[Pkg-samba-maint] fixing CVE-2018-1050 in samba 3.3.6

Holger Levsen holger at layer-acht.org
Wed Mar 21 22:01:19 UTC 2018


Dear samba maintainers,

the fix for CVE-2018-1050 (e.g. from 4.5.12+dfsg-2+deb9u) applies cleanly
on 3.6.6-6+deb7u15; however, CVE-2018-1050 says that only versions >4.0.0
are affected.

Since (afaics) there is no known exploit, I cannot really test this, but
I believe 3.6.6-6+deb7u15 is also vulnerable and the ">4.0.0" is only
claimed to be non-affected because the samba developers don't support
< 4.0.0 anymore. Is that the case?

What's your recommendation on what should be done here? To me it seems we
should fix 3.6.6 in oldoldstable and then also notify others that <4.0.0
is vulnerable, but I have no idea how to best communicate the latter.

Comments much appreciated.


-- 
cheers,
	Holger