For the tcmu DBUS fix: """ - The dbus policy allows all users to call org.kernel.TCMUService1.HandlerManager1.RegisterHandler, which doesn't seem desirable. I don't think there is a direct security impact from this, as external handlers need to be privileged in order to own the type-specific well-known name on the system bus, and the call will return an error if called before that name is owned. But I think this should only be callable as the root user. """
I'm not taking action as we should wait upstream to take action on: https://github.com/open-iscsi/tcmu-runner/issues/582 and, if there isn't a direct security impact I think it would be ok for the MIR to continue despite this change. With that in mind: I: tcmu [.] MIR ack [.] Security ack - dbus fix orthogonal (upstream bug) - https://github.com/open-iscsi/tcmu-runner/issues/582 There is nothing else to be done here but to wait Debian to accept my merge proposals. I'll keep this updated based on salsa MR discussions (if any). -rafaeldtinoco -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1854362 Title: [MIR] ceph-iscsi, tcmu, python-configshell-fb, python-rtslib-fb, urwid, targetcli-fb To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ceph-iscsi/+bug/1854362/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs