[Pkg-samba-maint] Bug#514151: Bug#514151: Bug#514151: samba: Account locking out doesnt work with an LDAP backend

Christian Perrier bubulle at debian.org
Fri Feb 6 05:41:49 UTC 2009


Quoting Christian Perrier (bubulle at debian.org):
> Quoting Diego A. Gomez (diego at dgomez.com.ar):
> > Package: samba
> > Version: 2:3.2.5-4
> > Severity: critical
> > Tags: security
> > Justification: root security hole
> > 
> > 
> > This bug makes Samba vulnerable to brute-force attacks and makes it possible to gain administrator's domain privileges.
> 
> 
> Nothing in the bug log seems to be qualifying that issue as
> such. Moreover, the fact that upstream didn't issue any security
> update about this makes me think that both the criticality and the
> security implications of that bug need to be discussed.


Looking again more closely at upstream's bug report, I see that this bug
summarizes to "bad login counter in the LDAP backend is not
incremented when a failed login happens".

This is a clear regression from 3.0 and it may deserve to be fixed
in a point release for lenny... maybe even before lenny is released,
by backporting upstream's fix and doing a high-urgency upload, provided
the release team ACKs this.

We have very little time left for this.

I'm still undecided whether to qualify this as a security issue (which would
make us go through a security upload).

