[Pkg-samba-maint] Fwd: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download

L.P.H. van Belle belle at bazuin.nl
Fri Mar 24 15:02:16 UTC 2017


Hai, 

Just checked my other mail, they were rejected key things. 
I corrected my key and uploaded them again. 

You should see them now in a moment. 
I got the message that talloc was successfully uploaded. 

Greetz,

Louis


> -----Original message-----
> From: Jelmer Vernooij [mailto:jelmer at jelmer.uk]
> Sent: Friday 24 March 2017 15:25
> To: pkg-samba-maint at lists.alioth.debian.org; L.P.H. van Belle
> CC: pkg-samba-maint at lists.alioth.debian.org
> Subject: Re: [Pkg-samba-maint] Fwd: [Announce] Samba 4.6.1, 4.5.7 and
> 4.4.12 Security Releases Available for Download
> 
> Do you have links to the packages on mentors.debian.net? I don't see them.
> 
> Jelmer
> 
> On 24 March 2017 11:09:08 GMT+00:00, "L.P.H. van Belle" <belle at bazuin.nl>
> wrote:
> >Done.
> >
> >Uploaded :
> >ldb_1.1.29-1.1_amd64.changes
> >samba_4.6.1-1.0_amd64.changes
> >talloc_2.1.9-1.1_amd64.changes
> >tdb_1.3.12-1.1_amd64.changes
> >
> >The other files are already in debian.
> >
> >Thanks
> >
> >Best regards,
> >
> >Louis van Belle
> >
> >
> >> -----Original message-----
> >> From: Jelmer Vernooij [mailto:jelmer at jelmer.uk]
> >> Sent: Thursday 23 March 2017 20:17
> >> To: L.P.H. van Belle
> >> CC: pkg-samba-maint at lists.alioth.debian.org
> >> Subject: Re: [Pkg-samba-maint] Fwd: [Announce] Samba 4.6.1, 4.5.7 and
> >> 4.4.12 Security Releases Available for Download
> >>
> >> On Thu, Mar 23, 2017 at 01:58:52PM +0100, L.P.H. van Belle wrote:
> >> > Hai,
> >> >
> >> > If someone is interested in a debian 4.6.1.
> >> >
> >> > https://downloads.van-belle.nl/samba4/samba-4.6.1/
> >> >
> >> > buildlog changelog dsc are all included and signed by me.
> >> >
> >> > I'm not accepted (yet) but Andrew would like it to have the latest
> >> > packages in experimental.
> >> >
> >> > So a checkup would be nice and I'll appreciate any comments. (good and
> >> > bad)
> >> Any chance you could upload these to a service like mentors.debian.net ?
> >>
> >> That makes it a bit easier to review.
> >>
> >> Thanks,
> >>
> >> Jelmer
> >>
> >> > > -----Original message-----
> >> > > From: Pkg-samba-maint [mailto:pkg-samba-maint-bounces+belle=bazuin.nl at lists.alioth.debian.org]
> >> > > On behalf of Mathieu Parent
> >> > > Sent: Thursday 23 March 2017 11:30
> >> > > To: debian-lts at lists.debian.org
> >> > > CC: Debian Samba Maintainers; Debian Security Team; Salvatore Bonaccorso
> >> > > Subject: [Pkg-samba-maint] Fwd: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12
> >> > > Security Releases Available for Download
> >> > >
> >> > > Hi,
> >> > >
> >> > > Today samba has released a security fix for a symlink race (leading to
> >> > > information disclosure).
> >> > >
> >> > > Salvatore will take care of the jessie upload, I have uploaded for
> >> > > sid, but we have not done anything on the wheezy side.
> >> > >
> >> > > See attached the backported patches for 3.6 (those are from the samba
> >> > > bugzilla which is still embargoed).
> >> > >
> >> > > Please take care of it.
> >> > >
> >> > > Thanks
> >> > >
> >> > > Mathieu Parent
> >> > >
> >> > >
> >> > > ---------- Forwarded message ----------
> >> > > From: Karolin Seeger via samba-announce <samba-announce at lists.samba.org>
> >> > > Date: 2017-03-23 10:11 GMT+01:00
> >> > > Subject: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases
> >> > > Available for Download
> >> > > To: samba-announce at lists.samba.org, samba at lists.samba.org,
> >> > > samba-technical at lists.samba.org
> >> > >
> >> > >
> >> > > Release Announcements
> >> > > ---------------------
> >> > >
> >> > > These are security releases in order to address the following defect:
> >> > >
> >> > > o  CVE-2017-2619 (Symlink race allows access outside share definition)
> >> > >
> >> > > =======
> >> > > Details
> >> > > =======
> >> > >
> >> > > o  CVE-2017-2619:
> >> > >    All versions of Samba prior to 4.6.1, 4.5.7, 4.4.11 are vulnerable to
> >> > >    a malicious client using a symlink race to allow access to areas of
> >> > >    the server file system not exported under the share definition.
> >> > >
> >> > >    Samba uses the realpath() system call to ensure when a client requests
> >> > >    access to a pathname that it is under the exported share path on the
> >> > >    server file system.
> >> > >
> >> > >    Clients that have write access to the exported part of the file system
> >> > >    via SMB1 unix extensions or NFS to create symlinks can race the server
> >> > >    by renaming a realpath() checked path and then creating a symlink. If
> >> > >    the client wins the race it can cause the server to access the new
> >> > >    symlink target after the exported share path check has been done. This
> >> > >    new symlink target can point to anywhere on the server file system.
> >> > >
> >> > >    This is a difficult race to win, but theoretically possible. Note that
> >> > >    the proof of concept code supplied wins the race reliably only when
> >> > >    the server is slowed down using the strace utility running on the
> >> > >    server. Exploitation of this bug has not been seen in the wild.
> >> > >
> >> > >
> >> > > Changes:
> >> > > --------
> >> > >
> >> > > o  Jeremy Allison <jra at samba.org>
> >> > >    * BUG 12496: CVE-2017-2619: Symlink race permits opening files outside
> >> > >      share directory.
> >> > >
> >> > > o  Ralph Boehme <slow at samba.org>
> >> > >    * BUG 12496: CVE-2017-2619: Symlink race permits opening files outside
> >> > >      share directory.
> >> > >
> >> > >
> >> > > #######################################
> >> > > Reporting bugs & Development Discussion
> >> > > #######################################
> >> > >
> >> > > Please discuss this release on the samba-technical mailing list or by
> >> > > joining the #samba-technical IRC channel on irc.freenode.net.
> >> > >
> >> > > If you do report problems then please try to send high quality
> >> > > feedback. If you don't provide vital information to help us track down
> >> > > the problem then you will probably be ignored.  All bug reports should
> >> > > be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
> >> > > database (https://bugzilla.samba.org/).
> >> > >
> >> > >
> >> > > ======================================================================
> >> > > == Our Code, Our Bugs, Our Responsibility.
> >> > > == The Samba Team
> >> > > ======================================================================
> >> > >
> >> > >
> >> > >
> >> > > ================
> >> > > Download Details
> >> > > ================
> >> > >
> >> > > The uncompressed tarballs and patch files have been signed
> >> > > using GnuPG (ID 6F33915B6568B7EA).  The source code can be downloaded
> >> > > from:
> >> > >
> >> > >         https://download.samba.org/pub/samba/stable/
> >> > >
> >> > > The release notes are available online at:
> >> > >
> >> > >         https://www.samba.org/samba/history/samba-4.6.1.html
> >> > >         https://www.samba.org/samba/history/samba-4.5.7.html
> >> > >         https://www.samba.org/samba/history/samba-4.4.12.html
> >> > >
> >> > > Our Code, Our Bugs, Our Responsibility.
> >> > > (https://bugzilla.samba.org/)
> >> > >
> >> > >                         --Enjoy
> >> > >                         The Samba Team
> >> > >
> >> > >
> >> > > --
> >> > > Mathieu
> >> > > _______________________________________________
> >> > > Pkg-samba-maint mailing list
> >> > > Pkg-samba-maint at lists.alioth.debian.org
> >> > > http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-samba-maint
> >> >
> >> >
> >> > _______________________________________________
> >> > Pkg-samba-maint mailing list
> >> > Pkg-samba-maint at lists.alioth.debian.org
> >> > http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-samba-maint
> >
> >
> >
> >_______________________________________________
> >Pkg-samba-maint mailing list
> >Pkg-samba-maint at lists.alioth.debian.org
> >http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-samba-maint
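
The check-then-use gap behind CVE-2017-2619, as described in the forwarded announcement, shown as an added example that is not part of this thread and is not Samba's code or its patch. The helper names (under_share, open_beneath, demo) and the directory layout are hypothetical; it assumes a POSIX system with openat() and O_NOFOLLOW.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* realpath() check: true only at the instant it runs; share must be canonical. */
int under_share(const char *share, const char *rel) {
    char full[PATH_MAX], real[PATH_MAX];
    size_t n = strlen(share);
    snprintf(full, sizeof full, "%s/%s", share, rel);
    return realpath(full, real) && !strncmp(real, share, n) && real[n] == '/';
}

/* Hardened open: one walk from the share root fd, no ".." and no symlinks. */
int open_beneath(const char *share, const char *rel) {
    char buf[PATH_MAX], *save = NULL, *c, *next;
    int fd, dir = open(share, O_RDONLY | O_DIRECTORY), fl = O_RDONLY | O_NOFOLLOW;
    if (dir < 0) return -1;
    snprintf(buf, sizeof buf, "%s", rel);
    for (c = strtok_r(buf, "/", &save); c; c = next) {
        next = strtok_r(NULL, "/", &save);
        fd = strcmp(c, "..") ? openat(dir, c, fl | (next ? O_DIRECTORY : 0)) : -1;
        close(dir);
        if (fd < 0) return -1;      /* symlink component: ELOOP or ENOTDIR */
        dir = fd;
    }
    return dir;
}

/* Constructed scenario in a temp dir: share/d/f passes the check, then d is
 * replaced by a symlink. Bits: 1 check ok, 2 open() escaped, 4 hardened refused. */
int demo(void) {
    char t[] = "/tmp/shareXXXXXX", share[PATH_MAX + 8];
    int r, fd;
    if (!mkdtemp(t) || !realpath(t, share) || chdir(share)) return -1;
    mkdir("share", 0700); mkdir("share/d", 0700); mkdir("out", 0700);
    close(creat("share/d/f", 0600)); close(creat("out/f", 0600));
    strcat(share, "/share");
    r = under_share(share, "d/f");                          /* check */
    rename("share/d", "share/d.old"); symlink("../out", "share/d");
    if ((fd = open("share/d/f", O_RDONLY)) >= 0) { r |= 2; close(fd); } /* use */
    if ((fd = open_beneath(share, "d/f")) < 0) r |= 4; else close(fd);
    return r;
}

int main(void) { printf("demo() = %d\n", demo()); return 0; }
```

The realpath() answer and the later open() are two separate path resolutions, so the check says nothing about what open() will reach; the descriptor-relative walk resolves the name once and fails closed on any symlink.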
