On Tue, Nov 15, 2016 at 11:35:12AM +0100, Ludovic Courtès wrote:
> Hi Leo,
>
> Leo Famulari <l...@famulari.name> wrote:
>
> > On Mon, Nov 14, 2016 at 08:45:51PM +0000, Hector Marco wrote:
> >> Hello All,
> >>
> >> Affected package
> >> ----------------
> >> Cryptsetup <= 2:1
> >
> > Hi,
> >
> > Can you clarify which versions are affected?
> >
> > The latest upstream version is 1.7.3:
> >
> > https://gitlab.com/cryptsetup/cryptsetup/commits/master
> >
> > What is the 2:1 version?
>
> FWIW GuixSD does not use the vulnerable shell scripts mentioned in
> <http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html>.
> They are not even installed in our ‘cryptsetup’ package.

That's what I thought, but thanks for confirming. I hope the original reporter will clarify that the vulnerability is in Debian's (and the Debian downstream distros) packaging, and not in cryptsetup.