[SAMBA] CVE-2008-1105 - Boundary failure when parsing SMB responses

Gerald (Jerry) Carter jerry at samba.org
Wed May 28 18:53:39 GMT 2008

Hash: SHA1

Christian Perrier wrote:
> Quoting Gerald (Jerry) Carter (jerry at samba.org):
>> The time line is as follows:
>> * May 15, 2008: Initial report to security at samba.org.
>> * May 15, 2008: First response from Samba developers confirming
>>   the bug along with a proposed patch.
>> * May 28, 2008: Public security advisory made available.
> Please understand this as a constructive remark, but was there a reason
> to unveil the issue to "vendors" (including /me and Debian coworkers)
> as late as May 27th?
> For the previous security issues, a few months ago, the time we had to
> develop updates was slightly longer....which is pretty important for
> volunteers..:-)
> Of course, and again, no finger pointing here. I have a too deep
> respect for the work of the Samba Team and the great communication we
> have with you people...I know there is certainly a reason for the late
> unveil and would just like to hear about it.

My fault for now sending it to the samba-pkg-sec security list before
then but like Jeremy said, the discussion on the vendor security list
included a public release date and patch.

So I'll take the blame for not contacting you personally.   But this
is a good reason to have a fall back.  Certainly the debian security
team knew about this.

cheers, jerry
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


More information about the samba-technical mailing list