Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: t...@packages.debian.org, David Gstir <da...@sigma-star.at>, Richard Weinberger <rich...@sigma-star.at>, car...@debian.org
Control: affects -1 + src:tgt
User: release.debian....@packages.debian.org
Usertags: pu

Hi SRM,

tgt is affected in stable by CVE-2024-45751, but it is no-dsa. A while back I did an NMU for unstable, preparing for this bookworm-pu update as well. Given there are no issues reported with it in unstable, I am now proposing the bookworm update as well.

Description is at
https://security-tracker.debian.org/tracker/CVE-2024-45751
https://www.openwall.com/lists/oss-security/2024/09/07/2

|The user-space iSCSI target daemon of the Linux target framework (tgt)
|uses an insecure random number generator to generate CHAP
|authentication challenges. This results in predictable challenges which
|an attacker capable of recording network traffic between iSCSI target
|and initiator can abuse to bypass CHAP authentication by replaying
|previous responses.

The patch switches to a proper entropy source.

Regards,
Salvatore
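
The weakness quoted in the description above, as an added example that is not part of the original mail and is not tgt's code: a toy CHAP target showing why a repeated challenge makes a previously recorded response verify again, and why drawing the challenge from the OS entropy source closes that. The `Target` class, the fixed seed, the secret and the constant identifier are constructed for illustration; only the response formula (MD5 over identifier, secret and challenge, per RFC 1994) is standard CHAP.

```python
import hashlib
import hmac
import random
import secrets

CHALLENGE_LEN = 16  # bytes; constructed value for this sketch


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: hash of identifier || secret || challenge."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Target:
    """Toy target that issues a challenge and verifies the response."""

    def __init__(self, secret: bytes, use_os_entropy: bool):
        self.secret = secret
        self.use_os_entropy = use_os_entropy
        # Model of an insecure generator: a PRNG that starts from the same
        # state every time the daemon starts (assumption for illustration).
        self._prng = random.Random(1)

    def new_challenge(self) -> bytes:
        if self.use_os_entropy:
            return secrets.token_bytes(CHALLENGE_LEN)  # kernel CSPRNG
        return bytes(self._prng.getrandbits(8) for _ in range(CHALLENGE_LEN))

    def verify(self, ident: int, challenge: bytes, response: bytes) -> bool:
        expected = chap_response(ident, self.secret, challenge)
        return hmac.compare_digest(expected, response)


def recorded_response_accepted_after_restart(use_os_entropy: bool) -> bool:
    """True if a response captured in one session verifies in the next."""
    secret = b"constructed-chap-secret"
    ident = 1  # identifier held constant to isolate the challenge's role

    first = Target(secret, use_os_entropy)
    challenge = first.new_challenge()
    recorded = chap_response(ident, secret, challenge)  # legitimate initiator
    assert first.verify(ident, challenge, recorded)

    restarted = Target(secret, use_os_entropy)  # simulated daemon restart
    return restarted.verify(ident, restarted.new_challenge(), recorded)
```

With the modelled weak generator the function returns True (the old response matches the repeated challenge); with `secrets.token_bytes` it returns False, because the new challenge is unrelated to the recorded one.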