[SAMBA] CVE-2008-1105 - Boundary failure when parsing SMB
vorlon at debian.org
Fri May 30 01:50:37 GMT 2008
On Wed, May 28, 2008 at 11:45:07AM -0700, Jeremy Allison wrote:
> On Wed, May 28, 2008 at 06:07:32PM +0200, Christian Perrier wrote:
> > Quoting Gerald (Jerry) Carter (jerry at samba.org):
> > > The time line is as follows:
> > > * May 15, 2008: Initial report to security at samba.org.
> > > * May 15, 2008: First response from Samba developers confirming
> > > the bug along with a proposed patch.
> > > * May 28, 2008: Public security advisory made available.
> > Please understand this as a constructive remark, but was there a reason
> > to unveil the issue to "vendors" (including /me and Debian coworkers)
> > as late as May 27th?
> > For the previous security issues, a few months ago, the time we had to
> > develop updates was slightly longer....which is pretty important for
> > volunteers..:-)
> > Of course, and again, no finger pointing here. I have a too deep
> > respect for the work of the Samba Team and the great communication we
> > have with you people...I know there is certainly a reason for the late
> > unveil and would just like to hear about it.
> This was discussed immediately it was reported on vendor-sec at lst.de.
> Are you on that list?
No. The policies of vendor-sec are such that only the Debian security team
are on that list; it doesn't allow for per-upstream distro packagers to
subscribe (and most of the traffic would be noise to the Debian Samba
So while the Debian Security Team will eventually be able to provide a
security update based on this information, it generally makes a big
difference to the timeliness of our package updates for security issues if
the Debian Samba maintainers receive advanced notification (something that
has worked quite well via the samba-pkg-sec list, aside from the present
Steve Langasek
Debian Developer
Ubuntu Developer
slangasek at ubuntu.com / vorlon at debian.org
http://www.debian.org/

"Give me a lever long enough and a Free OS to set it on, and I can move the world."