Re: [oss-security] CVE-2016-4484: - Cryptsetup Initrd root Shell

guix-devel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [oss-security] CVE-2016-4484: - Cryptsetup Initrd root Shell

From:	Leo Famulari
Subject:	Re: [oss-security] CVE-2016-4484: - Cryptsetup Initrd root Shell
Date:	Tue, 15 Nov 2016 13:41:51 -0500
User-agent:	Mutt/1.7.1 (2016-10-04)

On Tue, Nov 15, 2016 at 11:35:12AM +0100, Ludovic Courtès wrote:
> Hi Leo,
> 
> Leo Famulari <address@hidden> skribis:
> 
> > On Mon, Nov 14, 2016 at 08:45:51PM +0000, Hector Marco wrote:
> >> Hello All,
> >> 
> >> Affected package
> >> ----------------
> >> Cryptsetup <= 2:1
> >
> > Hi,
> >
> > Can you clarify which versions are affected?
> >
> > The latest upstream version is 1.7.3:
> >
> > https://gitlab.com/cryptsetup/cryptsetup/commits/master
> >
> > What is the 2:1 version?
> 
> FWIW GuixSD does not use the vulnerable shell scripts mentioned in
> <http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html>.
> They are not even installed in our ‘cryptsetup’ package.

That's what I thought, but thanks for confirming. I hope the original
reporter will clarify that the vulnerability is in Debian's (and the
Debian downstream distros) packaging, and not in cryptsetup.

[Prev in Thread]

Current Thread

[Next in Thread]

Re: [oss-security] CVE-2016-4484: - Cryptsetup Initrd root Shell, Ludovic Courtès, 2016/11/15
- Re: [oss-security] CVE-2016-4484: - Cryptsetup Initrd root Shell, Leo Famulari <=

Prev by Date: Re: Please review: documentation for python build system
Next by Date: Re: OpenSSL 1.1.0c security update required
Previous by thread: Re: [oss-security] CVE-2016-4484: - Cryptsetup Initrd root Shell
Next by thread: [PATCH 1/1] gnu: libtiff: Fix CVE-2016-9297.
Index(es):
- Date
- Thread