Hi,

Attached patch fixes the open-iscsi version currently in Lenny. The vulnerability being a minor one does not warrant a DSA. This issue is fixed in the versions in squeeze/sid also.

Request inclusion of this patch for the next stable point release.

Regards,
Ritesh

---------- Forwarded Message ----------

Subject: Re: Fwd: Re: open-iscsi: 2.0.870~rc3-0.4.1: CVE-2009-1297: BTS 547011
Date: Friday 19 Feb 2010, 14:55:48
From: Guido Günther <agx@sigxcpu.org>
To: Ritesh Raj Sarraf <rrs@researchut.com>

Hi Ritesh,
On Fri, Feb 19, 2010 at 01:09:03AM +0545, Ritesh Raj Sarraf wrote:
> Hello Guido,
>
> Do we need to prepare an upload for Lenny?
Good point. Makes sense.

> I remember that the last NMU was rejected by ftp-masters because of lintian
> warnings/errors. The same would be the case if we go with the current version
> in Lenny.
I don't think so, since this is a security upload.

> What are your thoughts here? Do we need a fixed package for Lenny?
If the package in Lenny is vulnerable we should do that. Prepare a patch
against the version in stable and contact security@d.o (with the patch
attached). They'll handle the upload.
Cheers,
 -- Guido
-----------------------------------------
--
Ritesh Raj Sarraf
RESEARCHUT - http://www.researchut.com
"Necessity is the mother of invention."
diff -Naru open-iscsi-2.0.870~rc3.orig/debian/changelog open-iscsi-2.0.870~rc3/debian/changelog --- open-iscsi-2.0.870~rc3.orig/debian/changelog 2010-03-04 14:19:43.000000000 +0530 +++ open-iscsi-2.0.870~rc3/debian/changelog 2010-03-04 14:21:52.923249827 +0530 @@ -1,3 +1,10 @@ +open-iscsi (2.0.870~rc3-0.4.1) stable; urgency=low + + * Fix CVE-2009-1297 (Closes: #547011) - thanks to Colin Watson for + the patch + + -- Ritesh Raj Sarraf <rrs@researchut.com> Thu, 04 Mar 2010 14:20:24 +0530 + open-iscsi (2.0.870~rc3-0.4) unstable; urgency=medium * Clean up diff.gz, it downgraded the package to 2.0.869.2. diff -Naru open-iscsi-2.0.870~rc3.orig/utils/iscsi_discovery open-iscsi-2.0.870~rc3/utils/iscsi_discovery --- open-iscsi-2.0.870~rc3.orig/utils/iscsi_discovery 2008-09-26 05:23:08.000000000 +0530 +++ open-iscsi-2.0.870~rc3/utils/iscsi_discovery 2010-03-04 14:20:02.707747361 +0530 @@ -104,24 +104,22 @@ connected=0 discovered=0 - df=/tmp/discovered.$$ dbg "starting discovery to $ip" - iscsiadm -m discovery --type sendtargets --portal ${ip}:${port} > ${df} - while read portal target + disc="$(iscsiadm -m discovery --type sendtargets --portal ${ip}:${port})" + echo "${disc}" | while read portal target do portal=${portal%,*} select_transport - done < ${df} + done - discovered=$(cat ${df} | wc -l) + discovered=$(echo "${disc}" | wc -l) if [ ${discovered} = 0 ]; then echo "failed to discover targets at ${ip}" exit 2 else echo "discovered ${discovered} targets at ${ip}" fi - /bin/rm -f ${df} } try_login()
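Review bot: In the utils/iscsi_discovery hunk, the new `discovered=$(echo "${disc}" | wc -l)` can no longer reach the `= 0` branch: when iscsiadm prints nothing, `${disc}` is empty but `echo` still emits one newline, so `wc -l` reports 1 and the script prints "discovered 1 targets" instead of "failed to discover targets" and exiting 2 (the old `cat ${df} | wc -l` on an empty file gave 0). Count non-empty lines instead, e.g. `discovered=$(printf '%s\n' "${disc}" | grep -c .)`, or guard the count with `[ -n "${disc}" ]`. Second, `echo "${disc}" | while read portal target` runs the loop body in a pipeline subshell, whereas the old `done < ${df}` ran it in the current shell; `connected=0` is initialised just above the loop, so if select_transport updates it for the caller, that update is now lost after `done`. Feeding the loop from a here-document (`done <<EOF` with the expanded `${disc}`) keeps it in the current shell. The temp-file removal itself is complete: the predictable `/tmp/discovered.$$` path and its `/bin/rm -f` are dropped together, so nothing is left to be pre-created or symlinked in /tmp.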