[Pkg-samba-maint] Fwd: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download

Jelmer Vernooij jelmer at jelmer.uk
Fri Mar 24 14:24:33 UTC 2017


Do you have links to the packages on mentors.debian.net? I don't see them.

Jelmer

On 24 March 2017 11:09:08 GMT+00:00, "L.P.H. van Belle" <belle at bazuin.nl> wrote:
>Done. 
>
>Uploaded : 
>ldb_1.1.29-1.1_amd64.changes  
>samba_4.6.1-1.0_amd64.changes  
>talloc_2.1.9-1.1_amd64.changes  
>tdb_1.3.12-1.1_amd64.changes
>
>The other files are already in debian. 
>
>Thanks
>
>Best regards, 
>
>Louis van Belle
>
>
>> -----Original message-----
>> From: Jelmer Vernooij [mailto:jelmer at jelmer.uk]
>> Sent: Thursday 23 March 2017 20:17
>> To: L.P.H. van Belle
>> CC: pkg-samba-maint at lists.alioth.debian.org
>> Subject: Re: [Pkg-samba-maint] Fwd: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download
>> 
>> On Thu, Mar 23, 2017 at 01:58:52PM +0100, L.P.H. van Belle wrote:
>> > Hai,
>> >
>> > If someone is interested in a debian 4.6.1.
>> >
>> > https://downloads.van-belle.nl/samba4/samba-4.6.1/
>> >
>> > buildlog changelog dsc are all included and signed by me.
>> >
>> > I'm not accepted (yet) but Andrew would like it to have the latest packages in experimental.
>> >
>> > So a checkup would be nice and I'll appreciate any comments. (good and bad)
>> Any chance you could upload these to a service like mentors.debian.net ?
>> 
>> That makes it a bit easier to review.
>> 
>> Thanks,
>> 
>> Jelmer
>> 
>> > > -----Original message-----
>> > > From: Pkg-samba-maint [mailto:pkg-samba-maint-bounces+belle=bazuin.nl at lists.alioth.debian.org] On behalf of Mathieu Parent
>> > > Sent: Thursday 23 March 2017 11:30
>> > > To: debian-lts at lists.debian.org
>> > > CC: Debian Samba Maintainers; Debian Security Team; Salvatore Bonaccorso
>> > > Subject: [Pkg-samba-maint] Fwd: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download
>> > >
>> > > Hi,
>> > >
>> > > Today samba has released a security fix for a symlink race (leading to
>> > > information disclosure).
>> > >
>> > > Salvatore will take care of the jessie upload, I have uploaded for
>> > > sid, but we have not done anything on the wheezy side.
>> > >
>> > > See attached the backported patches for 3.6 (those are from the samba
>> > > bugzilla which is still embargoed).
>> > >
>> > > Please take care of it.
>> > >
>> > > Thanks
>> > >
>> > > Mathieu Parent
>> > >
>> > >
>> > > ---------- Forwarded message ----------
>> > > From: Karolin Seeger via samba-announce <samba-announce at lists.samba.org>
>> > > Date: 2017-03-23 10:11 GMT+01:00
>> > > Subject: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases
>> > > Available for Download
>> > > To: samba-announce at lists.samba.org, samba at lists.samba.org,
>> > > samba-technical at lists.samba.org
>> > >
>> > >
>> > > Release Announcements
>> > > ---------------------
>> > >
>> > > These are security releases in order to address the following defect:
>> > >
>> > > o  CVE-2017-2619 (Symlink race allows access outside share definition)
>> > >
>> > > =======
>> > > Details
>> > > =======
>> > >
>> > > o  CVE-2017-2619:
>> > >    All versions of Samba prior to 4.6.1, 4.5.7, 4.4.11 are vulnerable to
>> > >    a malicious client using a symlink race to allow access to areas of
>> > >    the server file system not exported under the share definition.
>> > >
>> > >    Samba uses the realpath() system call to ensure when a client requests
>> > >    access to a pathname that it is under the exported share path on the
>> > >    server file system.
>> > >
>> > >    Clients that have write access to the exported part of the file system
>> > >    via SMB1 unix extensions or NFS to create symlinks can race the server
>> > >    by renaming a realpath() checked path and then creating a symlink. If
>> > >    the client wins the race it can cause the server to access the new
>> > >    symlink target after the exported share path check has been done. This
>> > >    new symlink target can point to anywhere on the server file system.
>> > >
>> > >    This is a difficult race to win, but theoretically possible. Note that
>> > >    the proof of concept code supplied wins the race reliably only when
>> > >    the server is slowed down using the strace utility running on the
>> > >    server. Exploitation of this bug has not been seen in the wild.
>> > >
>> > >
>> > > Changes:
>> > > --------
>> > >
>> > > o  Jeremy Allison <jra at samba.org>
>> > >    * BUG 12496: CVE-2017-2619: Symlink race permits opening files outside
>> > >      share directory.
>> > >
>> > > o  Ralph Boehme <slow at samba.org>
>> > >    * BUG 12496: CVE-2017-2619: Symlink race permits opening files outside
>> > >      share directory.
>> > >
>> > >
>> > > #######################################
>> > > Reporting bugs & Development Discussion
>> > > #######################################
>> > >
>> > > Please discuss this release on the samba-technical mailing list or by
>> > > joining the #samba-technical IRC channel on irc.freenode.net.
>> > >
>> > > If you do report problems then please try to send high quality
>> > > feedback. If you don't provide vital information to help us track down
>> > > the problem then you will probably be ignored.  All bug reports should
>> > > be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
>> > > database (https://bugzilla.samba.org/).
>> > >
>> > >
>> > >
>> > > ======================================================================
>> > > == Our Code, Our Bugs, Our Responsibility.
>> > > == The Samba Team
>> > > ======================================================================
>> > >
>> > >
>> > >
>> > > ================
>> > > Download Details
>> > > ================
>> > >
>> > > The uncompressed tarballs and patch files have been signed
>> > > using GnuPG (ID 6F33915B6568B7EA).  The source code can be downloaded
>> > > from:
>> > >
>> > >         https://download.samba.org/pub/samba/stable/
>> > >
>> > > The release notes are available online at:
>> > >
>> > >         https://www.samba.org/samba/history/samba-4.6.1.html
>> > >         https://www.samba.org/samba/history/samba-4.5.7.html
>> > >         https://www.samba.org/samba/history/samba-4.4.12.html
>> > >
>> > > Our Code, Our Bugs, Our Responsibility.
>> > > (https://bugzilla.samba.org/)
>> > >
>> > >                         --Enjoy
>> > >                         The Samba Team
>> > >
>> > >
>> > > --
>> > > Mathieu
>> > > _______________________________________________
>> > > Pkg-samba-maint mailing list
>> > > Pkg-samba-maint at lists.alioth.debian.org
>> > >
>> > > http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-samba-maint
>> >
>> >
>
>
>


