[SAMBA] CVE-2008-1105 - Boundary failure when parsing SMB responses
Gerald (Jerry) Carter
jerry at samba.org
Wed May 28 18:53:39 GMT 2008
Christian Perrier wrote:
> Quoting Gerald (Jerry) Carter (jerry at samba.org):
>
>> The time line is as follows:
>>
>> * May 15, 2008: Initial report to security at samba.org.
>> * May 15, 2008: First response from Samba developers confirming
>> the bug along with a proposed patch.
>> * May 28, 2008: Public security advisory made available.
>
> Please understand this as a constructive remark, but was there a reason
> to unveil the issue to "vendors" (including /me and Debian coworkers)
> as late as May 27th?
>
> For the previous security issues, a few months ago, the time we had to
> develop updates was slightly longer....which is pretty important for
> volunteers..:-)
>
> Of course, and again, no finger pointing here. I have too deep a
> respect for the work of the Samba Team and the great communication we
> have with you people...I know there is certainly a reason for the late
> unveil and would just like to hear about it.

My fault for not sending it to the samba-pkg-sec security list before
then, but like Jeremy said, the discussion on the vendor security list
included a public release date and patch.

So I'll take the blame for not contacting you personally. But this
is a good reason to have a fallback. Certainly the Debian security
team knew about this.

cheers, jerry