[Pkg-samba-maint] Debian experimental package for samba4 4.0.3 and required ldb, tdb, talloc. Fixes CVE-2013-0172

Andrew Bartlett abartlet at samba.org
Wed Feb 13 04:10:01 UTC 2013


On Tue, 2013-02-12 at 13:39 +1100, Andrew Bartlett wrote:
> I was a little shocked to realise that the package in Wheezy hasn't had
> the CVE-2013-0172 fix applied.
> 
> What I've done is test in a git tree with a backported set of patches,
> using the test we designed to check this issue.  I've then bundled these
> patches into a debian package, and built it. 
> 
> The source and binary packages are at:
> 
> http://abartlet.net/samba4-debian/
> 
> I've also installed them and watched the (very nice, thank you)
> auto-configuration just work.
> 
> I've then run the same test to prove the security issue is fixed, so
> what I'm looking for from here is some help getting this into Debian.
> 
> If I've done this all correctly, then I'll rev the experimental package
> from 4.0.0 to 4.0.3, catching both the security fix and our first
> maintenance release.  
> 
> Finally, someone will need to port these across to Ubuntu, so I've CC'ed
> the ubuntu-motu list in the hope that someone can pick this up, or at
> least be aware of the issue. 

I've updated this URL with packages for current ldb, tdb, talloc and
samba4.  I've fixed samba4 so that it actually starts in 'ntvfs' mode
(required for the current cut-down package). 

The only issue I've found is that on upgrade, the 'samba-tool dbcheck'
will fail.  This is actually the right thing - the admin needs to
manually ack the changes during a re-run with --fix or --fix --yes (if
they are brave).  Of course this can be improved in a number of ways,
but I would like someone with more confidence in debconf to help me with
that. 

We (upstream) are also still working out the ideal upgrade steps (as
user testing contraindicated our initial plan), and I don't want to put
anything in the package until we have that concrete. 

In the meantime, I think this is a massive improvement over what we
currently have, both by having the security fix, as well as all the
other fixes we have made. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org