[Pkg-samba-maint] Debian experimental package for samba4 4.0.3 and required ldb, tdb, talloc. Fixes CVE-2013-0172
Andrew Bartlett
abartlet at samba.org
Fri Feb 15 01:22:49 UTC 2013
On Wed, 2013-02-13 at 16:49 +1100, Andrew Bartlett wrote:
> On Wed, 2013-02-13 at 15:10 +1100, Andrew Bartlett wrote:
> > On Tue, 2013-02-12 at 13:39 +1100, Andrew Bartlett wrote:
> > > I was a little shocked to realise that the package in Wheezy hasn't had
> > > the CVE-2013-0172 fix applied.
> > >
> > > What I've done is test in a git tree with a backported set of patches,
> > > using the test we designed to check this issue. I've then bundled these
> > > patches into a debian package, and built it.
> > >
> > > The source and binary packages are at:
> > >
> > > http://abartlet.net/samba4-debian/
> > >
> > > I've also installed them and watched the (very nice, thank you)
> > > auto-configuration just work.
> > >
> > > I've then run the same test to prove the security issue is fixed, so
> > > what I'm looking for from here is some help getting this into Debian.
> > >
> > > If I've done this all correctly, then I'll rev the experimental package
> > > from 4.0.0 to 4.0.3, catching both the security fix and our first
> > > maintenance release.
> > >
> > > Finally, someone will need to port these across to Ubuntu, so I've CC'ed
> > > the ubuntu-motu list in the hope that someone can pick this up, or at
> > > least be aware of the issue.
> >
> > I've updated this URL with packages for current ldb, tdb, talloc and
> > samba4. I've fixed samba4 so that it actually starts in 'ntvfs' mode
> > (required for the current cut-down package).
> >
> > The only issue I've found is that on upgrade, the 'samba-tool dbcheck'
> > will fail. This is actually the right thing - the admin needs to
> > manually ack the changes during a re-run with --fix or --fix --yes (if
> > they are brave). Of course this can be improved in a number of ways,
> > but I would like someone with more confidence in debconf to help me with
> > that.
> >
> > We (upstream) are also still working out the ideal upgrade steps (as
> > user testing contraindicated our initial plan), and I don't want to put
> > anything in the package until we have that concrete.
> >
> > In the meantime, I think this is a massive improvement over what we
> > currently have, both by having the security fix, as well as all the
> > other fixes we have made.
>
> As the samba4 package uses GIT, I've reflected my changes back into the
> git checkout and this is the patch. If my package is accepted (or if it
> isn't but someone wants to fix it to be acceptable) this diff should
> help.
>
> To give some safe tracking to the files, I've signed the samba4 package
> and uploaded a sha256 checksum list and signature.
>
> Andrew Bartlett
Jelmer,
I've uploaded new packages based on the git trees you pointed me at, for
samba4, ldb and tdb. http://abartlet.net/samba4-debian/
I've also prepared debdiff files; they are at the above URL because they
seem pretty large for sending by e-mail (but I can if that's better).
git://git.debian.org/pkg-samba/samba4
git://git.debian.org/pkg-samba/ldb
git://git.debian.org/pkg-samba/tdb
The talloc git tree seems to be empty at
git://git.debian.org/pkg-samba/talloc
I've attached the patches for both here.
I hope this means you or Brian can help me get these packages uploaded.
Even just getting the tdb/talloc/tdb changes in would be most helpful.
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Attachments (scrubbed by the list archive):
- 0001-New-upstream-release.patch (text/x-patch, 3150 bytes): <http://lists.alioth.debian.org/pipermail/pkg-samba-maint/attachments/20130215/8ec3c5c0/attachment.bin>
- 0001-Release-1.1.15-as-a-NMU.patch (text/x-patch, 4627 bytes): <http://lists.alioth.debian.org/pipermail/pkg-samba-maint/attachments/20130215/8ec3c5c0/attachment-0001.bin>
- 0001-releasing-version-4.0.3-dfsg1-1.1.patch (text/x-patch, 7209 bytes): <http://lists.alioth.debian.org/pipermail/pkg-samba-maint/attachments/20130215/8ec3c5c0/attachment-0002.bin>