Date: Tue, 15 Nov 2016 20:11:11 +0000
From: Hector Marco <hecmargi@....es>
To: oss-security@...ts.openwall.com
Cc: Ismael Ripoll <iripoll@...ca.upv.es>
Subject: Re: [FD] CVE-2016-4484: - Cryptsetup Initrd root Shell

Hello,

It would be more precise to say "2:1.7.3-2" rather than "2:1".
This number refers to the Debian package. It seems that Debian is using
different version numbers for the "cryptsetup" package:

https://security-tracker.debian.org/tracker/CVE-2016-4484

We are not sure whether the last part of the version number (2:1.7.3-2)
of the Debian package (1.7.3-2) is used to match with the cryptsetup
version.

Just to avoid confusion, the bug is in the scripts (initramfs) and not
in the cryptsetup encryption/decryption algorithms.

Regards,
Hector Marco & Ismael Ripoll.


> On Mon, Nov 14, 2016 at 08:45:51PM +0000, Hector Marco wrote:
>> Hello All,
>>
>> Affected package
>> ----------------
>> Cryptsetup <= 2:1
> 
> Hi,
> 
> Can you clarify which versions are affected?
> 
> The latest upstream version is 1.7.3:
> 
> https://gitlab.com/cryptsetup/cryptsetup/commits/master
> 
> What is the 2:1 version?
> 