[Pkg-samba-maint] (forw) [Samba-pkg-sec] [Fwd: [SAMBA] GETDC mailslot processing buffer overrun in nmbd]
vorlon at debian.org
Sat Nov 17 09:02:39 UTC 2007
On Fri, Nov 16, 2007 at 11:01:53AM -0800, Steve Langasek wrote:
> On Fri, Nov 16, 2007 at 10:56:51AM +0000, Steve Kemp wrote:
> > On Thu Nov 15, 2007 at 14:10:15 -0800, Steve Langasek wrote:
> > > Christian ran out of time today to upload packages built with the revised
> > > patch, so I've gone ahead with building the etch packages here as well. The
> > > diff is attached, and these packages are also on their way to
> > > security-master now.
> > Thanks, I'll release it once it is all built.
> FYI, there's a regression reported upstream as a result of the DoS fix
> (in spite of my noting the riskiness of the code change, and upstream
> assuring me they'd done an audit of the affected codepaths, sigh):
> So far this is only reported to affect mounting of shares with the
> deprecated smbfs kernel driver on Linux, so given that it's been bound up
> with the fix for a remote code execution bug in a daemon that runs as root,
> I would recommend going ahead with releasing these security advisories as-is
> and I'll chase them up with a fix from upstream as soon as it's available.
Upstream has made the fixed patch available in
confirmed that adding this patch fixes the regression observed in 3.0.27
with smbfs clients, for 3.0.24; I haven't tested 3.0.14 due to lack of a
convenient test environment for sarge.
Updated packages, source+binary signed, are available at
<http://people.debian.org/~vorlon/samba/>. I'll leave it up to the security
team to decide whether to accept these immediately, or push out the earlier
Steve Langasek
Debian Developer
vorlon at debian.org
http://www.debian.org/

"Give me a lever long enough and a Free OS to set it on, and I can move the world."