[Pkg-samba-maint] What is blocking the security releases of Samba?

Salvatore Bonaccorso carnil at debian.org
Thu Dec 31 13:40:56 UTC 2015

Hi Andrew,

On Thu, Dec 31, 2015 at 11:05:27PM +1300, Andrew Bartlett wrote:
> The major Samba security release in December still hasn't hit Debian. 
> The remote memory read issue in LDB (via the AD DC LDAP server) is
> quite serious. 
> What are we blocked on?
> o  CVE-2015-7540 (Remote DoS in Samba (AD) LDAP server)
> o  CVE-2015-3223 (Denial of service in Samba Active Directory
>                   server)
> o  CVE-2015-5252 (Insufficient symlink verification in smbd)
> o  CVE-2015-5299 (Missing access control check in shadow copy
>                   code)
> o  CVE-2015-5296 (Samba client requesting encryption vulnerable
>                   to downgrade attack)
> o  CVE-2015-8467 (Denial of service attack against Windows
>                   Active Directory server)
> o  CVE-2015-5330 (Remote memory read in Samba LDAP server)

Work is in progress. The timing was a bit unfortunate due to
vacation/holidays but it's beeing worked on. The jessie-security
packages are completely ready already, the wheezy-security ones can be
previewed here: https://people.debian.org/~carnil/tmp/samba/

In case you spot a problem with these please let me know!


More information about the Pkg-samba-maint mailing list