[Pkg-samba-maint] Bug#514151: Bug#514151: Bug#514151: samba: Account locking out doesnt work with an LDAP backend

Diego A. Gomez diego at dgomez.com.ar
Sat Feb 7 21:05:40 UTC 2009


On Fri, Feb 6, 2009 at 3:41 AM, Christian Perrier <bubulle at debian.org> wrote:
> Quoting Christian Perrier (bubulle at debian.org):
>> Quoting Diego A. Gomez (diego at dgomez.com.ar):
>> > Package: samba
>> > Version: 2:3.2.5-4
>> > Severity: critical
>> > Tags: security
>> > Justification: root security hole
>> >
>> >
>> > This bug makes Samba vulnerable to brute-force attacks and makes it possible to gain domain administrator privileges.
>>
>>
>> Nothing in the bug log seems to be qualifying that issue as
>> such. Moreover, the fact that upstream didn't issue any security
>> update about this makes me think that both the criticality and the
>> security implications of that bug need to be discussed.
>
>
> Looking again closer at upstream's bug report, I see that this bug
> summarizes to "bad login counter in the LDAP backend is not
> incremented when a failed login happens"
>
> This is a clear regression from 3.0 and it maybe deserves to be fixed
> in a point release for lenny....maybe even before lenny is released,
> by backporting upstream's fix and doing a high-urgency upload, provided
> the release team ACKs this.
>
> We have very little time left for this.
>
> I'm still undecided about qualifying this as a security issue (which would
> make us go through a security upload).

I think this bug must be fixed before Lenny becomes Stable.

Account locking after N failed login attempts isn't a new feature.
Account locking (using LDAP as backend) works right in Etch, so, if
this bug is not fixed, an upgrade from Etch to Lenny will introduce
this bug.
This bug is more than "important"; moreover, it is not good that an
upgrade introduces a bug into a feature that currently doesn't have one.

-- 
Diego.-