Hi Christian!

On Sat, Dec 23, 2017 at 12:32:32PM +0100, Christian Seiler wrote:
> Control: tags -1 + stretch
>
> Hello,
>
> On 12/22/2017 11:37 PM, Salvatore Bonaccorso wrote:
> > the following vulnerability was published for open-iscsi, whilst only
> > "one" of the issues from the qualys report has a CVE, cf. [1], all
> > fixes from [2] should preferably be applied. Cf. as well [3].
>
> Thanks for reporting this. It wasn't mentioned on the official
> open-iscsi mailing list, and the fact that I've missed the pull
> request alerted me to the fact that I wasn't watching the upstream
> github repository. (Which I've now rectified.)
>
> I've now uploaded -5 that includes all patches in the pull request
> you've mentioned.

And thanks for fixing that so quickly :)

> I've seen in the security tracker you've marked this no-DSA, so I
> assume I should ask the Release team for a p-u to get this fixed
> in Stretch?

That is right, I think the issue is not severe enough that we would
issue a DSA for it.

> Note: neither Wheezy nor Jessie include iscsiuio (this was added
> in Stretch), so they are not affected by this bug, so only
> Stretch is also vulnerable. (stretch-backports is vulnerable,
> which I'll fix once a fix for stretch has been uploaded.) It
> would be great if you could update the security tracker to reflect
> this.

Yes, that's a bit tricky. We are interested in tracking source package
status, and in fact the code is there in jessie, so <not-affected>
would not be technically fully correct. I have, though, changed the
status to <ignored>, that is, we will not look into it further, and
neither has the maintainer, and added a note/explanation of "Minor
issue, iscsiuio not built in this version, source affected". Hope this
explains the status; if you strongly disagree, we can try to track it
otherwise, still as not-affected, and explain why we marked it as such.

Regards,
Salvatore