Source: util-linux
Version: 2.25.2-3
Severity: grave
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for util-linux.

CVE-2014-9114[0]: blkid command injection

I'm a bit undecided about the severity, so have chosen grave for now, but important might be more appropriate. Feel free to downgrade if you disagree: I checked what might be calling blkid -o udev directly as root in a Debian package:

http://codesearch.debian.net/search?q=blkid+-o+udev

Most seem to call blkid also with -p so not using the cache. OTOH, there is e.g. grml-debootstrap which calls it this way, but should be safe as it is called after creating a filesystem on the $TARGET.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-9114
[1] http://www.openwall.com/lists/oss-security/2014/11/26/13
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1168485
[3] https://github.com/karelzak/util-linux/commit/89e90ae7b2826110ea28c1c0eb8e7c56c3907bdc

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
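
The triage check described in the report above (find callers of `blkid -o udev` and separate those that also pass `-p`, which does not use the cache), written out as an added example; it is not part of the original report or of util-linux. The sample script lines and the names `classify` and `audit` are constructed for illustration.

```python
import re

# Short blkid options that consume an argument, per blkid(8).
TAKES_ARG = set("cLnoOsStuUw")
LONG = {"--probe": "-p", "--output": "-o"}  # long spellings of the two flags
CALL = re.compile(r"\bblkid\b([^|;&)`\n]*)")  # arguments up to the command's end

# Constructed sample input, not taken from any real package.
SAMPLE = """\
#!/bin/sh
eval $(blkid -o udev -p "$DEV")
eval "$(blkid -o udev $TARGET)"
UUID=$(blkid -s UUID -o value "$DEV")
eval `/sbin/blkid -c /tmp/po -oudev /dev/sda1`
blkid -po udev "$1" | grep ID_FS_TYPE
"""

def classify(args):
    """Return (output_format, uses_low_level_probe) for one argument list."""
    fmt, probe, i = None, False, 0
    while i < len(args):
        name, _, attached = args[i].partition("=")
        a = LONG[name] + attached if name in LONG else args[i]
        i += 1
        if a.startswith("-") and not a.startswith("--"):
            for pos, ch in enumerate(a[1:], 2):
                if ch == "p":
                    probe = True
                elif ch in TAKES_ARG:
                    value = a[pos:]  # attached value, as in -oudev
                    if not value and i < len(args):
                        value = args[i]  # separate value, as in -o udev
                        i += 1
                    if ch == "o":
                        fmt = value
                    break
    return fmt, probe

def audit(text):
    """Return (line_no, call) for each `blkid -o udev` call that lacks -p."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in CALL.finditer("" if line.lstrip().startswith("#") else line):
            args = m.group(1).replace('"', "").replace("'", "").split()
            fmt, probe = classify(args)
            if fmt == "udev" and not probe:
                hits.append((no, "blkid " + " ".join(args)))
    return hits
```

A hit is a candidate for manual review rather than a finding: the report itself judges the grml-debootstrap call safe because of where it runs.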