[SAMBA] CVE-2008-1105 - Boundary failure when parsing SMB responses

Steve Langasek vorlon at debian.org
Fri May 30 01:50:37 GMT 2008


On Wed, May 28, 2008 at 11:45:07AM -0700, Jeremy Allison wrote:
> On Wed, May 28, 2008 at 06:07:32PM +0200, Christian Perrier wrote:
> > Quoting Gerald (Jerry) Carter (jerry at samba.org):

> > > The time line is as follows:

> > > * May 15, 2008: Initial report to security at samba.org.
> > > * May 15, 2008: First response from Samba developers confirming
> > >   the bug along with a proposed patch.
> > > * May 28, 2008: Public security advisory made available.

> > Please understand this as a constructive remark, but was there a reason
> > to unveil the issue to "vendors" (including /me and Debian coworkers)
> > as late as May 27th?

> > For the previous security issues, a few months ago, the time we had to
> > develop updates was slightly longer....which is pretty important for
> > volunteers..:-)

> > Of course, and again, no finger pointing here. I have a too deep
> > respect for the work of the Samba Team and the great communication we
> > have with you people...I know there is certainly a reason for the late
> > unveil and would just like to hear about it.

> This was discussed immediately after it was reported on vendor-sec at lst.de.
> Are you on that list?

No.  The policies of vendor-sec are such that only the Debian security team
are on that list; it doesn't allow for per-upstream distro packagers to
subscribe (and most of the traffic would be noise to the Debian Samba
maintainers anyway).

So while the Debian Security Team will eventually be able to provide a
security update based on this information, it generally makes a big
difference to the timeliness of our package updates for security issues if
the Debian Samba maintainers receive advance notification (something that
has worked quite well via the samba-pkg-sec list, aside from the present
case).

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org
