[SAMBA] CVE-2008-1105 - Boundary failure when parsing SMB responses

Christian Perrier bubulle at debian.org
Thu May 29 04:43:54 GMT 2008

Quoting Gerald (Jerry) Carter (jerry at samba.org):

> My fault for now sending it to the samba-pkg-sec security list before
> then but like Jeremy said, the discussion on the vendor security list
> included a public release date and patch.

Thanks for your precisions, Jerry/Jeremy.

Actually, my misunderstanding comes from the confusion between
samba-pkg-sec and vendor-sec. I simply ignored there were two lists.

I ws also confused by the fact that, for CVE-2007-6015, CVE-2007-5398,
CVE-2007-4572, you contacted us in advance, IIRC.

> So I'll take the blame for not contacting you personally.   But this

Well, don't. I certainly don't expect you to maintain a special list
of ppl which you'd need to contact in addition of existing lists..:-)

As said, I really didn't want to put the blame anywhere but better
understand why we had this notification pretty late.

> is a good reason to have a fall back.  Certainly the debian security
> team knew about this.

Correct. So, actually, that seems to be a communication problem
between the Debian sec. team and us. No blame on them, here: they're
volunteers, just like we are, on just like in many areas in Debian
these days, the "human resources" are scarce.

Anyway, no big harm done. I have packages ready for etch now and the
packages for lenny are ready as well (3.0.30 packages in that
case). Our security team confirmed that sarge is no longer supported.

More information about the samba-technical mailing list