[Pkg-iscsi-maintainers] Bug#885021: open-iscsi: CVE-2017-17840: buffer overflow in process_iscsid_broadcast()

Christian Seiler christian at iwakd.de
Sat Dec 23 12:22:36 UTC 2017


Hi Salvatore,

On 12/23/2017 01:17 PM, Salvatore Bonaccorso wrote:
> On Sat, Dec 23, 2017 at 12:32:32PM +0100, Christian Seiler wrote:
>> Thanks for reporting this. It wasn't mentioned on the official
>> open-iscsi mailing list, and the fact that I've missed the pull
>> request alerted me to the fact that I wasn't watching the upstream
>> github repository. (Which I've now rectified.)
>>
>> I've now uploaded -5 that includes all patches in the pull request
>> you've mentioned.
> 
> And thanks for fixing that so quickly :)

Well, it's a security issue after all. :)

>> I've seen in the security tracker you've marked this no-DSA, so I
>> assume I should ask the Release team for a p-u to get this fixed
>> in Stretch?
> 
> That is right, I think the issue is not severe enough that we would
> issue a DSA for it.

Ok, I'm currently preparing the package for that and will open a
p-u bug once I've finished.

>> Note: neither Wheezy nor Jessie include iscsiuio (this was added
>> in Stretch), so they are not affected by this bug, so only
>> Stretch is also vulnerable. (stretch-backports is vulnerable,
>> which I'll fix once a fix for stretch has been uploaded.) It
>> would be great if you could update the security tracker to reflect
>> this.
> 
> Yes that's a bit tricky. We are interested to track source package
> status, and in fact, the code looks there in jessie, so <not-affected>
> would not be technically fully correct. I though changed the status to
> <ignored>, that is, we will not further look into it, neither has the
> maintainer, and added a note/explanation of "Minor issue, iscsiuio not
> built in this version, source affected)".

Ok, that's fine. Wheezy is completely unaffected though as there
iscsiuio was not present in the source code.

Regards,
Christian
