all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed
* Re: [oss-security] CVE-2016-4484: - Cryptsetup Initrd root Shell
       [not found] ` <20161115032707.GA5104@jasmine>
@ 2016-11-15 10:35   ` Ludovic Courtès
  2016-11-15 18:41     ` Leo Famulari
  0 siblings, 1 reply; 2+ messages in thread
From: Ludovic Courtès @ 2016-11-15 10:35 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

Hi Leo,

Leo Famulari <leo@famulari.name> skribis:

> On Mon, Nov 14, 2016 at 08:45:51PM +0000, Hector Marco wrote:
>> Hello All,
>> 
>> Affected package
>> ----------------
>> Cryptsetup <= 2:1
>
> Hi,
>
> Can you clarify which versions are affected?
>
> The latest upstream version is 1.7.3:
>
> https://gitlab.com/cryptsetup/cryptsetup/commits/master
>
> What is the 2:1 version?

FWIW GuixSD does not use the vulnerable shell scripts mentioned in
<http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html>.
They are not even installed in our ‘cryptsetup’ package.

Ludo’.

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [oss-security] CVE-2016-4484: - Cryptsetup Initrd root Shell
  2016-11-15 10:35   ` [oss-security] CVE-2016-4484: - Cryptsetup Initrd root Shell Ludovic Courtès
@ 2016-11-15 18:41     ` Leo Famulari
  0 siblings, 0 replies; 2+ messages in thread
From: Leo Famulari @ 2016-11-15 18:41 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: guix-devel

On Tue, Nov 15, 2016 at 11:35:12AM +0100, Ludovic Courtès wrote:
> Hi Leo,
> 
> Leo Famulari <leo@famulari.name> skribis:
> 
> > On Mon, Nov 14, 2016 at 08:45:51PM +0000, Hector Marco wrote:
> >> Hello All,
> >> 
> >> Affected package
> >> ----------------
> >> Cryptsetup <= 2:1
> >
> > Hi,
> >
> > Can you clarify which versions are affected?
> >
> > The latest upstream version is 1.7.3:
> >
> > https://gitlab.com/cryptsetup/cryptsetup/commits/master
> >
> > What is the 2:1 version?
> 
> FWIW GuixSD does not use the vulnerable shell scripts mentioned in
> <http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html>.
> They are not even installed in our ‘cryptsetup’ package.

That's what I thought, but thanks for confirming. I hope the original
reporter will clarify that the vulnerability is in Debian's (and the
Debian downstream distros) packaging, and not in cryptsetup.

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2016-11-15 18:41 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <88958a9e-25c1-97ce-1800-bc4bff93d9a9@hmarco.org>
     [not found] ` <20161115032707.GA5104@jasmine>
2016-11-15 10:35   ` [oss-security] CVE-2016-4484: - Cryptsetup Initrd root Shell Ludovic Courtès
2016-11-15 18:41     ` Leo Famulari

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.