Hi Christian,

On Sat, Dec 23, 2017 at 01:22:36PM +0100, Christian Seiler wrote:
> Hi Salvatore,
>
> On 12/23/2017 01:17 PM, Salvatore Bonaccorso wrote:
> > On Sat, Dec 23, 2017 at 12:32:32PM +0100, Christian Seiler wrote:
> >> Thanks for reporting this. It wasn't mentioned on the official
> >> open-iscsi mailing list, and the fact that I've missed the pull
> >> request alerted me to the fact that I wasn't watching the upstream
> >> github repository. (Which I've now rectified.)
> >>
> >> I've now uploaded -5 that includes all patches in the pull request
> >> you've mentioned.
> >
> > And thanks for fixing that so quickly :)
>
> Well, it's a security issue after all. :)
>
> >> I've seen in the security tracker you've marked this no-DSA, so I
> >> assume I should ask the Release team for a p-u to get this fixed
> >> in Stretch?
> >
> > That is right, I think the issue is not severe enough that we would
> > issue a DSA for it.
>
> Ok, I'm currently preparing the package for that and will open a
> p-u bug once I've finished.

Seen that, thank you.

> >> Note: neither Wheezy nor Jessie include iscsiuio (this was added
> >> in Stretch), so they are not affected by this bug, so only
> >> Stretch is also vulnerable. (stretch-backports is vulnerable,
> >> which I'll fix once a fix for stretch has been uploaded.) It
> >> would be great if you could update the security tracker to reflect
> >> this.
> >
> > Yes that's a bit tricky. We are interested to track source package
> > status, and in fact, the code looks there in jessie, so <not-affected>
> > would not be technically fully correct. I though changed the status to
> > <ignored>, that is, we will not further look into it, neither has the
> > maintainer, and added a note/explanation of "Minor issue, iscsiuio not
> > built in this version, source affected)".
>
> Ok, that's fine. Wheezy is completely unaffected though as there
> iscsiuio was not present in the source code.

Alright, I have updated the security-tracker to indicate that correctly.

Regards,
Salvatore

