From 471510bb66f2f03b6cbfed6f342eac05111f5c5f Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Tue, 3 Nov 2020 06:59:02 -0500
Subject: [PATCH] import tcpdump-4.9.3-1.el8

---
 .gitignore                                    |   2 +-
 .tcpdump.metadata                             |   2 +-
 ...hable-Time-and-Retransmit-Time-from-.patch |  26 ----
 ...we-dropped-root-we-are-always-droppi.patch |  36 -----
 ...0009-Change-n-flag-to-nn-in-TESTonce.patch |  17 +--
 ...ds-instead-of-seconds-in-icmp-captur.patch |  45 ------
 SOURCES/0011-Evp-cipher-buffers.patch         | 128 +-----------------
 ...tcpdump-stack-based-buffer-over-read.patch |  26 ----
 SOURCES/tcpdump-4.9.2.tar.gz.sig              | Bin 442 -> 0 bytes
 SOURCES/tcpdump-4.9.3.tar.gz.sig              | Bin 0 -> 442 bytes
 SPECS/tcpdump.spec                            |  11 +-
 11 files changed, 18 insertions(+), 275 deletions(-)
 delete mode 100644 SOURCES/0001-icmp6-print-Reachable-Time-and-Retransmit-Time-from-.patch
 delete mode 100644 SOURCES/0008-Don-t-print-out-we-dropped-root-we-are-always-droppi.patch
 delete mode 100644 SOURCES/0010-Expect-miliseconds-instead-of-seconds-in-icmp-captur.patch
 delete mode 100644 SOURCES/0014-CVE-2018-19519-tcpdump-stack-based-buffer-over-read.patch
 delete mode 100644 SOURCES/tcpdump-4.9.2.tar.gz.sig
 create mode 100644 SOURCES/tcpdump-4.9.3.tar.gz.sig

diff --git a/.gitignore b/.gitignore
index 8b13cdc..e45ade0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/tcpdump-4.9.2.tar.gz
+SOURCES/tcpdump-4.9.3.tar.gz
 SOURCES/tcpslice-1.2a3.tar.gz
diff --git a/.tcpdump.metadata b/.tcpdump.metadata
index 0bccb2a..7eaf682 100644
--- a/.tcpdump.metadata
+++ b/.tcpdump.metadata
@@ -1,2 +1,2 @@
-f7dccebe94c3d07ac8744d43297ea2b98b35a13f SOURCES/tcpdump-4.9.2.tar.gz
+59b309f3620ac4b709de2eaf7bf3a83bf04bc048 SOURCES/tcpdump-4.9.3.tar.gz
 98790301cb1bf4399a95153bc62d49b3f5808994 SOURCES/tcpslice-1.2a3.tar.gz
diff --git a/SOURCES/0001-icmp6-print-Reachable-Time-and-Retransmit-Time-from-.patch b/SOURCES/0001-icmp6-print-Reachable-Time-and-Retransmit-Time-from-.patch
deleted file mode 100644
index c5e54ae..0000000
--- a/SOURCES/0001-icmp6-print-Reachable-Time-and-Retransmit-Time-from-.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From f19e0376b8e98b38240d28eb9e6f78c465bb1c6e Mon Sep 17 00:00:00 2001
-From: rpm-build <rpm-build>
-Date: Mon, 20 Oct 2014 13:34:24 +0200
-Subject: [PATCH 1/8] icmp6: print Reachable Time and Retransmit Time from
- ICMPv6 as milliseconds
-
----
- print-icmp6.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/print-icmp6.c b/print-icmp6.c
-index 7fe639d..cfaa2df 100644
---- a/print-icmp6.c
-+++ b/print-icmp6.c
-@@ -1034,7 +1034,7 @@ icmp6_print(netdissect_options *ndo,
- 			p = (const struct nd_router_advert *)dp;
- 			ND_TCHECK(p->nd_ra_retransmit);
- 			ND_PRINT((ndo,"\n\thop limit %u, Flags [%s]" \
--                                  ", pref %s, router lifetime %us, reachable time %us, retrans time %us",
-+                                  ", pref %s, router lifetime %us, reachable time %ums, retrans time %ums",
-                                   (u_int)p->nd_ra_curhoplimit,
-                                   bittok2str(icmp6_opt_ra_flag_values,"none",(p->nd_ra_flags_reserved)),
-                                   get_rtpref(p->nd_ra_flags_reserved),
--- 
-2.9.3
-
diff --git a/SOURCES/0008-Don-t-print-out-we-dropped-root-we-are-always-droppi.patch b/SOURCES/0008-Don-t-print-out-we-dropped-root-we-are-always-droppi.patch
deleted file mode 100644
index 2e4551c..0000000
--- a/SOURCES/0008-Don-t-print-out-we-dropped-root-we-are-always-droppi.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From d5508c13119404102104a3935e7445c9fddf79b5 Mon Sep 17 00:00:00 2001
-From: rpm-build <rpm-build>
-Date: Fri, 3 Feb 2017 09:43:03 +0100
-Subject: [PATCH 8/8] Don't print out we dropped root, we are always dropping
- it
-
----
- tcpdump.c | 5 -----
- 1 file changed, 5 deletions(-)
-
-diff --git a/tcpdump.c b/tcpdump.c
-index 29f7f87..18c4a5c 100644
---- a/tcpdump.c
-+++ b/tcpdump.c
-@@ -618,8 +618,6 @@ droproot(const char *username, const char *chroot_dir)
- 			int ret = capng_change_id(pw->pw_uid, pw->pw_gid, CAPNG_NO_FLAG);
- 			if (ret < 0) {
- 				fprintf(stderr, "error : ret %d\n", ret);
--			} else {
--				fprintf(stderr, "dropped privs to %s\n", username);
- 			}
- 		}
- #else
-@@ -632,9 +630,6 @@ droproot(const char *username, const char *chroot_dir)
- 				pcap_strerror(errno));
- 			exit_tcpdump(1);
- 		}
--		else {
--			fprintf(stderr, "dropped privs to %s\n", username);
--		}
- #endif /* HAVE_LIBCAP_NG */
- 	}
- 	else {
--- 
-2.9.3
-
diff --git a/SOURCES/0009-Change-n-flag-to-nn-in-TESTonce.patch b/SOURCES/0009-Change-n-flag-to-nn-in-TESTonce.patch
index 53a9556..d106be3 100644
--- a/SOURCES/0009-Change-n-flag-to-nn-in-TESTonce.patch
+++ b/SOURCES/0009-Change-n-flag-to-nn-in-TESTonce.patch
@@ -10,18 +10,15 @@ flag than upstream does. We use -nn in those cases.
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/tests/TESTonce b/tests/TESTonce
-index 7026624..e348701 100755
+index 425abaa..81283d9 100755
 --- a/tests/TESTonce
 +++ b/tests/TESTonce
-@@ -21,7 +21,7 @@ if ($^O eq 'MSWin32') {
+@@ -43,7 +43,7 @@ if ($^O eq 'MSWin32') {
  else {
      # we used to do this as a nice pipeline, but the problem is that $r fails to
      # to be set properly if the tcpdump core dumps.
--    $r = system "../tcpdump 2>/dev/null -n -t -r $input $options >NEW/$output";
-+    $r = system "../tcpdump 2>/dev/null -nn -t -r $input $options >NEW/$output";
-     if($r != 0) {
-         # this means tcpdump failed.
-         open(OUTPUT, ">>"."NEW/$output") || die "fail to open $output\n";
--- 
-2.13.5
-
+-    $cmd = "$TCPDUMP 2>${rawstderrlog} -t -n -r $input $options >tests/NEW/${outputbase}";
++    $cmd = "$TCPDUMP 2>${rawstderrlog} -t -nn -r $input $options >tests/NEW/${outputbase}";
+     print "CMD: $cmd\n" if $debug;
+     $r = system $cmd;
+     if($r == -1) {
diff --git a/SOURCES/0010-Expect-miliseconds-instead-of-seconds-in-icmp-captur.patch b/SOURCES/0010-Expect-miliseconds-instead-of-seconds-in-icmp-captur.patch
deleted file mode 100644
index 30502b8..0000000
--- a/SOURCES/0010-Expect-miliseconds-instead-of-seconds-in-icmp-captur.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 0ae4aa1881bbe40443bff802b5e4aa6ca0696dd9 Mon Sep 17 00:00:00 2001
-From: rpm-build <rpm-build>
-Date: Tue, 11 Apr 2017 09:37:53 +0200
-Subject: [PATCH 10/13] Expect miliseconds instead of seconds in icmp capture.
-
-Again this is caused by our patch, so we need to modify tests
-accordingly.
----
- tests/icmpv6.out         | 2 +-
- tests/icmpv6_opt24-v.out | 4 ++--
- 2 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/tests/icmpv6.out b/tests/icmpv6.out
-index bb7775e..8979540 100644
---- a/tests/icmpv6.out
-+++ b/tests/icmpv6.out
-@@ -1,5 +1,5 @@
- IP6 (hlim 255, next-header ICMPv6 (58) payload length: 176) fe80::b299:28ff:fec8:d66c > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 176
--	hop limit 64, Flags [home agent], pref medium, router lifetime 15s, reachable time 0s, retrans time 0s
-+	hop limit 64, Flags [home agent], pref medium, router lifetime 15s, reachable time 0ms, retrans time 0ms
- 	  prefix info option (3), length 32 (4): 2222:3333:4444:5555:6600::/72, Flags [onlink, auto], valid time 2592000s, pref. time 604800s
- 	    0x0000:  48c0 0027 8d00 0009 3a80 0000 0000 2222
- 	    0x0010:  3333 4444 5555 6600 0000 0000 0000
-diff --git a/tests/icmpv6_opt24-v.out b/tests/icmpv6_opt24-v.out
-index 2b7cf09..00512df 100644
---- a/tests/icmpv6_opt24-v.out
-+++ b/tests/icmpv6_opt24-v.out
-@@ -1,5 +1,5 @@
- IP6 (hlim 255, next-header ICMPv6 (58) payload length: 120) fe80::16cf:92ff:fe87:23d6 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 120
--	hop limit 0, Flags [managed, other stateful], pref medium, router lifetime 0s, reachable time 0s, retrans time 0s
-+	hop limit 0, Flags [managed, other stateful], pref medium, router lifetime 0s, reachable time 0ms, retrans time 0ms
- 	  source link-address option (1), length 8 (1): 14:cf:92:87:23:d6
- 	  mtu option (5), length 8 (1):  1500
- 	  prefix info option (3), length 32 (4): fd8d:4fb3:5b2e::/64, Flags [onlink, auto], valid time 7200s, pref. time 1800s
-@@ -7,7 +7,7 @@ IP6 (hlim 255, next-header ICMPv6 (58) payload length: 120) fe80::16cf:92ff:fe87
- 	  rdnss option (25), length 24 (3):  lifetime 1800s, addr: fd8d:4fb3:5b2e::1
- 	  dnssl option (31), length 16 (2):  lifetime 1800s, domain(s): lan.
- IP6 (hlim 255, next-header ICMPv6 (58) payload length: 120) fe80::16cf:92ff:fe87:23d6 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 120
--	hop limit 0, Flags [managed, other stateful], pref medium, router lifetime 0s, reachable time 0s, retrans time 0s
-+	hop limit 0, Flags [managed, other stateful], pref medium, router lifetime 0s, reachable time 0ms, retrans time 0ms
- 	  source link-address option (1), length 8 (1): 14:cf:92:87:23:d6
- 	  mtu option (5), length 8 (1):  1500
- 	  prefix info option (3), length 32 (4): fd8d:4fb3:5b2e::/64, Flags [onlink, auto], valid time 7200s, pref. time 1800s
--- 
-2.13.5
diff --git a/SOURCES/0011-Evp-cipher-buffers.patch b/SOURCES/0011-Evp-cipher-buffers.patch
index a271419..2a507ee 100644
--- a/SOURCES/0011-Evp-cipher-buffers.patch
+++ b/SOURCES/0011-Evp-cipher-buffers.patch
@@ -1,133 +1,13 @@
 diff --git a/print-esp.c b/print-esp.c
-index 511ee8a3..5b282526 100644
+index 6fabff1..cdeca9d 100644
 --- a/print-esp.c
 +++ b/print-esp.c
-@@ -192,8 +192,8 @@ int esp_print_decrypt_buffer_by_ikev2(netdissect_options *ndo,
- 	const u_char *iv;
- 	unsigned int len;
- 	EVP_CIPHER_CTX *ctx;
--	unsigned int block_size, output_buffer_size;
--	u_char *output_buffer;
-+	unsigned int block_size, buffer_size;
-+	u_char *input_buffer, *output_buffer;
- 
- 	/* initiator arg is any non-zero value */
- 	if(initiator) initiator=1;
-@@ -228,19 +228,41 @@ int esp_print_decrypt_buffer_by_ikev2(netdissect_options *ndo,
- 		(*ndo->ndo_warning)(ndo, "espkey init failed");
- 	set_cipher_parameters(ctx, NULL, NULL, iv, 0);
- 	/*
--	 * Allocate a buffer for the decrypted data.
--	 * The output buffer must be separate from the input buffer, and
--	 * its size must be a multiple of the cipher block size.
-+	 * Allocate buffers for the encrypted and decrypted data.
-+	 * Both buffers' sizes must be a multiple of the cipher block
-+	 * size, and the output buffer must be separate from the input
-+	 * buffer.
- 	 */
- 	block_size = (unsigned int)EVP_CIPHER_CTX_block_size(ctx);
--	output_buffer_size = len + (block_size - len % block_size);
--	output_buffer = (u_char *)malloc(output_buffer_size);
-+	buffer_size = len + (block_size - len % block_size);
-+
-+	/*
-+	 * Attempt to allocate the input buffer.
-+	 */
-+	input_buffer = (u_char *)malloc(buffer_size);
-+	if (input_buffer == NULL) {
-+		(*ndo->ndo_warning)(ndo, "can't allocate memory for encrypted data buffer");
-+		EVP_CIPHER_CTX_free(ctx);
-+		return 0;
-+	}
-+	/*
-+	 * Copy the input data to the encrypted data buffer, and pad it
-+	 * with zeroes.
-+	 */
-+	memcpy(input_buffer, buf, len);
-+	memset(input_buffer + len, 0, buffer_size - len);
-+
-+	/*
-+	 * Attempt to allocate the output buffer.
-+	 */
-+	output_buffer = (u_char *)malloc(buffer_size);
- 	if (output_buffer == NULL) {
- 		(*ndo->ndo_warning)(ndo, "can't allocate memory for decryption buffer");
-+		free(input_buffer);
+@@ -259,7 +259,7 @@ int esp_print_decrypt_buffer_by_ikev2(netdissect_options *ndo,
  		EVP_CIPHER_CTX_free(ctx);
- 		return 0;
+ 		(*ndo->ndo_error)(ndo, "can't allocate memory for decryption buffer");
  	}
--	EVP_Cipher(ctx, output_buffer, buf, len);
+-	EVP_Cipher(ctx, output_buffer, input_buffer, len);
 +	EVP_Cipher(ctx, output_buffer, input_buffer, buffer_size);
  	EVP_CIPHER_CTX_free(ctx);
  
  	/*
-@@ -249,6 +272,7 @@ int esp_print_decrypt_buffer_by_ikev2(netdissect_options *ndo,
- 	 * but changing this would require a more complicated fix.
- 	 */
- 	memcpy(buf, output_buffer, len);
-+	free(input_buffer);
- 	free(output_buffer);
- 
- 	ndo->ndo_packetp = buf;
-@@ -666,8 +690,8 @@ esp_print(netdissect_options *ndo,
- 	const u_char *ivoff;
- 	const u_char *p;
- 	EVP_CIPHER_CTX *ctx;
--	unsigned int block_size, output_buffer_size;
--	u_char *output_buffer;
-+	unsigned int block_size, buffer_size;
-+	u_char *input_buffer, *output_buffer;
- #endif
- 
- 	esp = (const struct newesp *)bp;
-@@ -784,21 +808,43 @@ esp_print(netdissect_options *ndo,
- 			len = ep - (p + ivlen);
- 
- 			/*
--			 * Allocate a buffer for the decrypted data.
--			 * The output buffer must be separate from the
--			 * input buffer, and its size must be a multiple
--			 * of the cipher block size.
-+			 * Allocate buffers for the encrypted and decrypted
-+			 * data.  Both buffers' sizes must be a multiple of
-+			 * the cipher block size, and the output buffer must
-+			 * be separate from the input buffer.
- 			 */
- 			block_size = (unsigned int)EVP_CIPHER_CTX_block_size(ctx);
--			output_buffer_size = len + (block_size - len % block_size);
--			output_buffer = (u_char *)malloc(output_buffer_size);
-+			buffer_size = len + (block_size - len % block_size);
-+
-+			/*
-+			 * Attempt to allocate the input buffer.
-+			 */
-+			input_buffer = (u_char *)malloc(buffer_size);
-+			if (input_buffer == NULL) {
-+				(*ndo->ndo_warning)(ndo, "can't allocate memory for encrypted data buffer");
-+				EVP_CIPHER_CTX_free(ctx);
-+				return 0;
-+			}
-+			/*
-+			 * Copy the input data to the encrypted data buffer,
-+			 * and pad it with zeroes.
-+			 */
-+			memcpy(input_buffer, p + ivlen, len);
-+			memset(input_buffer + len, 0, buffer_size - len);
-+
-+			/*
-+			 * Attempt to allocate the output buffer.
-+			 */
-+			output_buffer = (u_char *)malloc(buffer_size);
- 			if (output_buffer == NULL) {
- 				(*ndo->ndo_warning)(ndo, "can't allocate memory for decryption buffer");
-+				free(input_buffer);
- 				EVP_CIPHER_CTX_free(ctx);
- 				return -1;
- 			}
- 
--			EVP_Cipher(ctx, output_buffer, p + ivlen, len);
-+			EVP_Cipher(ctx, output_buffer, input_buffer, len);
-+			free(input_buffer);
- 			EVP_CIPHER_CTX_free(ctx);
- 			/*
- 			 * XXX - of course this is wrong, because buf is a
diff --git a/SOURCES/0014-CVE-2018-19519-tcpdump-stack-based-buffer-over-read.patch b/SOURCES/0014-CVE-2018-19519-tcpdump-stack-based-buffer-over-read.patch
deleted file mode 100644
index e340c93..0000000
--- a/SOURCES/0014-CVE-2018-19519-tcpdump-stack-based-buffer-over-read.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From bbae61cda27b8d565456c95a697d9e7ed3298937 Mon Sep 17 00:00:00 2001
-From: rpm-build <rpm-build>
-Date: Tue, 8 Oct 2019 14:32:32 +0200
-Subject: [PATCH] 
- 0015-CVE-2018-19519-tcpdump-stack-based-buffer-over-read.patch
-
----
- print-hncp.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/print-hncp.c b/print-hncp.c
-index 11a6a93..7537a0d 100644
---- a/print-hncp.c
-+++ b/print-hncp.c
-@@ -229,6 +229,8 @@ print_prefix(netdissect_options *ndo, const u_char *prefix, u_int max_length)
-         plenbytes += 1 + IPV4_MAPPED_HEADING_LEN;
-     } else {
-         plenbytes = decode_prefix6(ndo, prefix, max_length, buf, sizeof(buf));
-+        if (plenbytes < 0)
-+            return plenbytes;
-     }
- 
-     ND_PRINT((ndo, "%s", buf));
--- 
-2.21.0
-
diff --git a/SOURCES/tcpdump-4.9.2.tar.gz.sig b/SOURCES/tcpdump-4.9.2.tar.gz.sig
deleted file mode 100644
index 6456b348dab2b183bbaea78235abcb7653a72646..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 442
zcmV;r0Y(0a0k;GI0SEvc79j*57HU^QtGVDLnvF2viQe(q!Cegn0$Ht(7yt?h5a5a4
z@!7#$4M;c)AgDC~CV8>3^xdUrckOV7a-5_T05ZU{6kI#FTB5=5jpO~@e{zdxW-AS(
zA>8w@c^98;l$~#2h0|t}K7=D;wKE-CzILSK1$K-r-T7bl@2p^b(EVu^o4<>cput09
z-zi0e57YQQNweCNQ95W3g5aWleR7jfQ|Z{=83Q-sw{sb`FKDoY%2Vpv6}7z5MUP7P
z@JQIRCQ^gw5YyI1T71|YO1g#Bgp0eit^5Q`?>7Ba58!1uW}Vq{)AN8$YH<y7&<{4I
zvqX09doK1j=K&ziDato|i7(jA2?!ngQvif>!f4}5vh<4UT}PV@=iT8e`=yp->LPg_
zKSE#~6%~FkeXJ&OQ<Qml0B8&!A5eu1{K@_c(>uOfOm0nMfZuy3>y#wQr3HS;GIR{D
zWNY1zz@;sho<dxTr;c%pg>FH&-BCM6D@FTkQ+dj)3L?1Tpc7`$r%O616GHR2^S#ve
k>c+IQlNIxzC%MEW2A$)CM4nX{geu{O*3V!#w)~-fos#X>e*gdg

diff --git a/SOURCES/tcpdump-4.9.3.tar.gz.sig b/SOURCES/tcpdump-4.9.3.tar.gz.sig
new file mode 100644
index 0000000000000000000000000000000000000000..ef927bf9541086cdcb1c31b5ce33e9d38b355ea9
GIT binary patch
literal 442
zcmV;r0Y(0a0k;GI0SEvc79j*57HU^QtGVDLnvF2viQe(q!Cegn0$q|DkN^q^5a5a4
z@!7#$4Q#~>A4IO*)nFcHUfv5*8k5$`S*%%g<oD9&)pz7?w?dCM+XB;n<UwM3xN2g{
z`cL$Z<d?fv;vbxuw^YNgC7T<BSEaEf=Dueg`w0ZjB=X+mKpq460glC@adsxF)LM}e
zeUVu|)5Y_p|I@sN;h9aQ9}EW`)t4sM-2Dj%McG{WyrOoPH~qW=ys}ZtZAoPL?B$E-
z+H#X*mmvBqYHesjMvr<3ag1DsNTVJ)CnhA+l?b_>cm@B$eL<ZgfQ#z_sQE;w6h1^=
zl$@R(vpJEa+85IhLE!gG(@2T)6WYStt<5wA_X7dY%N)qc4Z*86?s2|$5JVb4VxgxO
zrO~O{rxy>!06>_ak%79e+c?^$S;^bu-=V06PyKFg`}WZI_>RXBO&AD%3*)$=bRnO}
zJD}e4bV1mM_sSFRbY6*UX+T#Dc)c_@=#X@LMqaRT;q0@kIZuAK+nmvS`hJ~*OWETM
krD>GSGQJq+S0^^kT3vUF;1k_r^*i6ag|Muj`ed%cdD<l5{{R30

literal 0
HcmV?d00001

diff --git a/SPECS/tcpdump.spec b/SPECS/tcpdump.spec
index e4500d4..ff93b71 100644
--- a/SPECS/tcpdump.spec
+++ b/SPECS/tcpdump.spec
@@ -1,8 +1,8 @@
 Summary: A network traffic monitoring tool
 Name: tcpdump
 Epoch: 14
-Version: 4.9.2
-Release: 6%{?dist}
+Version: 4.9.3
+Release: 1%{?dist}
 License: BSD with advertising
 URL: http://www.tcpdump.org
 Group: Applications/Internet
@@ -13,20 +13,16 @@ Source0: http://www.tcpdump.org/release/tcpdump-%{version}.tar.gz
 Source1: ftp://ftp.ee.lbl.gov/tcpslice-1.2a3.tar.gz
 Source2: http://www.tcpdump.org/release/tcpdump-%{version}.tar.gz.sig
 
-Patch0001:      0001-icmp6-print-Reachable-Time-and-Retransmit-Time-from-.patch
 Patch0002:      0002-Use-getnameinfo-instead-of-gethostbyaddr.patch
 Patch0003:      0003-Drop-root-priviledges-before-opening-first-savefile-.patch
 Patch0004:      0004-tcpslice-update-tcpslice-patch-to-1.2a3.patch
 Patch0005:      0005-tcpslice-remove-unneeded-include.patch
 Patch0006:      0006-tcpslice-don-t-test-the-pointer-but-pointee-for-NULL.patch
 Patch0007:      0007-Introduce-nn-option.patch
-Patch0008:      0008-Don-t-print-out-we-dropped-root-we-are-always-droppi.patch
 Patch0009:      0009-Change-n-flag-to-nn-in-TESTonce.patch
-Patch0010:      0010-Expect-miliseconds-instead-of-seconds-in-icmp-captur.patch
 Patch0011:      0011-Evp-cipher-buffers.patch
 Patch0012:      0012-Add-printing-support-for-vsockmon-devices.patch
 Patch0013:      0013-tcpslice-stdlib.patch
-Patch0014:      0014-CVE-2018-19519-tcpdump-stack-based-buffer-over-read.patch
 
 %define tcpslice_dir tcpslice-1.2a3
 
@@ -92,6 +88,9 @@ exit 0
 %{_mandir}/man8/tcpdump.8*
 
 %changelog
+* Thu May 07 2020 Michal Ruprich <michalruprich@gmail.com> - 14:4.9.3-1
+- Resolves: #1804063 - Rebase tcpdump to 4.9.3 to fix multiple CVEs
+
 * Tue Oct 29 2019 Michal Ruprich <mruprich@redhat.com> - 14:4.9.2-6
 - Resolves: #1715423 - tcpdump pre creates user and groups unconditionally
 - Resolves: #1655622 - CVE-2018-19519 Stack-based buffer over-read in print-hncp.c:print_prefix() via crafted pcap