tcmu: CVE-2021-3139

Related Vulnerabilities: CVE-2021-3139   CVE-2020-28374  

Debian Bug report logs - #980007
tcmu: CVE-2021-3139

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 12 Jan 2021 20:18:01 UTC

Severity: grave

Tags: security, upstream

Found in version tcmu/1.5.2-5

Fixed in version tcmu/1.5.2-6

Done: Sebastien Delafond <seb@debian.org>

Forwarded to https://github.com/open-iscsi/tcmu-runner/issues/645


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Freexian Packaging Team <team+freexian@tracker.debian.org>:
Bug#980007; Package src:tcmu. (Tue, 12 Jan 2021 20:18:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Freexian Packaging Team <team+freexian@tracker.debian.org>. (Tue, 12 Jan 2021 20:18:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tcmu: CVE-2020-28374
Date: Tue, 12 Jan 2021 21:15:30 +0100
Source: tcmu
Version: 1.5.2-5
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for tcmu.

CVE-2020-28374[0]:
| Linux SCSI target (LIO) unrestricted copy offload

A patch was provided in [1] but at time of writing it does not appear
to be yet in the upstream repository.

Further information in [2].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-28374
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28374
[1] https://bugzilla.suse.com/show_bug.cgi?id=1180676
[2] https://www.openwall.com/lists/oss-security/2021/01/12/12

Regards,
Salvatore



Set Bug forwarded-to-address to 'https://github.com/open-iscsi/tcmu-runner/issues/645'. Request was from Sebastien Delafond <seb@debian.org> to control@bugs.debian.org. (Wed, 13 Jan 2021 07:42:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Freexian Packaging Team <team+freexian@tracker.debian.org>:
Bug#980007; Package src:tcmu. (Wed, 13 Jan 2021 20:27:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Freexian Packaging Team <team+freexian@tracker.debian.org>. (Wed, 13 Jan 2021 20:27:02 GMT)


Message #12 received at 980007@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 980007@bugs.debian.org
Subject: Re: Bug#980007: tcmu: VE-2021-3139
Date: Wed, 13 Jan 2021 21:24:19 +0100
Control: retitle -1 tcmu: VE-2021-3139

On Tue, Jan 12, 2021 at 09:15:30PM +0100, Salvatore Bonaccorso wrote:
> Source: tcmu
> Version: 1.5.2-5
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
> 
> Hi,
> 
> The following vulnerability was published for tcmu.
> 
> CVE-2020-28374[0]:
> | Linux SCSI target (LIO) unrestricted copy offload

MITRE assigned a separate CVE for the tcmu issue as per
https://www.openwall.com/lists/oss-security/2021/01/13/5 .

Regards,
Salvatore



Changed Bug title to 'tcmu: VE-2021-3139' from 'tcmu: CVE-2020-28374'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 980007-submit@bugs.debian.org. (Wed, 13 Jan 2021 20:27:03 GMT)


Changed Bug title to 'tcmu: CVE-2021-3139' from 'tcmu: VE-2021-3139'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 14 Jan 2021 10:24:02 GMT)


Reply sent to Sebastien Delafond <seb@debian.org>:
You have taken responsibility. (Mon, 18 Jan 2021 09:24:02 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 18 Jan 2021 09:24:02 GMT)


Message #21 received at 980007-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 980007-close@bugs.debian.org
Subject: Bug#980007: fixed in tcmu 1.5.2-6
Date: Mon, 18 Jan 2021 09:20:44 +0000
Source: tcmu
Source-Version: 1.5.2-6
Done: Sebastien Delafond <seb@debian.org>

We believe that the bug you reported is fixed in the latest version of
tcmu, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 980007@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sebastien Delafond <seb@debian.org> (supplier of updated tcmu package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 18 Jan 2021 09:26:23 +0100
Source: tcmu
Architecture: source
Version: 1.5.2-6
Distribution: unstable
Urgency: high
Maintainer: Freexian Packaging Team <team+freexian@tracker.debian.org>
Changed-By: Sebastien Delafond <seb@debian.org>
Closes: 980007
Changes:
 tcmu (1.5.2-6) unstable; urgency=high
 .
   * Fix CVE-2021-3139 (Closes: #980007)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Jan 25 08:56:42 2021; Machine Name: buxtehude
