Summary: | <=sys-block/open-iscsi-2.0.870.3: Symlink attack (CVE-2009-1297) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Tobias Heinlein (RETIRED) <keytoaster>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | trivial | CC: | base-system, dertobi123, kingtaco
Priority: | High | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | ~3 [noglsa] | |
Package list: | | Runtime testing required: | ---

Description
Tobias Heinlein (RETIRED)
2009-10-26 20:40:10 UTC
More information: https://bugzilla.redhat.com/show_bug.cgi?id=523936
Patch used by Debian is linked in there.

Gentoo ships the iscsi_discovery script when the utils USE flag is enabled.

Maintainers, please prepare a fixed ebuild, thanks.

Oh, ~arch only, adjusting severity.

I've updated the ebuild for 2.0.871 in http://bugs.gentoo.org/show_bug.cgi?id=278589

As no one really maintains open-iscsi I'm currently proxy-maintaining it. I've changed several things in 2.0.871, and honestly really don't want to see 2.0.870.3 in portage anymore, I can't even build/test it on my workstation because the kernel is too new (that was an issue with the old ebuild).

The last bump & QA was done by Tobias, maybe he could bump again? ;)

Created attachment 208374
CVE-2009-1297.patch

Created attachment 208375
open-iscsi-2.0.870.3-r1.ebuild

Sorry for bugspam! =)

Argh, again.

(In reply to comment #3)
> The last bump & QA was done by Tobias, maybe he could bump again? ;)

Proxy commit in CVS. Get your quiz done plz ;)

No stable version, closing this one therefore.