Debian packages fixing CVE-2009-0022 are available
bubulle at debian.org
Tue Jan 6 06:09:15 GMT 2009
Quoting Karolin Seeger (kseeger at samba.org):
> o CVE-2009-0022
> In Samba 3.2.0 to 3.2.6, in setups with registry shares enabled,
> access to the root filesystem ("/") is granted
> when connecting to a share called "" (empty string)
> using old versions of smbclient (before 3.0.28).
The Debian Samba packaging team uploaded 2:3.2.5-3 packages yesterday
in Debian unstable. They include the fix for CVE-2009-0022.

These packages should enter Debian lenny (the next-to-come Debian
release) very soon.

Please note that 3.2.7 packages will not be provided in Debian
lenny. Because of the freeze in preparation for lenny, we stopped the
counter at 3.2.5.

We however provide *unofficial* packages of 3.2.6 (and soon 3.2.7) as
(again, this is not an official service by Debian, only a courtesy
service by the packagers, on a best effort basis).