[Pkg-samba-maint] fixing CVE-2018-1050 in samba 3.3.6

Mathieu Parent math.parent at gmail.com
Thu Mar 22 15:40:15 UTC 2018


2018-03-21 23:01 GMT+01:00 Holger Levsen <holger at layer-acht.org>:
> Dear samba maintainers,

Hello,

> the fix for CVE-2018-1050 (e.g. from 4.5.12+dfsg-2+deb9u) applies cleanly
> on 3.6.6-6+deb7u15; however, CVE-2018-1050 says that only versions >4.0.0
> are affected.
>
> Since (afaics) there is no known exploit I cannot really test this, but
> I believe 3.6.6-6+deb7u15 is also vulnerable and the ">4.0.0" is only
> claimed to be non-affected because the samba developers don't support
> < 4.0.0 anymore. Is that the case?
>
> What's your recommendation on what should be done here? To me it seems we
> should fix 3.6.6 in oldoldstable and then also notify others that <4.0.0
> is vulnerable, but I have no idea how to best communicate the latter.
>
> Comments much appreciated.

Have you seen my mail at:
https://lists.debian.org/debian-lts/2018/03/msg00047.html

I agree that a fix is needed for wheezy-lts.

I've added a comment in the bug about 3.6 being affected:
https://bugzilla.samba.org/show_bug.cgi?id=11343#c32

Regards

-- 
Mathieu Parent
