[Pkg-samba-maint] Fwd: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download

L.P.H. van Belle belle at bazuin.nl
Fri Mar 24 11:09:08 UTC 2017


Done. 

Uploaded : 
ldb_1.1.29-1.1_amd64.changes  
samba_4.6.1-1.0_amd64.changes  
talloc_2.1.9-1.1_amd64.changes  
tdb_1.3.12-1.1_amd64.changes

The other files are already in Debian. 

Thanks

Best regards, 

Louis van Belle


> -----Original message-----
> From: Jelmer Vernooij [mailto:jelmer at jelmer.uk]
> Sent: Thursday 23 March 2017 20:17
> To: L.P.H. van Belle
> CC: pkg-samba-maint at lists.alioth.debian.org
> Subject: Re: [Pkg-samba-maint] Fwd: [Announce] Samba 4.6.1, 4.5.7 and
> 4.4.12 Security Releases Available for Download
> 
> On Thu, Mar 23, 2017 at 01:58:52PM +0100, L.P.H. van Belle wrote:
> > Hai,
> >
> > If someone is interested in a debian 4.6.1.
> >
> > https://downloads.van-belle.nl/samba4/samba-4.6.1/
> >
> > buildlog changelog dsc are all included and signed by me.
> >
> > I'm not accepted (yet) but Andrew would like it to have the latest
> > packages in experimental.
> >
> > So a checkup would be nice and I'll appreciate any comments. (good and
> > bad)
>
> Any chance you could upload these to a service like mentors.debian.net ?
> 
> That makes it a bit easier to review.
> 
> Thanks,
> 
> Jelmer
> 
> > > -----Original message-----
> > > From: Pkg-samba-maint [mailto:pkg-samba-maint-
> > > bounces+belle=bazuin.nl at lists.alioth.debian.org] On behalf of Mathieu Parent
> > > Sent: Thursday 23 March 2017 11:30
> > > To: debian-lts at lists.debian.org
> > > CC: Debian Samba Maintainers; Debian Security Team; Salvatore Bonaccorso
> > > Subject: [Pkg-samba-maint] Fwd: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12
> > > Security Releases Available for Download
> > >
> > > Hi,
> > >
> > > Today samba has released a security fix for a symlink race (leading to
> > > information disclosure).
> > >
> > > Salvatore will take care of the jessie upload, I have uploaded for
> > > sid, but we have not done anything on the wheezy side.
> > >
> > > See attached the backported patches for 3.6 (those are from the samba
> > > bugzilla which is still embargoed).
> > >
> > > Please take care of it.
> > >
> > > Thanks
> > >
> > > Mathieu Parent
> > >
> > >
> > > ---------- Forwarded message ----------
> > > From: Karolin Seeger via samba-announce <samba-announce at lists.samba.org>
> > > Date: 2017-03-23 10:11 GMT+01:00
> > > Subject: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases
> > > Available for Download
> > > To: samba-announce at lists.samba.org, samba at lists.samba.org,
> > > samba-technical at lists.samba.org
> > >
> > >
> > > Release Announcements
> > > ---------------------
> > >
> > > These are security releases in order to address the following defect:
> > >
> > > o  CVE-2017-2619 (Symlink race allows access outside share definition)
> > >
> > > =======
> > > Details
> > > =======
> > >
> > > o  CVE-2017-2619:
> > >    All versions of Samba prior to 4.6.1, 4.5.7, 4.4.11 are vulnerable to
> > >    a malicious client using a symlink race to allow access to areas of
> > >    the server file system not exported under the share definition.
> > >
> > >    Samba uses the realpath() system call to ensure when a client requests
> > >    access to a pathname that it is under the exported share path on the
> > >    server file system.
> > >
> > >    Clients that have write access to the exported part of the file system
> > >    via SMB1 unix extensions or NFS to create symlinks can race the server
> > >    by renaming a realpath() checked path and then creating a symlink. If
> > >    the client wins the race it can cause the server to access the new
> > >    symlink target after the exported share path check has been done. This
> > >    new symlink target can point to anywhere on the server file system.
> > >
> > >    This is a difficult race to win, but theoretically possible. Note that
> > >    the proof of concept code supplied wins the race reliably only when
> > >    the server is slowed down using the strace utility running on the
> > >    server. Exploitation of this bug has not been seen in the wild.
> > >
> > >
> > > Changes:
> > > --------
> > >
> > > o  Jeremy Allison <jra at samba.org>
> > >    * BUG 12496: CVE-2017-2619: Symlink race permits opening files outside
> > >      share directory.
> > >
> > > o  Ralph Boehme <slow at samba.org>
> > >    * BUG 12496: CVE-2017-2619: Symlink race permits opening files outside
> > >      share directory.
> > >
> > >
> > > #######################################
> > > Reporting bugs & Development Discussion
> > > #######################################
> > >
> > > Please discuss this release on the samba-technical mailing list or by
> > > joining the #samba-technical IRC channel on irc.freenode.net.
> > >
> > > If you do report problems then please try to send high quality
> > > feedback. If you don't provide vital information to help us track down
> > > the problem then you will probably be ignored.  All bug reports should
> > > be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
> > > database (https://bugzilla.samba.org/).
> > >
> > >
> > > ======================================================================
> > > == Our Code, Our Bugs, Our Responsibility.
> > > == The Samba Team
> > > ======================================================================
> > >
> > >
> > >
> > > ================
> > > Download Details
> > > ================
> > >
> > > The uncompressed tarballs and patch files have been signed
> > > using GnuPG (ID 6F33915B6568B7EA).  The source code can be downloaded
> > > from:
> > >
> > >         https://download.samba.org/pub/samba/stable/
> > >
> > > The release notes are available online at:
> > >
> > >         https://www.samba.org/samba/history/samba-4.6.1.html
> > >         https://www.samba.org/samba/history/samba-4.5.7.html
> > >         https://www.samba.org/samba/history/samba-4.4.12.html
> > >
> > > Our Code, Our Bugs, Our Responsibility.
> > > (https://bugzilla.samba.org/)
> > >
> > >                         --Enjoy
> > >                         The Samba Team
> > >
> > >
> > > --
> > > Mathieu
> > > _______________________________________________
> > > Pkg-samba-maint mailing list
> > > Pkg-samba-maint at lists.alioth.debian.org
> > > http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-samba-maint

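The quoted announcement describes a check-then-use gap: the path is validated with realpath(), then opened by name, and a rename plus symlink in between redirects the open. The C sketch below is an added example, not Samba's fix and not code from this thread; it shows the general mitigation of walking the path relative to a directory handle with O_NOFOLLOW. The names open_beneath and demo and the tree under /tmp are constructed for illustration, and Linux errno values are assumed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Open `rel` beneath `rootfd` one component at a time, each relative to the
 * previous fd with O_NOFOLLOW: no check-then-use gap, symlinks fail (ELOOP). */
int open_beneath(int rootfd, const char *rel, int flags)
{
    char buf[4096], *save = NULL, *comp, *next;
    int dirfd, fd, saved;
    if (strlen(rel) >= sizeof(buf)) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, rel);
    if ((dirfd = dup(rootfd)) < 0) return -1;
    for (comp = strtok_r(buf, "/", &save); comp != NULL; comp = next) {
        next = strtok_r(NULL, "/", &save);
        if (strcmp(comp, "..") == 0) { close(dirfd); errno = EACCES; return -1; }
        fd = openat(dirfd, comp, O_NOFOLLOW | O_CLOEXEC |
                    (next ? O_RDONLY | O_DIRECTORY : flags));
        if (fd < 0) { saved = errno; close(dirfd); errno = saved; return -1; }
        close(dirfd);                 /* parent handle no longer needed */
        if (next == NULL) return fd;  /* last component: the requested file */
        dirfd = fd;
    }
    close(dirfd);
    errno = ENOENT;                   /* empty path */
    return -1;
}

/* Constructed tree under /tmp; returns a bitmask of the checks that held. */
int demo(void)
{
    char top[] = "/tmp/sharedemoXXXXXX";
    int root, fd, r = 0;
    if (!mkdtemp(top) || chdir(top) != 0) return -1;
    mkdir("share", 0700); mkdir("share/sub", 0700); mkdir("outside", 0700);
    close(creat("share/sub/ok.txt", 0600)); close(creat("outside/secret.txt", 0600));
    if (symlink("../outside/secret.txt", "share/leak") ||     /* file link */
        symlink("../../outside", "share/sub/esc")) return -1; /* dir link */
    root = open("share", O_RDONLY | O_DIRECTORY);
    if ((fd = open_beneath(root, "sub/ok.txt", O_RDONLY)) >= 0) { r |= 1; close(fd); }
    if (open_beneath(root, "leak", O_RDONLY) < 0 && errno == ELOOP) r |= 2;
    if (open_beneath(root, "sub/esc/secret.txt", O_RDONLY) < 0) r |= 4;
    if (open_beneath(root, "../outside/secret.txt", O_RDONLY) < 0) r |= 8;
    close(root); return r;   /* 15 when every escape attempt was refused */
}
int main(void) { return demo() == 15 ? 0 : 1; }
```

On Linux 5.6 and later, openat2() with RESOLVE_BENEATH enforces the same containment in the kernel in a single call.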