Bug#1086154: bookworm-pu: package tgt/1:1.0.85-1+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: tgt@packages.debian.org, David Gstir <david@sigma-star.at>, Richard Weinberger <richard@sigma-star.at>, carnil@debian.org
Control: affects -1 + src:tgt
User: release.debian.org@packages.debian.org
Usertags: pu
Hi SRM,
tgt is affected in stable by CVE-2024-45751, but it is no-dsa. I did
an NMU for unstable a while back, preparing for this bookworm-pu update
as well. Given there are no issues reported with it in unstable, I am
now proposing the bookworm update as well.
Description is at
https://security-tracker.debian.org/tracker/CVE-2024-45751
https://www.openwall.com/lists/oss-security/2024/09/07/2
|The user-space iSCSI target daemon of the Linux target framework (tgt)
|uses an insecure random number generator to generate CHAP
|authentication challenges. This results in predictable challenges which
|an attacker capable of recording network traffic between iSCSI target
|and initiator can abuse to bypass CHAP authentication by replaying
|previous responses.
The patch switches to a proper entropy source.
Regards,
Salvatore
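
Added example, not part of the original message and not the tgt patch itself: a C sketch of the failure mode the quoted advisory describes (a challenge generator whose output repeats when its state repeats, which is what makes a recorded response replayable) next to a generator backed by the kernel CSPRNG. The use of rand() as the weak generator, getrandom() as the entropy source, the 16-byte length and all function names are assumptions; the message names neither the generator nor the API the fix uses.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/random.h>

#define CHALLENGE_LEN 16 /* constructed length, not taken from tgt */

/* Weak: bytes come from a seeded PRNG, so equal state gives equal challenges. */
static void weak_challenge(unsigned int seed, uint8_t out[CHALLENGE_LEN])
{
    srand(seed);
    for (size_t i = 0; i < CHALLENGE_LEN; i++)
        out[i] = (uint8_t)(rand() & 0xff);
}

/* Hardened: fill from the kernel CSPRNG; retry on EINTR and short reads. */
static int strong_challenge(uint8_t out[CHALLENGE_LEN])
{
    size_t got = 0;
    while (got < CHALLENGE_LEN) {
        ssize_t n = getrandom(out + got, CHALLENGE_LEN - got, 0);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1; /* fail closed: never fall back to the PRNG */
        }
        got += (size_t)n;
    }
    return 0;
}

/* 1 if two runs starting from the same PRNG state issue the same challenge. */
int weak_repeats(unsigned int seed)
{
    uint8_t a[CHALLENGE_LEN], b[CHALLENGE_LEN];
    weak_challenge(seed, a);
    weak_challenge(seed, b);
    return memcmp(a, b, CHALLENGE_LEN) == 0;
}

/* 1 if two CSPRNG challenges differ, -1 if the entropy source failed. */
int strong_differs(void)
{
    uint8_t a[CHALLENGE_LEN], b[CHALLENGE_LEN];
    if (strong_challenge(a) != 0 || strong_challenge(b) != 0)
        return -1;
    return memcmp(a, b, CHALLENGE_LEN) != 0;
}
```

A regression test for a fix of this kind can assert the same two properties: challenges never repeat across restarts, and generation fails rather than degrading when the entropy source is unavailable.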