[Pkg-samba-maint] Bug#483410: CVE-2008-1105: Boundary failure when parsing SMB responses can result in a buffer overrun
Christian Perrier
bubulle at debian.org
Thu May 29 05:05:29 UTC 2008
(CC'ing you though I suppose you're subscribed to sec. bugs in some way)
Quoting Florian Weimer (fw at deneb.enyo.de):
> * Christian Perrier:
>
> > To security team: as I said, I'm unsure that I'll be able to work on
> > packages for etch. I'll at least try building with that patch. As
> > usual, I may need guidance to upload to the right place if you're OK
> > for us to upload for etch.
>
> You should prepare an upload with distribution stable-security, urgency
> high, and upload it to:
>
> <ftp://security-master.debian.org/pub/SecurityUploadQueue>
OK, that upload is ready.
So is another upload of 3.0.30, for unstable, security=high. It should
deal with testing-security as well as I think that the transition
shouldn't be blocked by an external factor (dependency packages).
>
> I could do that for you. The problem is regression testing, which I can
> do only to an extremely limited extent.
When it comes at samba, regression testing is *anyway* possible on an
extremely limited extent. There are way too many use cases which
require big infrastructures for testing (often "server member of an
Active Directory domain"), so we mostly rely on the good communication
with our upstream (as it happened for the last sec. issues which were
jerky for that reason and also because upstream themselves are
sometimes late wrt regression testing).
>
> > What about sarge? It is affected as well (samba is 3.0.14 there) but is it
> > still officially supported wrt security updates?
>
> sarge is officially out of support.
OK. I'll confirm that in users mailing lists for samba just to be sure
that some users are aware of that and don't expect packages from us.
(unofficial packages could be easy to build, though)
I may have very well missed that but has the official "out of support"
for sarge been announced somewhere. It definitely was announced when
etch was released, but a reminder would help our users (assuming
nothing has been sent, which, as I said, I'm unsure of).
--
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/pkg-samba-maint/attachments/20080529/4fbcac41/attachment.pgp
More information about the Pkg-samba-maint
mailing list