Hi Salvatore,

On 12/23/2017 01:17 PM, Salvatore Bonaccorso wrote:
> On Sat, Dec 23, 2017 at 12:32:32PM +0100, Christian Seiler wrote:
>> Thanks for reporting this. It wasn't mentioned on the official
>> open-iscsi mailing list, and the fact that I've missed the pull
>> request alerted me to the fact that I wasn't watching the upstream
>> github repository. (Which I've now rectified.)
>>
>> I've now uploaded -5 that includes all patches in the pull request
>> you've mentioned.
>
> And thanks for fixing that so quickly :)

Well, it's a security issue after all. :)

>> I've seen in the security tracker you've marked this no-DSA, so I
>> assume I should ask the Release team for a p-u to get this fixed
>> in Stretch?
>
> That is right, I think the issue is not severe enough that we would
> issue a DSA for it.

Ok, I'm currently preparing the package for that and will open a p-u
bug once I've finished.

>> Note: neither Wheezy nor Jessie include iscsiuio (this was added
>> in Stretch), so they are not affected by this bug, so only
>> Stretch is also vulnerable. (stretch-backports is vulnerable,
>> which I'll fix once a fix for stretch has been uploaded.) It
>> would be great if you could update the security tracker to reflect
>> this.
>
> Yes that's a bit tricky. We are interested to track source package
> status, and in fact, the code looks there in jessie, so <not-affected>
> would not be technically fully correct. I though changed the status to
> <ignored>, that is, we will not further look into it, neither has the
> maintainer, and added a note/explanation of "Minor issue, iscsiuio not
> built in this version, source affected)".

Ok, that's fine. Wheezy is completely unaffected though as there
iscsiuio was not present in the source code.

Regards,
Christian