[SAMBA] CVE-2008-1105 - Boundary failure when parsing
Gerald (Jerry) Carter
jerry at samba.org
Wed May 28 18:53:39 GMT 2008
-----BEGIN PGP SIGNED MESSAGE-----
Christian Perrier wrote:
> Quoting Gerald (Jerry) Carter (jerry at samba.org):
>> The time line is as follows:
>> * May 15, 2008: Initial report to security at samba.org.
>> * May 15, 2008: First response from Samba developers confirming
>> the bug along with a proposed patch.
>> * May 28, 2008: Public security advisory made available.
> Please understand this as a constructive remark, but was there a reason
> to unveil the issue to "vendors" (including /me and Debian coworkers)
> as late as May 27th?
> For the previous security issues, a few months ago, the time we had to
> develop updates was slightly longer....which is pretty important for
> Of course, and again, no finger pointing here. I have a too deep
> respect for the work of the Samba Team and the great communication we
> have with you people...I know there is certainly a reason for the late
> unveil and would just like to hear about it.
My fault for now sending it to the samba-pkg-sec security list before
then but like Jeremy said, the discussion on the vendor security list
included a public release date and patch.
So I'll take the blame for not contacting you personally. But this
is a good reason to have a fall back. Certainly the debian security
team knew about this.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
More information about the samba-technical