[SAMBA] CVE-2008-1105 - Boundary failure when parsing SMB responses

Jeremy Allison jra at samba.org
Wed May 28 18:45:07 GMT 2008


On Wed, May 28, 2008 at 06:07:32PM +0200, Christian Perrier wrote:
> Quoting Gerald (Jerry) Carter (jerry at samba.org):
> 
> > The time line is as follows:
> > 
> > * May 15, 2008: Initial report to security at samba.org.
> > * May 15, 2008: First response from Samba developers confirming
> >   the bug along with a proposed patch.
> > * May 28, 2008: Public security advisory made available.
> 
> Please understand this as a constructive remark, but was there a reason
> to unveil the issue to "vendors" (including /me and Debian coworkers)
> as late as May 27th?
> 
> For the previous security issues, a few months ago, the time we had to
> develop updates was slightly longer....which is pretty important for
> volunteers..:-)
> 
> Of course, and again, no finger pointing here. I have too deep a
> respect for the work of the Samba Team and the great communication we
> have with you people...I know there is certainly a reason for the late
> unveil and would just like to hear about it.

This was discussed immediately it was reported on vendor-sec at lst.de.
Are you on that list?

Jeremy.
