
Re: DLA needed for NBD 1:3.15.2-3



Hi Wouter,

On 09/03/2022 11:09, Wouter Verhelst wrote:
> Hi,
>
> There are two CVEs in NBD currently. One of them does not apply to
> stretch (it is in functionality introduced in NBD 3.16), but part of the
> other does.

Thanks for the notice. I was just triaging this vulnerability for stretch and noticed that only the EXPORT_NAME part of the vulnerability applied.

> I've prepared an update and pushed it to my repository at
> https://salsa.debian.org/wouter/nbd/-/tree/debian-stretch
>
> I've not yet tested this for the stretch version specifically, but the
> reporter wrote a script that exposes whether the bug is fixed; you can
> find it at https://lists.debian.org/nbd/2022/01/msg00037.html (you only
> need the second one; the first is the one that does not apply to
> stretch).

Both tests fail for me, but it looks like it may be caused by some virtualization problem. Anyway as the EXPORT_NAME part seems vulnerable, I'll add the package to dla-needed. If you're able to handle the upload yourself, then feel free to do so and someone can take care of the announcement (unless you want to do it yourself too).

Thanks,
Emilio

