[Pkg-samba-maint] upload of samba 4.7.6

Mathieu Parent (Debian) sathieu at debian.org
Wed Mar 14 15:39:36 UTC 2018


2018-03-14 14:29 GMT+01:00 Andreas Hasenack <andreas at canonical.com>:
>
>
> On Wed, Mar 14, 2018 at 9:51 AM, Mathieu Parent (Debian)
> <sathieu at debian.org> wrote:
>>
>> Hello,
>>
>> 2018-03-14 13:36 GMT+01:00 Andreas Hasenack <andreas at canonical.com>:
>> > Hi guys, (CCing Mathieu because I'm not sure he is in the list, sorry if
>> > you
>> > get dupes, and is listed a lot in d/changelog)
>> >
>> > just checking in to see if you are about to upload 4.7.6 to Debian. I
>> > would
>> > like to do that for Ubuntu, following Andrew's request (and reasoning)
>> > in
>> >
>> > https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1755059
>> > and
>> >
>> > https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1755057.
>> > The secfixes
>> > have patches, but the corruption bug patch is quite big, around 100Kb.
>> >
>> > Unfortunately the orig tarball is a dfsg one, so if I generate one
>> > myself
>> > there is no guarantee that its md5 will match what Debian will generate,
>> > even though the content will be the same (different compression levels
>> > could
>> > cause that md5 to differ, for example).
>> >
>> > To avoid that, my plan is to use a version like
>> > 4.7.6+dfsg~ubuntu-0ubuntu1
>> > for the Ubuntu package, so that when the time comes to merge with Debian
>> > again, the version is different and we would avoid a potential hash
>> > mismatch
>> > between the orig tarballs.
>> >
>> > Since we are in feature freeze mode, I'm starting on that now. These two
>> > version bumps contain only bugfixes, so I can still upload it. But if
>> > you
>> > are just about to upload 4.7.6 yourselves, then I wouldn't have to use
>> > this
>> > odd/long version for the Ubuntu package. I also saw that the delta
>> > between
>> > our packages was greatly reduced in your last 4.7.4 upload, which is
>> > great.
>> >
>> > Cheers!
>> >
>>
>> Why not use 2:4.7.4+dfsg-2 which contains those two fixes?
>
>
> You have the two security fixes (CVE-2018-1050 and CVE-2018-1057), but I
> don't see a fix for https://bugzilla.samba.org/show_bug.cgi?id=13228 which
> Andrew Bartlett filed against Ubuntu as
> https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1755057
>
OK.



-- 
Mathieu Parent


