print(). + + CVE-2016-7935: buffer overflow in print-udp.c:rtp_print(). + + CVE-2016-7936: buffer overflow in print-udp.c:udp_print(). + + CVE-2016-7937: buffer overflow in print-udp.c:vat_print(). + + CVE-2016-7938: integer overflow in print-zeromq.c:zmtp1_print_frame(). + + CVE-2016-7939: buffer overflow in print-gre.c, multiple functions. + + CVE-2016-7940: buffer overflow in print-stp.c, multiple functions. + + CVE-2016-7973: buffer overflow in print-atalk.c, multiple functions. + + CVE-2016-7974: buffer overflow in print-ip.c, multiple functions. + + CVE-2016-7975: buffer overflow in print-tcp.c:tcp_print(). + + CVE-2016-7983: buffer overflow in print-bootp.c:bootp_print(). + + CVE-2016-7984: buffer overflow in print-tftp.c:tftp_print(). + + CVE-2016-7985: buffer overflow in print-calm-fast.c:calm_fast_print(). + + CVE-2016-7986: buffer overflow in print-geonet.c, multiple functions. + + CVE-2016-7992: buffer overflow in print-cip.c:cip_if_print(). + + CVE-2016-7993: a bug in util-print.c:relts_print() could cause a + buffer overflow in multiple protocol parsers (DNS, DVMRP, HSRP, IGMP, + lightweight resolver protocol, PIM). + + CVE-2016-8574: buffer overflow in print-fr.c:frf15_print(). + + CVE-2016-8575: buffer overflow in print-fr.c:q933_print(). + + CVE-2017-5202: buffer overflow in print-isoclns.c:clnp_print(). + + CVE-2017-5203: buffer overflow in print-bootp.c:bootp_print(). + + CVE-2017-5204: buffer overflow in print-ip6.c:ip6_print(). + + CVE-2017-5205: buffer overflow in print-isakmp.c:ikev2_e_print(). + + CVE-2017-5341: buffer overflow in print-otv.c:otv_print(). + + CVE-2017-5342: a bug in multiple protocol parsers (Geneve, GRE, NSH, + OTV, VXLAN and VXLAN GPE) could cause a buffer overflow in + print-ether.c:ether_print(). + + CVE-2017-5482: buffer overflow in print-fr.c:q933_print(). + + CVE-2017-5483: buffer overflow in print-snmp.c:asn1_parse(). + + CVE-2017-5484: buffer overflow in print-atm.c:sig_print(). + + CVE-2017-5485: buffer overflow in addrtoname.c:lookup_nsap(). + + CVE-2017-5486: buffer overflow in print-isoclns.c:clnp_print(). + * Re-enable all tests and bump build-dep on libpcap0.8-dev to >= 1.8 + accordingly. + * Switch Vcs-Git URL to the https one. + * Adjust lintian override name about dh 9. + + -- Romain Francoise <rfrancoise@debian.org> Thu, 26 Jan 2017 20:04:11 +0100 + +tcpdump (4.8.1-2) unstable; urgency=medium + + * Disable new HNCP test, which fails on some buildds for some + as-of-yet unexplained reason. + + -- Romain Francoise <rfrancoise@debian.org> Sat, 29 Oct 2016 19:40:01 +0200 + +tcpdump (4.8.1-1) unstable; urgency=medium + + * New upstream release. + * Re-enable Geneve tests (disabled in 4.7.4-1) and bump build-dep on + libpcap0.8-dev to >= 1.7 accordingly. + * Disable new pcap version tests which require libpcap 1.8+. + + -- Romain Francoise <rfrancoise@debian.org> Sat, 29 Oct 2016 17:16:06 +0200 + +tcpdump (4.7.4-3) unstable; urgency=medium + + * Use dh-autoreconf instead of calling autoconf directly and patching + config.{guess,sub}. + * Call dh_auto_configure instead of configure in override target, patch + by Helmut Grohne (closes: #837951). + + -- Romain Francoise <rfrancoise@debian.org> Sat, 17 Sep 2016 11:18:45 +0200 + +tcpdump (4.7.4-2) unstable; urgency=medium + + * Disable crypto support as it causes FTBFS with OpenSSL 1.1.x and we + don't have a working fix upstream yet (closes: #828569). + * Bump Standards-Version to 3.9.8. + * Use cgit URL for Vcs-Browser. + + -- Romain Francoise <rfrancoise@debian.org> Sun, 28 Aug 2016 18:16:50 +0200 + +tcpdump (4.7.4-1) unstable; urgency=medium + + * New upstream release. + * Disable two geneve tests that require libpcap 1.7+. + * Bump Standards-Version to 3.9.6. + + -- Romain Francoise <rfrancoise@debian.org> Sat, 23 May 2015 18:25:01 +0200 + +tcpdump (4.6.2-5) unstable; urgency=high + + * Cherry-pick commit fb6e5377f3 from upstream Git to fix regressions in the + RPKI/RTR printer after the CVE-2015-2153 changes. Thanks to Artur Rona + from Ubuntu for the heads-up (closes: #781362). + + -- Romain Francoise <rfrancoise@debian.org> Sat, 04 Apr 2015 19:10:27 +0200 + +tcpdump (4.6.2-4) unstable; urgency=high + + * Cherry-pick changes from upstream Git to fix the following security + issues: + + CVE-2015-0261: missing bounds checks in IPv6 Mobility printer. + + CVE-2015-2153: missing bounds checks in RPKI/RTR printer. + + CVE-2015-2154: missing bounds checks in ISOCLNS printer. + + CVE-2015-2155: missing bounds checks in ForCES printer. + + -- Romain Francoise <rfrancoise@debian.org> Sat, 14 Mar 2015 18:43:44 +0100 + +tcpdump (4.6.2-3) unstable; urgency=high + + * Cherry-pick commit 0f95d441e4 from upstream Git to fix a buffer overflow + in the PPP dissector (CVE-2014-9140). + + -- Romain Francoise <rfrancoise@debian.org> Sat, 29 Nov 2014 12:23:53 +0100 + +tcpdump (4.6.2-2) unstable; urgency=high + + * Urgency high due to security fixes. + * Add three patches extracted from various upstream commits fixing + vulnerabilities in three dissectors: + + CVE-2014-8767: missing bounds checks in OLSR dissector (closes: #770434). + + CVE-2014-8768: missing bounds checks in Geonet dissector + (closes: #770415). + + CVE-2014-8769: missing bounds checks in AOVD dissector (closes: #770424). + + -- Romain Francoise <rfrancoise@debian.org> Sat, 22 Nov 2014 11:48:08 +0100 + +tcpdump (4.6.2-1) unstable; urgency=medium + + * New upstream release. + + -- Romain Francoise <rfrancoise@debian.org> Thu, 04 Sep 2014 18:53:34 +0200 + +tcpdump (4.6.1-3) unstable; urgency=medium + + * Bump build-dep on libpcap0.8-dev to >= 1.5 as the pppoes_id test case + requires a pcap version that supports PPPoE session ID filtering. + + -- Romain Francoise <rfrancoise@debian.org> Sat, 16 Aug 2014 17:38:28 +0200 + +tcpdump (4.6.1-2) unstable; urgency=medium + + * Expand configure check for net/pfvar.h to also check for existence of + net/if_pflog.h to fix build on GNU/kFreeBSD, which ships the former + but not the latter, see #756553 (closes: #756790). + + -- Romain Francoise <rfrancoise@debian.org> Mon, 04 Aug 2014 22:37:24 +0200 + +tcpdump (4.6.1-1) unstable; urgency=medium + + * New upstream release. + * debian/control: Mark tcpdump 'Multi-Arch: foreign' (closes: #700727). + + -- Romain Francoise <rfrancoise@debian.org> Wed, 30 Jul 2014 19:16:49 +0200 + +tcpdump (4.5.1-2) unstable; urgency=low + + * Disable nflog-e testcase, the NFLOG header length is specified in host + byte order which makes capture files order-dependent (closes: #731031). + + -- Romain Francoise <rfrancoise@debian.org> Sun, 01 Dec 2013 12:13:16 +0100 + +tcpdump (4.5.1-1) unstable; urgency=low + + * New upstream release. + * Disable new pppoes testcase which uses a new pcap feature to avoid tying + the two upstream versions together. + * debian/control: Set Standards-Version to 3.9.5. + + -- Romain Francoise <rfrancoise@debian.org> Sat, 30 Nov 2013 23:54:03 +0100 + +tcpdump (4.4.0-1) unstable; urgency=low + + * New upstream release: + + Fixes format error in NTP printer (closes: #686276). + + Rewords -e description (closes: #648768). + * debian/control: Set Standards-Version to 3.9.4. + * Use canonical locations in Vcs-* fields. + + -- Romain Francoise <rfrancoise@debian.org> Sat, 25 May 2013 13:50:30 +0200 + +tcpdump (4.3.0-1) unstable; urgency=low + + * New upstream release. + * Re-enable test suite. + + -- Romain Francoise <rfrancoise@debian.org> Wed, 13 Jun 2012 22:55:54 +0200 + +tcpdump (4.2.1-3) unstable; urgency=low + + * Fix CPPFLAGS handling in upstream configure.in to avoid losing + hardening flags, patch by Simon Ruderich <simon@ruderich.org> + (closes: #662016). + * Fix some misspellings pointed out by lintian. + * debian/control: Set Standards-Version to 3.9.3. + + -- Romain Francoise <rfrancoise@debian.org> Sat, 03 Mar 2012 17:11:48 +0100 + +tcpdump (4.2.1-2) unstable; urgency=low + + * Drop debian/patches/50_kfreebsd.diff (closes: #658848). + + -- Romain Francoise <rfrancoise@debian.org> Mon, 06 Feb 2012 19:01:12 +0100 + +tcpdump (4.2.1-1) unstable; urgency=low + + * New upstream release. + * Upload to unstable. + + -- Romain Francoise <rfrancoise@debian.org> Mon, 02 Jan 2012 20:19:22 +0100 + +tcpdump (4.2.0~rc1-2) experimental; urgency=low + + * Make sure OpenSSL support gets enabled: since it moved to multiarch + paths, the configure script doesn't find libcrypto.so and disables + crypto support. To fix this, simplify detection logic in configure.in + and run autoconf before configuring. + * Redo build flags handling: + + Enable hardening flags via dpkg-buildflags, not hardening-includes. + + Switch to debhelper compat level 9 to have build flags exported + automatically. + + Adjust build-depends accordingly. + * Enable parallel build in debhelper. + + -- Romain Francoise <rfrancoise@debian.org> Sun, 06 Nov 2011 19:14:23 +0100 + +tcpdump (4.2.0~rc1-1) experimental; urgency=low + + * New upstream beta release (closes: #636806); now switches to the -Z + user before opening the first output file (closes: #434603). + * debian/control: Set Standards-Version to 3.9.2. + + -- Romain Francoise <rfrancoise@debian.org> Sun, 14 Aug 2011 10:44:58 +0200 + +tcpdump (4.1.1-2) unstable; urgency=low + + * Fix FTBFS on GNU/Hurd; patch from Svante Signell (closes: #622287). + * debian/control: Tweak short and long descriptions, set + Standards-Version to 3.9.1. + + -- Romain Francoise <rfrancoise@debian.org> Mon, 11 Apr 2011 22:37:29 +0200 + +tcpdump (4.1.1-1) unstable; urgency=low + + * New upstream release (closes: #576001). + * debian/rules: Disable dh_auto_test (for now). + * debian/control: Set Standards-Version to 3.8.4. + * debian/patches/30_uflag_flushopen.diff: New patch: when saving to a + capture file with -U, flush the file immediately after opening it. + Suggested by Ferenc Wagner <wferi@niif.hu> (closes: #533625). + * debian/patches/20_man_fixes.diff: Fix TCP flags description, thanks to + Christophe Rhodes <csr21@cantab.net> (closes: #575724). + + -- Romain Francoise <rfrancoise@debian.org> Tue, 06 Apr 2010 19:58:14 +0200 + +tcpdump (4.0.0-6) unstable; urgency=low + + * debian/control: Build-depend on hardening-includes. + * debian/rules: Use hardening.make. + + -- Romain Francoise <rfrancoise@debian.org> Thu, 24 Dec 2009 11:51:12 +0100 + +tcpdump (4.0.0-5) unstable; urgency=low + + * Switch to 3.0 (quilt) source format: + + Drop build-depends on quilt. + + Remove patch/unpatch logic from debian/rules. + + Remove README.source. + + Refresh debian/patches/30_tcp_seq.diff. + * Use dh(1): + + debian/compat: Bump to 7. + + debian/control: Build-depend on debhelper (>= 7.0.50~). + + debian/rules: Simplify. + + debian/tcpdump.dirs: Removed. + + -- Romain Francoise <rfrancoise@debian.org> Sun, 08 Nov 2009 17:25:38 +0100 + +tcpdump (4.0.0-4) unstable; urgency=low + + * debian/control: + + Add ${misc:Depends} to Depends. + + Set Standards-Version to 3.8.3; no changes needed. + * debian/{watch,README.source}: New files. + * debian/copyright: Remove link to original file. + + -- Romain Francoise <rfrancoise@debian.org> Thu, 08 Oct 2009 19:00:23 +0200 + +tcpdump (4.0.0-3) unstable; urgency=low + + * debian/patches/20_man_fixes.diff: Update; pcap-filter is in section 7, + not 4 (closes: #527599). + * debian/control: Set Standards-Version to 3.8.1. + + -- Romain Francoise <rfrancoise@debian.org> Tue, 16 Jun 2009 11:51:14 +0200 + +tcpdump (4.0.0-2) unstable; urgency=low + + * debian/patches/30_tcp_seq.diff: Patch from Ilpo Järvinen adding back + default display of sequence numbers in TCP printer (closes: #517661). + * debian/patches/series: Update. + + -- Romain Francoise <rfrancoise@debian.org> Sun, 01 Mar 2009 14:51:25 +0100 + +tcpdump (4.0.0-1) unstable; urgency=low + + * Upload to unstable. + + -- Romain Francoise <rfrancoise@debian.org> Wed, 18 Feb 2009 18:55:35 +0100 + +tcpdump (4.0.0-1~exp1) experimental; urgency=low + + * New upstream release. + * debian/control: Set Standards-Version to 3.8.0. + * debian/rules: Don't set DH_VERBOSE. + * debian/patches/15_install.diff: New patch, don't install two identical + tcpdump binaries. + + -- Romain Francoise <rfrancoise@debian.org> Sun, 30 Nov 2008 22:55:39 +0100 + +tcpdump (3.9.8-4) unstable; urgency=low + + * debian/control: Build-Depend on libpcap0.8-dev (>= 0.9.3), + not (>= 0.9.3-1). + + -- Romain Francoise <rfrancoise@debian.org> Sat, 08 Mar 2008 19:24:02 +0100 + +tcpdump (3.9.8-3) unstable; urgency=low + + * debian/copyright: Convert to UTF-8 encoding. + * debian/control: Set Standards-Version to 3.7.3, no changes needed. + + -- Romain Francoise <rfrancoise@debian.org> Sun, 23 Dec 2007 14:32:17 +0100 + +tcpdump (3.9.8-2) unstable; urgency=low + + * debian/control: Add Vcs-Browser and Vcs-Git fields. + * debian/patches/50_kfreebsd.diff: New patch by Petr Salinger fixing + FTBFS on Debian GNU/kFreeBSD (closes: #448695). + + -- Romain Francoise <rfrancoise@debian.org> Sat, 03 Nov 2007 11:12:53 +0100 + +tcpdump (3.9.8-1) unstable; urgency=low + + * New upstream release. + + -- Romain Francoise <rfrancoise@debian.org> Thu, 27 Sep 2007 22:41:53 +0200 + +tcpdump (3.9.7-2) unstable; urgency=low + + * debian/control: Move upstream URL to the Homepage header. + + -- Romain Francoise <rfrancoise@debian.org> Fri, 21 Sep 2007 19:48:05 +0200 + +tcpdump (3.9.7-1) unstable; urgency=low + + * New upstream release. + * debian/patches/41_cve-2007-3798.diff: Deleted. + * debian/patches/40_cve-2007-1218.diff: Deleted. + * debian/patches/series: Update. + + -- Romain Francoise <rfrancoise@debian.org> Sun, 12 Aug 2007 12:45:31 +0200 + +tcpdump (3.9.5-4) unstable; urgency=low + + * debian/rules: Don't ignore errors in clean target. + * debian/patches/50_autotools-dev.diff: New patch, make config.{guess,sub} + exec newer versions of themselves if autotools-dev is installed. + * debian/patches/series: Update. + * debian/control: Add build-depends on autotools-dev. + + -- Romain Francoise <rfrancoise@debian.org> Sat, 11 Aug 2007 20:18:34 +0200 + +tcpdump (3.9.5-3) unstable; urgency=medium + + * Convert to quilt for patch management: + + debian/control: Build-Depend on quilt (>= 0.40) instead of dpatch. + + debian/rules: Include /usr/share/quilt/quilt.make. + + Convert all dpatch patches to regular patches. + + * debian/patches/41_cve-2007-3798.diff: New patch, fixes an integer + overflow in the BGP dissector (CVE-2007-3798), thanks to Daniel Leidert + (closes: #434030). + * debian/patches/series: Update. + + -- Romain Francoise <rfrancoise@debian.org> Wed, 01 Aug 2007 19:56:04 +0200 + +tcpdump (3.9.5-2) unstable; urgency=medium + + * debian/patches/40_cve-2007-1218.dpatch: New patch, fixes a potential + buffer overflow in the 802.11 printer (CVE-2007-1218), thanks to + Moritz Muehlenhoff <jmm@debian.org> (closes: #413430). + * debian/patches/00list: Update. + + -- Romain Francoise <rfrancoise@debian.org> Mon, 5 Mar 2007 20:22:50 +0100 + +tcpdump (3.9.5-1) unstable; urgency=low + + * New upstream release. + * debian/patches/20_man_fixes.dpatch: Resync. + + -- Romain Francoise <rfrancoise@debian.org> Sat, 23 Sep 2006 21:13:07 +0200 + +tcpdump (3.9.4-4) unstable; urgency=low + + * debian/compat: Switch to debhelper compatibility level 5. + * debian/control: + + Build-Depend on debhelper (>= 5). + + Remove Uploaders field. + + Bump Standards-Version to 3.7.2, no changes needed. + * debian/rules: Misc. cleanups. + + -- Romain Francoise <rfrancoise@debian.org> Sat, 20 May 2006 13:07:45 +0200 + +tcpdump (3.9.4-3) unstable; urgency=low + + * debian/patches/20_man_fixes.dpatch: Merge patch from A Costa + <agcosta@gis.net> fixing a few typos (closes: #351014). + + -- Romain Francoise <rfrancoise@debian.org> Thu, 2 Feb 2006 22:24:04 +0100 + +tcpdump (3.9.4-2) unstable; urgency=low + + * debian/patches/20_man_fixes.dpatch: Merge patch from A Costa + <agcosta@gis.net> fixing a few typos (closes: #342310). + + -- Romain Francoise <rfrancoise@debian.org> Sat, 10 Dec 2005 14:26:20 +0100 + +tcpdump (3.9.4-1) unstable; urgency=low + + * New upstream release. + + * debian/patches/40_spelling.dpatch: Dropped (included upstream). + * debian/patches/30_version.dpatch: Dropped. + * debian/patches/30_vlan_eflag: New patch, reverse test for eflag in + print-ether.c to match the intended effect (closes: #324706). + + * This upload also transitions tcpdump to OpenSSL 0.9.8. + + -- Romain Francoise <rfrancoise@debian.org> Sun, 9 Oct 2005 20:11:49 +0200 + +tcpdump (3.9.3-2) unstable; urgency=low + + * debian/patches/40_spelling.dpatch: New patch, fixes spelling errors + ("advertisment" vs. "advertisement"), thanks to Michael Shields + <shields@msrl.com> (closes: #318676). + * debian/patches/00list: Update. + + -- Romain Francoise <rfrancoise@debian.org> Sun, 17 Jul 2005 12:28:22 +0200 + +tcpdump (3.9.3-1) unstable; urgency=low + + * New upstream release. + * Build-Depend on libpcap0.8-dev (which is really libpcap 0.9.3). + + * debian/patches/30_ascii-output.dpatch: Dropped (merged upstream). + * debian/patches/30_version: New patch, fixes upstream version (still at + 3.9.2 while this is version 3.9.3). + * debian/patches/00list: Update. + + -- Romain Francoise <rfrancoise@debian.org> Sat, 16 Jul 2005 14:59:30 +0200 + +tcpdump (3.9.1-1) unstable; urgency=low + + * New upstream release. + * debian/patches/30_ascii-output.dpatch: New patch, fixes -x, -X and -A + priorities and removes extra newline and tab characters in the ascii + output (closes: #285764, #316908). + * debian/patches/00list: Update. + + -- Romain Francoise <rfrancoise@debian.org> Wed, 6 Jul 2005 20:17:19 +0200 + +tcpdump (3.9.0.cvs.20050622-1) unstable; urgency=low + + * New CVS snapshot. + * debian/control: Bump Standards-Version to 3.6.2.1, no changes needed. + + -- Romain Francoise <rfrancoise@debian.org> Wed, 22 Jun 2005 19:52:31 +0200 + +tcpdump (3.9.0.cvs.20050614-1) unstable; urgency=low + + * New CVS snapshot. + * Upload to unstable. + + -- Romain Francoise <rfrancoise@debian.org> Tue, 14 Jun 2005 19:43:24 +0200 + +tcpdump (3.9.0.cvs.20050529-1) experimental; urgency=low + + * New upstream CVS snapshot for experimental. + + -- Romain Francoise <rfrancoise@debian.org> Sun, 29 May 2005 12:55:31 +0200 + +tcpdump (3.9.0.cvs.20050511-1) experimental; urgency=low + + * Upstream CVS snapshot of tcpdump 3.9 for experimental. + * debian/patches/20_man_fixes.dpatch: Resynchronized. + * debian/patches/30_openssl_des.dpatch: Dropped (fixed upstream). + * debian/patches/40_ipv6cp.dpatch: Ditto. + * debian/patches/50_misc_dos.dpatch: Ditto. + * debian/patches/00list: Update. + * debian/control: Build with libpcap0.9, also in experimental. + + -- Romain Francoise <rfrancoise@debian.org> Wed, 11 May 2005 20:00:31 +0200 + +tcpdump (3.8.3-5) unstable; urgency=low + + * debian/copyright: Clarify license conditions, some files in the + distribution are still under the 4-clause BSD license (closes: #283008). + * debian/changelog: Revise 3.8.3-4 entry to add CAN numbers (which have + been assigned in the meantime). + + -- Romain Francoise <rfrancoise@debian.org> Sun, 1 May 2005 17:23:45 +0200 + +tcpdump (3.8.3-4) unstable; urgency=high + + * Urgency set to high due to security fixes. + * debian/patches/50_misc_dos.dpatch: Security fixes stolen from the 3.8 + branch fix infinite loops in the BGP, ISIS, LDP and RSVP dissectors + [CAN-2005-1278, CAN-2005-1279, CAN-2005-1280] (closes: #306529). + * debian/patches/00list: Add 50_misc_dos. + + -- Romain Francoise <rfrancoise@debian.org> Wed, 27 Apr 2005 21:05:37 +0200 + +tcpdump (3.8.3-3) unstable; urgency=low + + * debian/patches/40_ipv6cp.dpatch: New patch, do not try to print IPV6CP + ppp packets, the dissector doesn't support it (closes: #255179). + * debian/patches/00list: Add 40_ipv6cp. + + -- Romain Francoise <rfrancoise@debian.org> Sat, 19 Jun 2004 15:01:27 +0200 + +tcpdump (3.8.3-2) unstable; urgency=low + + * debian/rules: Enable crypto support (closes: #82581, #93428). + * debian/control: + + Build-Depend on libssl-dev. + + Put back URL markers in description. + + Switch Maintainer and Uploaders fields to match reality. + * debian/patches/30_openssl_des.dpatch: Patch to make upstream's + configure script check for DES_cbc_encrypt instead of des_cbc_encrypt, + (the function got renamed in OpenSSL 0.9.7), which saves us the hassle + of re-running autoconf. Temporary hack since upstream has fixed this + in CVS already. + * debian/patches/00list: Add 30_openssl_des. + + -- Romain Francoise <rfrancoise@debian.org> Fri, 14 May 2004 22:14:08 +0200 + +tcpdump (3.8.3-1) unstable; urgency=low + + * New upstream release. + * debian/rules: + + Add -D_FILE_OFFSET_BITS=64 to default CFLAGS to match libpcap + (closes: #154762). + + Use dpatch for patch management. + + Clean up CFLAGS handling. + + Support DEB_BUILD_OPTIONS. + * debian/control: + + Build-Depend on libpcap0.8-dev, dpatch. + + Add versioned Build-Depends on debhelper. + + Remove Emacs-style URL markers from description. + * debian/compat: New file. + * debian/copyright: Update. + * debian/tcpdump.docs: Do not install upstream INSTALL file. + * debian/patches: New directory. + * debian/patches/10_man_install.dpatch: Patch split off the Debian diff + to change man install paths in upstream Makefile.in. + * debian/patches/20_man_fixes.dpatch: Patch split off the Debian diff to + fix some inconsistencies in the upstream man page. + * debian/patches/00list: New file (patch list). + + -- Romain Francoise <rfrancoise@debian.org> Tue, 11 May 2004 14:02:09 +0200 + +tcpdump (3.7.2-4) unstable; urgency=high + + * Urgency high due to security fixes. + * Backport changes from upstream CVS to fix ISAKMP payload handling + denial-of-service vulnerabilities (CAN-2004-0183, CAN-2004-0184). + Detailed changes (with corresponding upstream revisions): + + Add length checks in isakmp_id_print() (print-isakmp.c, rev. 1.47) + + Add data checks all over the place, change rawprint() prototype and + add corresponding return value checks (print-isakmp.c, rev. 1.46) + + Add missing ntohs() and change length initialization in + isakmp_id_print(), not porting prototype changes (print-isakmp.c, + rev. 1.45) + + -- Romain Francoise <rfrancoise@debian.org> Tue, 6 Apr 2004 19:39:24 +0200 + +tcpdump (3.7.2-3) unstable; urgency=low + + * Backport changes from upstream CVS to fix several vulnerabilities in + ISAKMP, L2TP and Radius parsing (closes: #227844, #227845, #227846). + + -- Romain Francoise <rfrancoise@debian.org> Sat, 17 Jan 2004 14:12:30 +0100 + +tcpdump (3.7.2-2) unstable; urgency=low + + * Acknowledge NMU by Romain (closes: #208543). + * Apply man page fixes by Romain: + + networks(4) changed to networks(5) (closes: #194180). + + ethers(3N) changed to ethers(5) (closes: #197888). + * debian/control: Added Romain Francoise as co maintainer. Thanks for + your help, Romain! + + -- Torsten Landschoff <torsten@debian.org> Sun, 19 Oct 2003 04:12:31 +0200 + +tcpdump (3.7.2-1.1) unstable; urgency=low + + * NMU + * Reverse order of #include directives in print-sctp.c so that + IPPROTO_SCTP is defined (closes: #208543). + + -- Romain Francoise <rfrancoise@debian.org> Sun, 12 Oct 2003 17:06:01 +0200 + +tcpdump (3.7.2-1) unstable; urgency=low + + * New upstream release (closes: #195816). + + -- Torsten Landschoff <torsten@debian.org> Sun, 8 Jun 2003 00:14:44 +0200 + +tcpdump (3.7.1-1.2) unstable; urgency=high + + * Non-maintainer upload + * Apply security fixes from 3.7.2 + - Fixed infinite loop when parsing malformed isakmp packets. + (CAN-2003-0108) + - Fixed infinite loop when parsing malformed BGP packets. + - Fixed buffer overflow with certain malformed NFS packets. + + -- Matt Zimmerman <mdz@debian.org> Thu, 27 Feb 2003 11:00:32 -0500 + +tcpdump (3.7.1-1.1) unstable; urgency=low + + * NMU + * Simple rebuild to deal with libpcap0->libpcap0.7 transition. + Sourceful NMU so that every arch rebuilds it. + + -- LaMont Jones <lamont@debian.org> Wed, 14 Aug 2002 21:25:45 -0600 + +tcpdump (3.7.1-1) unstable; urgency=low + + * New upstream release (closes: #138052). + + -- Torsten Landschoff <torsten@debian.org> Sat, 3 Aug 2002 23:54:04 +0200 + +tcpdump (3.6.2-2) unstable; urgency=HIGH + + * print-rx.c: Take the version from current CVS fixing the remote + buffer overflow reported in FreeBSD Security Advisory SA-01:48 + yesterday. Thanks to Matt Zimmerman for forwarding the report, + I might have missed it. + * debian/control: Clean the Build-Depends from build-essential + packages. + + -- Torsten Landschoff <torsten@debian.org> Thu, 19 Jul 2001 15:03:48 +0200 + +tcpdump (3.6.2-1) unstable; urgency=low + + * New upstream release. + + -- Torsten Landschoff <torsten@debian.org> Tue, 6 Mar 2001 04:18:16 +0100 + +tcpdump (3.6.1-2) unstable; urgency=low + + * debian/rules: Force support for IPv6 (closes: #82665). + * print-icmp6.c: Removed duplicate definition also in icmp6.h to + get the package to compile with IPv6. + * Rebuild should fix the missing libpcap0-dependency (closes: #82666). + Additional info: The missing dependency was because the configure + script found my libpcap sources in the parent directory. Black magic + always works against you :( + + -- Torsten Landschoff <torsten@debian.org> Thu, 18 Jan 2001 00:44:01 +0100 + +tcpdump (3.6.1-1) unstable; urgency=high + + * Taking back the package. Kudos to Anand for his help. + * New upstream release. This release fixes a security hole in print-rx.c. + * debian/rules: Disable crypto support (closes: #81969). + * Removed empty README.Debian (closes: #81966). + + -- Torsten Landschoff <torsten@debian.org> Tue, 16 Jan 2001 16:04:03 +0100 + +tcpdump (3.5.2-3) unstable; urgency=low + + * Fixup dependancy stuff. Sheesh. (Closes: #78063, #78081, #78082) + + -- Anand Kumria <wildfire@progsoc.org> Tue, 28 Nov 2000 02:16:01 +1100 + +tcpdump (3.5.2-2) unstable; urgency=low + + * Update both config.guess and config.sub (Closes: #36692, #53145) + * Opps, make the .diff available. + * We require a particular libpcap version to work (Closes: #77877) + + -- Anand Kumria <wildfire@progsoc.org> Mon, 27 Nov 2000 01:13:55 +1100 + +tcpdump (3.5.2-1) unstable; urgency=low + + * New Maintainer + * New upstream release (Closes: #75889) + * Upstream added hex dump (-x) and ascii dump (-X) Closes: #23514, #29418) + * Acknowledge and incorporate security fixes (Closes: #63708, #77489) + * Appletalk / Ethertalk patches are in (Closes: #67642) + + -- Anand Kumria <wildfire@progsoc.org> Wed, 22 Nov 2000 13:19:33 +1100 + +tcpdump (3.4a6-4.1) frozen unstable; urgency=high + + * Non-maintainer upload by security team + * Apply patch from tcpdump-workers mailinglist to fix DNS DoS attack + against tcpdump. Based on patch from Guy Harris <gharris@flashcom.net> as + found on http://www.tcpdump.org/lists/workers/1999/msg00607.html + * Fix Build-Depends entry in debian/control + + -- Wichert Akkerman <wakkerma@debian.org> Sun, 7 May 2000 15:17:33 +0200 + +tcpdump (3.4a6-4) unstable; urgency=low + + * New maintainer. + * tcpdump.c (main): Reestablish priviliges before closing the device + (closes: #19959). + * It seems the problem with ppp came from the kernel - I can dump + packages on ppp0 just fine... (closes: #25757) + * print-tcp.c (tcp_print): Applied patch from David S. Miller submitted + by Andrea Arcangeli to fix tcpdump sack TCP option interpretation + (closes: #28530). + * print-bootp.c (rfc1048_print): Interpret timezone offset as signed + (closes: #40376). Fixed byte order problem in printing internet + addresses (closes: #40375). Thanks to Roderick Schertler for the patch. + * Several files: Applied SMB patch from samba.org (closes: #27653). + * print-ip.c (ip_print): Check for ip headers with less than 5 longs. + Patch taken from RedHat's source package. + * Redid debian/rules using debhelper. + * Makefile.in: Install the manpage into man8 instead of man1. + * tcpdump.1: Moved to section 8 (admin commands). + * print-smb.c (print_smb): Disabled anything but printing the command + info by default. Otherwise we would get flooded with smb information. + You can get all info using -vvv. Two -v's will give you the SMB headers. + * tcpdump.1: Documented the behaviour described above. + + -- Torsten Landschoff <torsten@debian.org> Mon, 22 Nov 1999 01:31:44 +0100 + +tcpdump (3.4a6-3) frozen unstable; urgency=low + + * fixed permissions + + -- Peter Tobias <tobias@et-inf.fho-emden.de> Mon, 30 Mar 1998 02:28:39 +0200 + + +tcpdump (3.4a6-2) frozen unstable; urgency=low + + * rebuild with latest debmake, fixes #19415 + (should also fix the lintian warnings) + * updated standards-version + + -- Peter Tobias <tobias@et-inf.fho-emden.de> Mon, 30 Mar 1998 00:28:39 +0200 + + +tcpdump (3.4a6-1) unstable; urgency=low + + * updated to latest upstream version, fixes: Bug#17163 + * install changelog.Debian compressed, fixes: Bug#15417 + + -- Peter Tobias <tobias@et-inf.fho-emden.de> Sun, 1 Feb 1998 00:08:31 +0100 + + +tcpdump (3.4a4-1) unstable; urgency=low + + * updated to latest upstream version + * libc6 version + + -- Peter Tobias <tobias@et-inf.fho-emden.de> Wed, 17 Sep 1997 23:22:54 +0200 + + +tcpdump (3.3.1a2-1) frozen stable unstable; urgency=medium + + * updated to latest upstream version (works with new libpcap now) + + -- Peter Tobias <tobias@et-inf.fho-emden.de> Sat, 24 May 1997 00:49:17 +0200 + + +tcpdump (3.3-2) unstable; urgency=low + + * fixed SLIP support + + -- Peter Tobias <tobias@et-inf.fho-emden.de> Sun, 16 Feb 1997 21:06:51 +0100 + + +tcpdump (3.3-1) unstable; urgency=low + + * updated to latest upstream version + + -- Peter Tobias <tobias@et-inf.fho-emden.de> Thu, 16 Jan 1997 01:34:00 +0100 diff --git a/debian/control b/debian/control new file mode 100644 index 0000000..368fca9 --- /dev/null +++ b/debian/control @@ -0,0 +1,34 @@ +Source: tcpdump +Section: net +Priority: optional +Maintainer: Romain Francoise <rfrancoise@debian.org> +Build-Depends: debhelper-compat (= 13), + dh-apparmor, + dpkg-dev (>= 1.16.1~), + libpcap0.8-dev (>= 1.9.1), + libssl-dev +Standards-Version: 4.6.2 +Rules-Requires-Root: no +Homepage: https://www.tcpdump.org/ +Vcs-Browser: https://salsa.debian.org/rfrancoise/tcpdump +Vcs-Git: https://salsa.debian.org/rfrancoise/tcpdump.git + +Package: tcpdump +Architecture: any +Depends: adduser, + ${misc:Depends}, + ${shlibs:Depends} +Breaks: apparmor-profiles-extra (<< 1.12~) +Replaces: apparmor-profiles-extra (<< 1.12~) +Suggests: apparmor (>= 2.3) +Multi-Arch: foreign +Description: command-line network traffic analyzer + This program allows you to dump the traffic on a network. tcpdump + is able to examine IPv4, ICMPv4, IPv6, ICMPv6, UDP, TCP, SNMP, AFS + BGP, RIP, PIM, DVMRP, IGMP, SMB, OSPF, NFS and many other packet + types. + . + It can be used to print out the headers of packets on a network + interface, filter packets that match a certain expression. You can + use this tool to track down network problems, to detect attacks + or to monitor network activities. diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 0000000..89dfce3 --- /dev/null +++ b/debian/copyright @@ -0,0 +1,149 @@ +This package was debianized by Anand Kumria <wildfire@progsoc.org> on +Wed, 22 Nov 2000 13:19:33 +1100, then maintained by Torsten Landschoff +<torsten@debian.org> and Romain Francoise <rfrancoise@debian.org>. + +It was downloaded from http://www.tcpdump.org/ + +Upstream Authors: tcpdump-workers@tcpdump.org + +Licensed under the 3-clause BSD license: + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in + the documentation and/or other materials provided with the + distribution. + 3. The names of the authors may not be used to endorse or promote + products derived from this software without specific prior + written permission. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR + IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED + WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. + +Some files in this package are licensed under the 4-clause BSD license, +the copyright on most of them belongs to The Regents of the University +of California. Since the license was retroactively changed in 1999 to +remove the advertising clause, they are effectively under the 3-clause +license even if the text of the license in the files hasn't been +updated. See the following document for more details: + + <URL: ftp://ftp.cs.berkeley.edu/pub/4bsd/README.Impt.License.Change> + +Other files under the 4-clause BSD license and whose copyright doesn't +belong to the The Regents of the University of California are listed +below: +- aodv.h, Copyright (c) 2003 Bruce M. Simpson +- atmuni31.h, Copyright (c) 1997 Yen Yen Lim and North Dakota State University +- ieee802_11.h, Copyright (c) 2001 Fortress Technologies and Charlie Lenahan +- print-802_11.c, Copyright (c) 2001 Fortress Technologies and Charlie Lenahan +- print-aodv.c, Copyright (c) 2003 Bruce M. Simpson +- print-ascii.c, Copyright (c) 1997, 1998 The NetBSD Foundation, Inc. +- print-cnfp.c, Copyright (c) 1998 Michael Shalayeff +- print-gre.c, Copyright (c) 2002 Jason L. Wright +- print-mobile.c, Copyright (c) 1998 The NetBSD Foundation, Inc. +- print-sunatm.c, Copyright (c) 1997 Yen Yen Lim and North Dakota State + University +- print-telnet.c, Copyright (c) 1997, 1998 The NetBSD Foundation, Inc. +- print-timed.c, Copyright (c) 2000 Ben Smithurst +- missing/inet_aton.c, Copyright (c) 1995, 1996, 1997 Kungliga Tekniska + Högskolan (Royal Institute of Technology, Stockholm, + Sweden). +- missing/inet_ntop.c, Copyright (c) 1995, 1996, 1997 Kungliga Tekniska + Högskolan (Royal Institute of Technology, Stockholm, + Sweden). +- missing/inet_pton.c, Copyright (c) 1995, 1996, 1997 Kungliga Tekniska + Högskolan (Royal Institute of Technology, Stockholm, + Sweden). + +Current upstream maintainers: + Bill Fenner <fenner@research.att.com> + Fulvio Risso <risso@polito.it> + Guy Harris <guy@alum.mit.edu> + Hannes Gredler <hannes@juniper.net> + Jun-ichiro itojun Hagino <itojun@iijlab.net> + Michael Richardson <mcr@sandelman.ottawa.on.ca> + +Additional people who have contributed patches: + + Alan Bawden <Alan@LCS.MIT.EDU> + Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> + Albert Chin <china@thewrittenword.com> + Andrew Brown <atatat@atatdot.net> + Antti Kantee <pooka@netbsd.org> + Arkadiusz Miskiewicz <misiek@pld.org.pl> + Armando L. Caro Jr. <acaro@mail.eecis.udel.edu> + Assar Westerlund <assar@sics.se> + Brian Ginsbach <ginsbach@cray.com> + Charles M. Hannum <mycroft@netbsd.org> + Chris G. Demetriou <cgd@netbsd.org> + Chris Pepper <pepper@mail.reppep.com> + Darren Reed <darrenr@reed.wattle.id.au> + David Kaelbling <drk@sgi.com> + David Young <dyoung@ojctech.com> + Don Ebright <Don.Ebright@compuware.com> + Eric Anderson <anderse@hpl.hp.com> + Franz Schaefer <schaefer@mond.at> + Gianluca Varenni <varenni@netgroup-serv.polito.it> + Gisle Vanem <giva@bgnett.no> + Graeme Hewson <ghewson@cix.compulink.co.uk> + Greg Stark <gsstark@mit.edu> + Greg Troxel <gdt@ir.bbn.com> + Guillaume Pelat <endymion_@users.sourceforge.net> + Hyung Sik Yoon <hsyn@kr.ibm.com> + Igor Khristophorov <igor@atdot.org> + Jan-Philip Velders <jpv@veldersjes.net> + Jason R. Thorpe <thorpej@netbsd.org> + Javier Achirica <achirica@ttd.net> + Jean Tourrilhes <jt@hpl.hp.com> + Jefferson Ogata <jogata@nodc.noaa.gov> + Jesper Peterson <jesper@endace.com> + John Bankier <jbankier@rainfinity.com> + Jon Lindgren <jonl@yubyub.net> + Juergen Schoenwaelder <schoenw@ibr.cs.tu-bs.de> + Kazushi Sugyo <sugyo@pb.jp.nec.com> + Klaus Klein <kleink@netbsd.org> + Koryn Grant <koryn@endace.com> + Krzysztof Halasa <khc@pm.waw.pl> + Lorenzo Cavallaro <sullivan@sikurezza.org> + Loris Degioanni <loris@netgroup-serv.polito.it> + Love Hörnquist-Åstrand <lha@stacken.kth.se> + Maciej W. Rozycki <macro@ds2.pg.gda.pl> + Marcus Felipe Pereira <marcus@task.com.br> + Martin Husemann <martin@netbsd.org> + Mike Wiacek <mike@iroot.net> + Monroe Williams <monroe@pobox.com> + Octavian Cerna <tavy@ylabs.com> + Olaf Kirch <okir@caldera.de> + Onno van der Linden <onno@simplex.nl> + Paul Mundt <lethal@linux-sh.org> + Pavel Kankovsky <kan@dcit.cz> + Peter Fales <peter@fales-lorenz.net> + Peter Jeremy <peter.jeremy@alcatel.com.au> + Phil Wood <cpw@lanl.gov> + Rafal Maszkowski <rzm@icm.edu.pl> + Rick Jones <raj@cup.hp.com> + Scott Barron <sb125499@ohiou.edu> + Scott Gifford <sgifford@tir.com> + Sebastian Krahmer <krahmer@cs.uni-potsdam.de> + Shaun Clowes <delius@progsoc.uts.edu.au> + Solomon Peachy <pizza@shaftnet.org> + Stefan Hudson <hudson@mbay.net> + Takashi Yamamoto <yamt@mwd.biglobe.ne.jp> + Tony Li <tli@procket.com> + Torsten Landschoff <torsten@debian.org> + Uns Lider <unslider@miranda.org> + Uwe Girlich <Uwe.Girlich@philosys.de> + Xianjie Zhang <xzhang@cup.hp.com> + Yen Yen Lim + Yoann Vandoorselaere <yoann@prelude-ids.org> + +The original LBL crew: + Steve McCanne + Craig Leres + Van Jacobson diff --git a/debian/patches/drop-privs-after-opening-savefile.diff b/debian/patches/drop-privs-after-opening-savefile.diff new file mode 100644 index 0000000..a4c856a --- /dev/null +++ b/debian/patches/drop-privs-after-opening-savefile.diff @@ -0,0 +1,91 @@ +Description: Drop root privileges after opening savefile +Forwarded: not-needed +Bug-Debian: https://bugs.debian.org/935112 +Origin: https://src.fedoraproject.org/rpms/tcpdump/raw/master/f/0003-Drop-root-priviledges-before-opening-first-savefile-.patch +--- + tcpdump.1.in | 7 ++++++- + tcpdump.c | 30 ++++++++++++++++++++++++++++++ + 2 files changed, 36 insertions(+), 1 deletion(-) + +--- a/tcpdump.1.in ++++ b/tcpdump.1.in +@@ -269,6 +269,9 @@ + flag, with a number after it, starting at 1 and continuing upward. + The units of \fIfile_size\fP are millions of bytes (1,000,000 bytes, + not 1,048,576 bytes). ++ ++Note that when used with \fB\-Z\fR option (enabled by default), privileges ++are dropped before opening first savefile. + .TP + .B \-d + Dump the compiled packet-matching code in a human readable form to +@@ -966,12 +969,14 @@ + If + .I tcpdump + is running as root, after opening the capture device or input savefile, +-but before opening any savefiles for output, change the user ID to ++change the user ID to + .I user + and the group ID to the primary group of + .IR user . + .IP +-This behavior can also be enabled by default at compile time. ++This behavior is enabled by default (\fB\-Z tcpdump\fR), and can ++be disabled by \fB\-Z root\fR. ++ + .IP "\fI expression\fP" + .RS + selects which packets will be dumped. +--- a/tcpdump.c ++++ b/tcpdump.c +@@ -1510,6 +1510,7 @@ + cap_rights_t rights; + int cansandbox; + #endif /* HAVE_CAPSICUM */ ++ int chown_flag = 0; + int Oflag = 1; /* run filter code optimizer */ + int yflag_dlt = -1; + const char *yflag_dlt_name = NULL; +@@ -2338,6 +2339,19 @@ + } + capng_apply(CAPNG_SELECT_BOTH); + #endif /* HAVE_LIBCAP_NG */ ++ /* If user is running tcpdump as root and wants to write to the savefile, ++ * we will check if -C is set and if it is, we will drop root ++ * privileges right away and consequent call to>pcap_dump_open() ++ * will most likely fail for the first file. If -C flag is not set we ++ * will create file as root then change ownership of file to proper ++ * user(default tcpdump) and drop root privileges. ++ */ ++ if (WFileName) ++ if (Cflag && (username || chroot_dir)) ++ droproot(username, chroot_dir); ++ else ++ chown_flag = 1; ++ else + if (username || chroot_dir) + droproot(username, chroot_dir); + +@@ -2395,6 +2409,22 @@ + #endif /* HAVE_LIBCAP_NG */ + if (pdd == NULL) + error("%s", pcap_geterr(pd)); ++ ++ /* Change ownership of file and drop root privileges */ ++ if (chown_flag) { ++ struct passwd *pwd; ++ ++ pwd = getpwnam(username); ++ if (!pwd) ++ error("Couldn't find user '%s'", username); ++ ++ if (strcmp(WFileName, "-") && chown(dumpinfo.CurrentFileName, pwd->pw_uid, pwd->pw_gid) < 0) ++ error("Couldn't change ownership of savefile"); ++ ++ if (username || chroot_dir) ++ droproot(username, chroot_dir); ++ } ++ + #ifdef HAVE_CAPSICUM + set_dumper_capsicum_rights(pdd); + #endif diff --git a/debian/patches/drop-privs-only-if-non-root.diff b/debian/patches/drop-privs-only-if-non-root.diff new file mode 100644 index 0000000..e7001b7 --- /dev/null +++ b/debian/patches/drop-privs-only-if-non-root.diff @@ -0,0 +1,41 @@ +From dec0e5183c026ccef342ba3a877c13c1cdab61d5 Mon Sep 17 00:00:00 2001 +From: Martin Willi <martin@strongswan.org> +Date: Tue, 12 Nov 2019 13:43:31 +0100 +Subject: [PATCH] Skip privilege dropping when using -Z root on --with-user + builds + +Distributions which started building --with-user to switch to an +unpriviliged user claim that the old behavior of running under root +can be restored by passing "-Z root" on the command line. However, +doing so is different from not using --with-user, as tcpdump still +drops privileges and sets supplementary user groups. + +In Linux containers using user namespaces with an in-container root +user mapped to an unprivileged external user, calling setgroups() is +usually denied, as it would allow that unprivileged user to leave +groups (see user_namespaces(7) for details). Passing "-Z root" on +a --with-user build still goes through initgroups() and therefore +setgroups(), which will fail in such a container environment. This +makes tcpdump builds using --with-user effectively unusable in such +containers. + +Adjust the "-Z root" fallback to skip any privilege dropping and +supplementary group setup, making it identical to builds not using +--with-user. +--- + tcpdump.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tcpdump.c b/tcpdump.c +index 219ac2a2b..36ba60c17 100644 +--- a/tcpdump.c ++++ b/tcpdump.c +@@ -2078,6 +2078,8 @@ main(int argc, char **argv) + /* Run with '-Z root' to restore old behaviour */ + if (!username) + username = WITH_USER; ++ else if (strcmp(username, "root") == 0) ++ username = NULL; + } + #endif + diff --git a/debian/patches/drop-privs-silently.diff b/debian/patches/drop-privs-silently.diff new file mode 100644 index 0000000..b4a5412 --- /dev/null +++ b/debian/patches/drop-privs-silently.diff @@ -0,0 +1,29 @@ +Description: Drop root privileges silently as it's the default +Forwarded: not-needed +Bug-Debian: https://bugs.debian.org/935112 +Origin: vendor, https://src.fedoraproject.org/rpms/tcpdump/raw/master/f/0008-Don-t-print-out-we-dropped-root-we-are-always-droppi.patch +--- + tcpdump.c | 5 ----- + 1 file changed, 5 deletions(-) + +--- a/tcpdump.c ++++ b/tcpdump.c +@@ -788,8 +788,6 @@ + int ret = capng_change_id(pw->pw_uid, pw->pw_gid, CAPNG_NO_FLAG); + if (ret < 0) + error("capng_change_id(): return %d\n", ret); +- else +- fprintf(stderr, "dropped privs to %s\n", username); + } + #else + if (initgroups(pw->pw_name, pw->pw_gid) != 0 || +@@ -799,9 +797,6 @@ + (unsigned long)pw->pw_uid, + (unsigned long)pw->pw_gid, + pcap_strerror(errno)); +- else { +- fprintf(stderr, "dropped privs to %s\n", username); +- } + #endif /* HAVE_LIBCAP_NG */ + } else + error("Couldn't find user '%.32s'", username); diff --git a/debian/patches/install.diff b/debian/patches/install.diff new file mode 100644 index 0000000..69a550f --- /dev/null +++ b/debian/patches/install.diff @@ -0,0 +1,26 @@ +Description: Change man page install paths for Debian and don't install a versioned binary. +Forwarded: not-needed +Author: Romain Francoise <rfrancoise@debian.org> + +--- a/Makefile.in ++++ b/Makefile.in +@@ -424,15 +424,14 @@ + [ -d $(DESTDIR)$(bindir) ] || \ + (mkdir -p $(DESTDIR)$(bindir); chmod 755 $(DESTDIR)$(bindir)) + $(INSTALL_PROGRAM) $(PROG) $(DESTDIR)$(bindir)/$(PROG) +- $(INSTALL_PROGRAM) $(PROG) $(DESTDIR)$(bindir)/$(PROG).`cat ${srcdir}/VERSION` +- [ -d $(DESTDIR)$(mandir)/man1 ] || \ +- (mkdir -p $(DESTDIR)$(mandir)/man1; chmod 755 $(DESTDIR)$(mandir)/man1) +- $(INSTALL_DATA) $(PROG).1 $(DESTDIR)$(mandir)/man1/$(PROG).1 ++ [ -d $(DESTDIR)$(mandir)/man8 ] || \ ++ (mkdir -p $(DESTDIR)$(mandir)/man8; chmod 755 $(DESTDIR)$(mandir)/man8) ++ $(INSTALL_DATA) $(PROG).1 $(DESTDIR)$(mandir)/man8/$(PROG).8 + + uninstall: + rm -f $(DESTDIR)$(bindir)/$(PROG) + rm -f $(DESTDIR)$(bindir)/$(PROG).`cat ${srcdir}/VERSION` +- rm -f $(DESTDIR)$(mandir)/man1/$(PROG).1 ++ rm -f $(DESTDIR)$(mandir)/man8/$(PROG).8 + + lint: + lint -hbxn $(SRC) $(LIBNETDISSECT_SRC) | \ diff --git a/debian/patches/man-section.diff b/debian/patches/man-section.diff new file mode 100644 index 0000000..83df10d --- /dev/null +++ b/debian/patches/man-section.diff @@ -0,0 +1,15 @@ +Description: Change man page section +Forwarded: not-needed +Author: Romain Francoise <rfrancoise@debian.org> + +--- a/tcpdump.1.in ++++ b/tcpdump.1.in +@@ -20,7 +20,7 @@ + .\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF + .\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. + .\" +-.TH TCPDUMP 1 "12 March 2023" ++.TH TCPDUMP 8 "12 March 2023" + .SH NAME + tcpdump \- dump traffic on a network + .SH SYNOPSIS diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..297b6c9 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1,5 @@ +drop-privs-after-opening-savefile.diff +drop-privs-silently.diff +drop-privs-only-if-non-root.diff +install.diff +man-section.diff diff --git a/debian/rules b/debian/rules new file mode 100755 index 0000000..6b41603 --- /dev/null +++ b/debian/rules @@ -0,0 +1,14 @@ +#!/usr/bin/make -f + +export DEB_BUILD_MAINT_OPTIONS = hardening=+all +export DEB_CFLAGS_MAINT_APPEND = -D_FILE_OFFSET_BITS=64 + +%: + dh $@ + +override_dh_auto_configure: + dh_auto_configure -- --with-crypto=yes --with-user=tcpdump + +override_dh_installdeb: + dh_apparmor --profile-name=usr.bin.tcpdump -ptcpdump + dh_installdeb diff --git a/debian/salsa-ci.yml b/debian/salsa-ci.yml new file mode 100644 index 0000000..1e7946b --- /dev/null +++ b/debian/salsa-ci.yml @@ -0,0 +1,7 @@ +--- +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml + +variables: + SALSA_CI_DISABLE_REPROTEST: 1 diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 0000000..163aaf8 --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (quilt) diff --git a/debian/tcpdump.docs b/debian/tcpdump.docs new file mode 100644 index 0000000..b43bf86 --- /dev/null +++ b/debian/tcpdump.docs @@ -0,0 +1 @@ +README.md diff --git a/debian/tcpdump.examples b/debian/tcpdump.examples new file mode 100644 index 0000000..793b4e7 --- /dev/null +++ b/debian/tcpdump.examples @@ -0,0 +1,4 @@ +atime.awk +packetdat.awk +send-ack.awk +stime.awk diff --git a/debian/tcpdump.install b/debian/tcpdump.install new file mode 100644 index 0000000..0d477cd --- /dev/null +++ b/debian/tcpdump.install @@ -0,0 +1 @@ +debian/usr.bin.tcpdump etc/apparmor.d diff --git a/debian/tcpdump.lintian-overrides b/debian/tcpdump.lintian-overrides new file mode 100644 index 0000000..df693cf --- /dev/null +++ b/debian/tcpdump.lintian-overrides @@ -0,0 +1 @@ +tcpdump binary: spelling-error-in-binary iif if [usr/bin/tcpdump] diff --git a/debian/tcpdump.maintscript b/debian/tcpdump.maintscript new file mode 100644 index 0000000..0d70dac --- /dev/null +++ b/debian/tcpdump.maintscript @@ -0,0 +1 @@ +mv_conffile /etc/apparmor.d/usr.sbin.tcpdump /etc/apparmor.d/usr.bin.tcpdump 4.99.0~ diff --git a/debian/tcpdump.postinst b/debian/tcpdump.postinst new file mode 100755 index 0000000..a3a5f95 --- /dev/null +++ b/debian/tcpdump.postinst @@ -0,0 +1,28 @@ +#!/bin/sh + +set -e + +if ! getent group tcpdump >/dev/null 2>&1; then + addgroup --system --quiet tcpdump +fi +if ! getent passwd tcpdump >/dev/null 2>&1; then + adduser --system --quiet --ingroup tcpdump \ + --no-create-home --home /nonexistent \ + tcpdump +fi + +# dh_apparmor leaves behind the local profile for the old binary +# location (/usr/sbin/tcpdump), we need to clean it up (#990554). +# +# Only remove it if it's empty, meaning that the system doesn't have +# local configuration. +if dpkg --compare-versions "$2" lt-nl "4.99.1-3~"; then + OLD_LOCAL_APP_PROFILE="/etc/apparmor.d/local/usr.sbin.tcpdump" + if [ -e "$OLD_LOCAL_APP_PROFILE" ]; then + if [ ! -s "$OLD_LOCAL_APP_PROFILE" ]; then + rm -f "$OLD_LOCAL_APP_PROFILE" + fi + fi +fi + +#DEBHELPER# diff --git a/debian/tcpdump.postrm b/debian/tcpdump.postrm new file mode 100755 index 0000000..ce8ded9 --- /dev/null +++ b/debian/tcpdump.postrm @@ -0,0 +1,12 @@ +#!/bin/sh + +set -e + +case "$1" in + purge) + userdel tcpdump >/dev/null 2>&1 || true + groupdel tcpdump >/dev/null 2>&1 || true + ;; +esac + +#DEBHELPER# diff --git a/debian/tests/control b/debian/tests/control new file mode 100644 index 0000000..dce60c3 --- /dev/null +++ b/debian/tests/control @@ -0,0 +1,2 @@ +Test-Command: env TCPDUMP_BIN=/usr/bin/tcpdump ./tests/TESTrun +Restrictions: build-needed diff --git a/debian/upstream/metadata b/debian/upstream/metadata new file mode 100644 index 0000000..ebe8b82 --- /dev/null +++ b/debian/upstream/metadata @@ -0,0 +1,4 @@ +Bug-Database: https://github.com/the-tcpdump-group/tcpdump/issues +Bug-Submit: https://github.com/the-tcpdump-group/tcpdump/issues/new +Repository: https://github.com/the-tcpdump-group/tcpdump.git +Repository-Browse: https://github.com/the-tcpdump-group/tcpdump diff --git a/debian/upstream/signing-key.asc b/debian/upstream/signing-key.asc new file mode 100644 index 0000000..e104b34 --- /dev/null +++ b/debian/upstream/signing-key.asc @@ -0,0 +1,24 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQGRBFGRD2gBDCDcthM1N9jeWic9tD17LsHwWyh/IelKgFMVFShgHk31YsQUetKn +5hGKlW0WU7+r3dsECiqxgyuqeUKvqiZneqma0GDk1n8ucXLc7oFFLrF7qbvssPPM +831014FlzsN82OZZ1SnNUGacdyNzV5myPybKILWemsLuAJaGU60IkAJkTReiaMFR +pB0QmBiqM5KY2SHAkeja2+UhupBw/lHyAwU/KVhkohmvUTJeUBJaKK2gRY7jJQmf +ouTbIe0nKIqDzMmE9GvFhyQmMJzbxAwTfSxSZq3bMCpsyQtjoi2LGQFoMVkI6g7K +IRNWgCqSTHF238VIdOkLzbwuoZAmS+oacXszIln2jLJsKkbiCCOb/lV+5u5O6/wJ +M4RHxCBnkRgBmMLyXSM9qAo1FU5suPqf01msqvKMsa99lTF6kIWurR/7rw4S2bNl +iaMqHNHliFNfaAE42S8as+Pw5Rhq2SJczWyd8rYw/q1IIZyKLO1oGn6ZRt+EQ7BS +8nlREmT/MDqP0rgrpvRrABEBAAG0PVRoZSBUY3BkdW1wIEdyb3VwIChQYWNrYWdl +IHNpZ25pbmcga2V5KSA8cmVsZWFzZUB0Y3BkdW1wLm9yZz6JAcIEEwECACgFAlGR +D2gCGwMFCRLMAwAGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEOCJ3vHZwV0N +wPAMH22fmTbjByMSvR/gxDFA26ULgf02qZzqYlRLKB7EDbEjB1Ga6PrLB22Sn/b5 +8fxNw/9zH0EPkorv0YnBhinE51jLmZ99Sk5eGFIMcCkNAOOhadFZGGKarekEPwNB +oDtxCuSuOQ0JVvyn5fLcbA5u3+LBvHvbnUKgCpiXahpq15bZiS1aoVkdXknUQVO+ +bU6Y2lj3m8Q1C6t+J29UvbyixgQhFeTkl25NZkTS6Cqds5F9q3nUBD/7gvQbATBy +A+p+iWLHqt1s4c5UHRzriuLyBbnJgOEI13pNbgFIoKhbCSGQj0uQVZORmzzqs0nh +QXtj+JPOAMd619mHjmhXItgqu2llywQ36tXTEdRoUjJmgMkoqXtZQ8XDVdJ6f/sG +OJDHCctr5aVanWierzePl1PvWPWeC9mnB6Nnxuah+8zQFb4wXUnYO09OX47UgQlu +mE9/lZfY7okIODVrXjqbPVxSBLzCzptBrkeZ3brkrl5oCdYlWsUiQCY0hO6jzMEd +CnxEp1kkn2c= +=2mPY +-----END PGP PUBLIC KEY BLOCK----- diff --git a/debian/usr.bin.tcpdump b/debian/usr.bin.tcpdump new file mode 100644 index 0000000..510a5ad --- /dev/null +++ b/debian/usr.bin.tcpdump @@ -0,0 +1,71 @@ +# vim:syntax=apparmor +#include <tunables/global> + +profile tcpdump /usr/bin/tcpdump { + #include <abstractions/base> + #include <abstractions/nameservice> + #include <abstractions/user-tmp> + + capability net_raw, + capability setuid, + capability setgid, + capability dac_override, + capability chown, + network raw, + network packet, + + # for -D + @{PROC}/bus/usb/ r, + @{PROC}/bus/usb/** r, + + # for finding an interface + /dev/ r, + @{PROC}/[0-9]*/net/dev r, + /sys/bus/usb/devices/ r, + /sys/class/net/ r, + /sys/devices/**/net/** r, + + # for -j + capability net_admin, + + # for tracing USB bus, which libpcap supports + /dev/usbmon* r, + /dev/bus/usb/ r, + /dev/bus/usb/** r, + + # for init_etherarray(), with -e + /etc/ethers r, + + # for USB probing (see libpcap-1.1.x/pcap-usb-linux.c:probe_devices()) + /dev/bus/usb/**/[0-9]* w, + + # for -z + /{usr/,}bin/gzip ixr, + /{usr/,}bin/bzip2 ixr, + + # for -F and -w + audit deny @{HOME}/.* mrwkl, + audit deny @{HOME}/.*/ rw, + audit deny @{HOME}/.*/** mrwkl, + audit deny @{HOME}/bin/ rw, + audit deny @{HOME}/bin/** mrwkl, + owner @{HOME}/ r, + owner @{HOME}/** rw, + + # for -r, -F and -w + /**.[pP][cC][aA][pP] rw, + /**.[pP][cC][aA][pP][nN][gG] rw, + /**.[cC][aA][pP] rw, + # -W adds a numerical suffix + /**.[pP][cC][aA][pP][0-9]* rw, + /**.[pP][cC][aA][pP][nN][gG][0-9]* rw, + /**.[cC][aA][pP][0-9]* rw, + + # for convenience with -r (ie, read pcap files from other sources) + /var/log/snort/*log* r, + + /usr/bin/tcpdump mr, + + # Site-specific additions and overrides. See local/README for details. + #include <local/usr.bin.tcpdump> +} diff --git a/debian/watch b/debian/watch new file mode 100644 index 0000000..634e3ac --- /dev/null +++ b/debian/watch @@ -0,0 +1,2 @@ +version=4 +opts="pgpsigurlmangle=s%$%.sig%" https://www.tcpdump.org release/tcpdump-([\d\.]*).tar.gz |