Samba Issue

Perez, Eugenio eugenio.perez at hp.com
Thu Apr 22 05:11:17 MDT 2010


Hi Volker

Thank you for the quick response. I appreciate your honesty regarding the matter. On a kind note, it is really unprofessional behaviour for Intevydis not to release info on this matter. Anyway, I am sure you are more equipped, skilled and professional in resolving this and future vulnerabilities.


Cheers

Eugenio Perez
Technology Consultant
IE - GM AP
HP Enterprise Services
Telephone +64 9 4872202
Email: eugenio.perez at hp.com
74 Taharoto Road
Level 2 Smales Farm
Takapuna
Auckland, NZ 0622




-----Original Message-----
From: Volker Lendecke [mailto:Volker.Lendecke at SerNet.DE]
Sent: Thursday, 22 April 2010 10:16 p.m.
To: Perez, Eugenio
Cc: samba-technical at lists.samba.org; Gutteridge, Stuart
Subject: Re: Samba Issue

On Thu, Apr 22, 2010 at 01:36:41AM +0000, Perez, Eugenio wrote:
> I was wondering if you have a patch available for the vulnerability 
> mentioned below or maybe you can direct me to some site that can help 
> to find the available patches that address these vulnerabilities:
> 
> Platforms: AIX, HP-UX, Solaris 9,10 and SuSE
> 
> Samba Versions affected: v 3.0.13, v 3.0.28, v 3.0.32,
> v3.0.34
> 
> Your help on this matter is greatly appreciated. Thank you in 
> advance.
> 
> http://www.securityfocus.com/bid/36250/discuss
> 
> Samba 3.x Multiple Unspecified Remote Vulnerabilities
> 
> Samba is prone to multiple unspecified remote vulnerabilities, 
> including:

We are very sorry, but we cannot. We have tried really hard to get more information about the vulnerabilities Intevydis claims in their announcements. But it is not possible to get any information about them without signing a very strict contract with that company, which prevents the people who have access to their information from providing us (the Samba Team) with sufficient information to fix the issues.

Believe us, this situation is very, very uncomfortable for us, but the Intevydis policy seems to us to have the primary goal of keeping those vulnerabilities open for as long as possible, thus forcing people to enter contracts with them.

We have looked over the list they posted once on their website, and some of the vulnerabilities they claim look very similar to problems we have fixed in later releases, but we cannot be sure because the information they publish is very sparse.

Older versions of Samba do have known vulnerabilities; please see http://www.samba.org/samba/history/security.html
for a timeline of our security fixes.

For the current versions of Samba, 3.5.2, 3.4.7, 3.3.12,
3.2.15 and 3.0.37, we are not aware of any security issues.

If you have any more information about any vulnerability, please contact us at security at samba.org. We will do our very best to fix this as soon as possible!

Thanks,

Volker
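As an added example that is not part of the thread or the Samba project's own tooling: a small Python check that takes an installed Samba version string (or the output of `smbd --version`) and compares it against the per-branch releases Volker lists above, so an administrator can see at a glance which of the deployed versions in the original question were behind the release the Samba Team considered clean at the time. The branch table is copied from the message and is a snapshot as of April 2010, not a live feed; the assumption that a trailing letter such as `3.0.28a` is a post-release fix and can be ignored for the comparison is mine.

```python
import re

# Newest release per stable branch as stated in Volker's reply (April 2010).
# The Samba Team said it was aware of no security issues in these releases.
CURRENT_RELEASES = {
    (3, 5): (3, 5, 2),
    (3, 4): (3, 4, 7),
    (3, 3): (3, 3, 12),
    (3, 2): (3, 2, 15),
    (3, 0): (3, 0, 37),
}

# Versions the original question listed as deployed.
QUERIED_VERSIONS = ["3.0.13", "3.0.28", "3.0.32", "3.0.34"]

# Matches 'Version 3.0.28a-SUSE' as well as a bare '3.0.37'.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_version(text):
    """Extract (major, minor, patch, suffix) from a version string or from
    the output of `smbd --version`. Raises ValueError if nothing matches."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no Samba version found in %r" % text)
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch), suffix


def assess(text):
    """Return (status, recommended) where status is 'current', 'outdated'
    or 'unknown-branch', and recommended is the newest release on the same
    branch from CURRENT_RELEASES (None for an unlisted branch).

    Assumption: a suffix letter (3.0.28a) is a post-release fix and is not
    needed to decide whether the numeric release is at least the listed one.
    """
    major, minor, patch, _suffix = parse_version(text)
    latest = CURRENT_RELEASES.get((major, minor))
    if latest is None:
        return "unknown-branch", None
    recommended = ".".join(str(n) for n in latest)
    if (major, minor, patch) >= latest:
        return "current", recommended
    return "outdated", recommended


def report(versions):
    """Assess each version string and return a list of (version, status,
    recommended) tuples suitable for printing or further processing."""
    return [(v,) + assess(v) for v in versions]


if __name__ == "__main__":
    for version, status, recommended in report(QUERIED_VERSIONS):
        print("%-8s %-14s upgrade to: %s" % (version, status, recommended))
```

Run stand-alone, the block reports all four versions from the original question as outdated relative to 3.0.37; feeding it `smbd --version` output from a host gives the same answer for that host. Any branch not in the table (for example a later 3.6.x) is reported as unknown rather than silently treated as current.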

