[Pkg-samba-maint] HEADS UP: CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation

Andrew Bartlett abartlet at samba.org
Fri Jul 14 09:53:12 UTC 2017

On Fri, 2017-07-14 at 10:00 +0200, Yves-Alexis Perez wrote:
> On Fri, 2017-07-14 at 08:10 +1200, Andrew Bartlett wrote:
> > > Hi, thanks for your work on this. The debdiff looks simple and sane enough,
> > > unfortunately I don't think we have a Samba-AD test instance to check it does
> > > work indeed.
> > > 
> > > Besides the upstream build test was there some confirmation it did work?
> > 
> > Yes, I built a reproducer for the core issue and checked it against
> > upstream.  I'll release that in a few days as part of our regression
> > suite. 
> Ok, thank you. Can you upload the packages to security-master? The stretch one
> needs to be built with -sa to include the orig tarball since it's the first
> security upload there.
> I'll review the packages there and release the DSA when possible.

I think Mathieu tried to do that yesterday:


I tried to rebuild as requested, but my gbp foo isn't good enough to
get the flags in the right spot, sorry. 

I tried: 

gbp buildpackage --git-pbuilder --git-dist=stretch --git-builder='debuild -i -I -sa'

But it still didn't include the original source.  In any case it is all
lined up in git:

https://anonscm.debian.org/git/pkg-samba/samba.git stretch

This is the end of my day here in NZ, but I hope you and Mathieu can
sort the rest out.  


Andrew Bartlett
(still a bit green on Debian maintenance, but helps out when things get
tight to ensure Debian isn't caught on the hop by security issues). 

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the Pkg-samba-maint mailing list