[Pkg-samba-maint] status of CVE-2007-4138 for samba

Christian Perrier bubulle at debian.org
Wed Sep 12 04:43:54 UTC 2007


Dear security team,

Let me confirm news for that issue which was unveiled yesterday by
the Samba team and which I mailed you about on Sept 4th.

In short, this mail confirms what I mentioned at that moment: etch and
sarge are safe with regard to this issue, while testing and unstable are
affected.

The issue is, more specifically:

"Incorrect primary group assignment for domain users using the rfc2307
or sfu winbind nss info plugin."

It is a privilege escalation issue that only arises in some quite rarely
used cases ("winbind nss info" set to rfc2307 or sfu in smb.conf *and*
the server being a member of an Active Directory domain *and* this
domain using Microsoft's SFU, Software For Unix, services).

Only samba versions in testing and unstable were affected. Neither
etch nor sarge are.

The Debian package version 3.0.26-1 was uploaded yesterday in unstable
with urgency=high, to fix that issue for users of testing and
unstable.
