Hi, Attached patch fixes the open-iscsi version currently in Lenny. The vulnerability being a minor one does not warrant a DSA. This issue is fixed in the versions in squeeze/sid also. Request inclusion of this patch for the next stable point release. Regards, Ritesh ---------- Forwarded Message ---------- Subject: Re: Fwd: Re: open-iscsi: 2.0.870~rc3-0.4.1: CVE-2009-1297: BTS 547011 Date: Friday 19 Feb 2010, 14:55:48 From: Guido Günther <agx@sigxcpu.org> To: Ritesh Raj Sarraf <rrs@researchut.com> Hi Ritesh, On Fri, Feb 19, 2010 at 01:09:03AM +0545, Ritesh Raj Sarraf wrote: > Hello Guido, > > Do we need to prepare an upload for Lenny ? Good point. Makes sense. > I remember that the last NMU was rejected by ftp-masters because of lintian > warnings/errors. The same would be the case if we go with the current version > in Lenny. I don't think so, since this is a security upload. > What are your thoughts here ? Do we need a fixed package for Lenny ? If the package in Lenny is vulenerable we should do that. Prepare a patch against the version in stable and contact security@d.o (with the patch attached). They'll handle the upload. Cheers, -- Guido ----------------------------------------- -- Ritesh Raj Sarraf RESEARCHUT - http://www.researchut.com "Necessity is the mother of invention."
diff -Naru open-iscsi-2.0.870~rc3.orig/debian/changelog open-iscsi-2.0.870~rc3/debian/changelog
--- open-iscsi-2.0.870~rc3.orig/debian/changelog 2010-03-04 14:19:43.000000000 +0530
+++ open-iscsi-2.0.870~rc3/debian/changelog 2010-03-04 14:21:52.923249827 +0530
@@ -1,3 +1,10 @@
+open-iscsi (2.0.870~rc3-0.4.1) stable; urgency=low
+
+ * Fix CVE-2009-1297 (Closes: #547011) - thanks to Colin Watson for
+ the patch
+
+ -- Ritesh Raj Sarraf <rrs@researchut.com> Thu, 04 Mar 2010 14:20:24 +0530
+
open-iscsi (2.0.870~rc3-0.4) unstable; urgency=medium
* Clean up diff.gz, it downgraded the package to 2.0.869.2.
diff -Naru open-iscsi-2.0.870~rc3.orig/utils/iscsi_discovery open-iscsi-2.0.870~rc3/utils/iscsi_discovery
--- open-iscsi-2.0.870~rc3.orig/utils/iscsi_discovery 2008-09-26 05:23:08.000000000 +0530
+++ open-iscsi-2.0.870~rc3/utils/iscsi_discovery 2010-03-04 14:20:02.707747361 +0530
@@ -104,24 +104,22 @@
connected=0
discovered=0
- df=/tmp/discovered.$$
dbg "starting discovery to $ip"
- iscsiadm -m discovery --type sendtargets --portal ${ip}:${port} > ${df}
- while read portal target
+ disc="$(iscsiadm -m discovery --type sendtargets --portal ${ip}:${port})"
+ echo "${disc}" | while read portal target
do
portal=${portal%,*}
select_transport
- done < ${df}
+ done
- discovered=$(cat ${df} | wc -l)
+ discovered=$(echo "${disc}" | wc -l)
if [ ${discovered} = 0 ]; then
echo "failed to discover targets at ${ip}"
exit 2
else
echo "discovered ${discovered} targets at ${ip}"
fi
- /bin/rm -f ${df}
}
try_login()
Attachment:
signature.asc
Description: This is a digitally signed message part.