[Pkg-iscsi-maintainers] Bug#885021: open-iscsi: CVE-2017-17840: buffer overflow in process_iscsid_broadcast()

Christian Seiler christian at iwakd.de
Sat Dec 23 11:32:32 UTC 2017


Control: tags -1 + stretch

Hello,

On 12/22/2017 11:37 PM, Salvatore Bonaccorso wrote:
> the following vulnerability was published for open-iscsi, whilst only
> "one" of the issues from the qualys report has a CVE, cf. [1], all
> fixes from [2] should preferably be applied. Cf. as well [3].

Thanks for reporting this. It wasn't mentioned on the official
open-iscsi mailing list, and the fact that I've missed the pull
request alerted me to the fact that I wasn't watching the upstream
github repository. (Which I've now rectified.)

I've now uploaded -5 that includes all patches in the pull request
you've mentioned.

I've seen in the security tracker you've marked this no-DSA, so I
assume I should ask the Release team for a p-u to get this fixed
in Stretch?

Note: neither Wheezy nor Jessie include iscsiuio (this was added
in Stretch), so they are not affected by this bug; only Stretch
is vulnerable. (stretch-backports is vulnerable as well, which
I'll fix once a fix for stretch has been uploaded.) It would be
great if you could update the security tracker to reflect this.

Regards,
Christian
