[Pkg-samba-maint] What is blocking the security releases of Samba?
carnil at debian.org
Thu Dec 31 13:40:56 UTC 2015
On Thu, Dec 31, 2015 at 11:05:27PM +1300, Andrew Bartlett wrote:
> The major Samba security release in December still hasn't hit Debian.
> The remote memory read issue in LDB (via the AD DC LDAP server) is
> quite serious.
> What are we blocked on?
> o CVE-2015-7540 (Remote DoS in Samba (AD) LDAP server)
> o CVE-2015-3223 (Denial of service in Samba Active Directory
> o CVE-2015-5252 (Insufficient symlink verification in smbd)
> o CVE-2015-5299 (Missing access control check in shadow copy
> o CVE-2015-5296 (Samba client requesting encryption vulnerable
> to downgrade attack)
> o CVE-2015-8467 (Denial of service attack against Windows
> Active Directory server)
> o CVE-2015-5330 (Remote memory read in Samba LDAP server)
Work is in progress. The timing was a bit unfortunate due to
vacation/holidays but it's beeing worked on. The jessie-security
packages are completely ready already, the wheezy-security ones can be
previewed here: https://people.debian.org/~carnil/tmp/samba/
In case you spot a problem with these please let me know!
More information about the Pkg-samba-maint