* Re: [oss-security] CVE-2016-4484: - Cryptsetup Initrd root Shell
From: Ludovic Courtès @ 2016-11-15 10:35 UTC
To: Leo Famulari; +Cc: guix-devel

Hi Leo,

Leo Famulari <leo@famulari.name> wrote:

> On Mon, Nov 14, 2016 at 08:45:51PM +0000, Hector Marco wrote:
>> Hello All,
>>
>> Affected package
>> ----------------
>> Cryptsetup <= 2:1
>
> Hi,
>
> Can you clarify which versions are affected?
>
> The latest upstream version is 1.7.3:
>
> https://gitlab.com/cryptsetup/cryptsetup/commits/master
>
> What is the 2:1 version?

FWIW GuixSD does not use the vulnerable shell scripts mentioned in
<http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html>.
They are not even installed in our ‘cryptsetup’ package.

Ludo’.

* Re: [oss-security] CVE-2016-4484: - Cryptsetup Initrd root Shell
From: Leo Famulari @ 2016-11-15 18:41 UTC
To: Ludovic Courtès; +Cc: guix-devel

On Tue, Nov 15, 2016 at 11:35:12AM +0100, Ludovic Courtès wrote:
> Hi Leo,
>
> Leo Famulari <leo@famulari.name> wrote:
>
> > On Mon, Nov 14, 2016 at 08:45:51PM +0000, Hector Marco wrote:
> >> Hello All,
> >>
> >> Affected package
> >> ----------------
> >> Cryptsetup <= 2:1
> >
> > Hi,
> >
> > Can you clarify which versions are affected?
> >
> > The latest upstream version is 1.7.3:
> >
> > https://gitlab.com/cryptsetup/cryptsetup/commits/master
> >
> > What is the 2:1 version?
>
> FWIW GuixSD does not use the vulnerable shell scripts mentioned in
> <http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html>.
> They are not even installed in our ‘cryptsetup’ package.

That's what I thought, but thanks for confirming.

I hope the original reporter will clarify that the vulnerability is in
Debian's (and the Debian downstream distros) packaging, and not in
cryptsetup.