[Pkg-iscsi-maintainers] Bug#885021: open-iscsi: CVE-2017-17840: buffer overflow in process_iscsid_broadcast()
Salvatore Bonaccorso
carnil at debian.org
Sat Dec 23 13:30:58 UTC 2017
Hi Christian,
On Sat, Dec 23, 2017 at 01:22:36PM +0100, Christian Seiler wrote:
> Hi Salvatore,
>
> On 12/23/2017 01:17 PM, Salvatore Bonaccorso wrote:
> > On Sat, Dec 23, 2017 at 12:32:32PM +0100, Christian Seiler wrote:
> >> Thanks for reporting this. It wasn't mentioned on the official
> >> open-iscsi mailing list, and the fact that I've missed the pull
> >> request alerted me to the fact that I wasn't watching the upstream
> >> github repository. (Which I've now rectified.)
> >>
> >> I've now uploaded -5 that includes all patches in the pull request
> >> you've mentioned.
> >
> > And thanks for fixing that so quickly :)
>
> Well, it's a security issue after all. :)
>
> >> I've seen in the security tracker you've marked this no-DSA, so I
> >> assume I should ask the Release team for a p-u to get this fixed
> >> in Stretch?
> >
> > That is right, I think the issue is not severe enough that we would
> > issue a DSA for it.
>
> Ok, I'm currenty preparing the package for that and will open a
> p-u bug once I've finished.
Seen that, thank you.
>
> >> Note: neither Wheezy nor Jessie include iscsiuio (this was added
> >> in Stretch), so they are not affected by this bug, so only
> >> Stretch is also vulnerable. (stretch-backports is vulnerable,
> >> which I'll fix once a fix for stretch has been uploaded.) It
> >> would be great if you could update the security tracker to reflect
> >> this.
> >
> > Yes that's a bit tricky. We are interested to track source package
> > status, and in fact, the code looks there in jessie, so <not-affected>
> > would not be technically fully correct. I though changed the status to
> > <ignored>, that is, we will not further look into it, neither has the
> > maintainer, and added a note/explanation of "Minor issue, iscsiuio not
> > built in this version, source affected)".
>
> Ok, that's fine. Wheezy is completely unaffected though as there
> iscsiuio was not present in the source code.
Alright, I have updated the security-tracker to indicate that
correctly.
Regards,
Salvatore
More information about the Pkg-iscsi-maintainers
mailing list