[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [oss-security] CVE-2016-4484: - Cryptsetup Initrd root Shell
From: |
Leo Famulari |
Subject: |
Re: [oss-security] CVE-2016-4484: - Cryptsetup Initrd root Shell |
Date: |
Tue, 15 Nov 2016 13:41:51 -0500 |
User-agent: |
Mutt/1.7.1 (2016-10-04) |
On Tue, Nov 15, 2016 at 11:35:12AM +0100, Ludovic Courtès wrote:
> Hi Leo,
>
> Leo Famulari <address@hidden> skribis:
>
> > On Mon, Nov 14, 2016 at 08:45:51PM +0000, Hector Marco wrote:
> >> Hello All,
> >>
> >> Affected package
> >> ----------------
> >> Cryptsetup <= 2:1
> >
> > Hi,
> >
> > Can you clarify which versions are affected?
> >
> > The latest upstream version is 1.7.3:
> >
> > https://gitlab.com/cryptsetup/cryptsetup/commits/master
> >
> > What is the 2:1 version?
>
> FWIW GuixSD does not use the vulnerable shell scripts mentioned in
> <http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html>.
> They are not even installed in our ‘cryptsetup’ package.
That's what I thought, but thanks for confirming. I hope the original
reporter will clarify that the vulnerability is in Debian's (and the
Debian downstream distros) packaging, and not in cryptsetup.