Security problem with Samba on Linux: situation for Debian
Christian PERRIER
bubulle at debian.org
Tue Mar 9 23:07:27 MST 2010
Quoting Jeremy Allison (jra at samba.org):
> Security problem with Samba on Linux
> ------------------------------------
>
> In Samba releases 3.5.0, 3.4.6 and 3.3.11 new code
> was added to fix a problem with Linux asynchronous IO handling.

Situation for Debian:
- Debian stable isn't affected by this issue (we have 3.2.5+patches there)
- Official backports from www.backports.org aren't affected either (we
have 3.4.5)
- Debian unstable has 3.4.7 since yesterday, a few hours after the
official announcement. As it had 3.4.6 earlier, users of
Debian unstable *are strongly advised to "apt-get upgrade"*
- Debian experimental has 3.5.1 since about the same time. Users who
follow samba in experimental to have 3.5 should also upgrade

The most important info:
------------------------
- Debian testing (squeeze) *is* affected as of now. By a very very
unfortunate sequence of events, yesterday was the day where 3.4.6
packages that were in unstable aged enough to enter testing.
And they did. Before I could notice (I happen to do paid work
during the day..:-))
So, users of Debian testing should either avoid upgrading today if
they still have 3.4.5 packages or upgrade their systems ASAP
with the packages uploaded yesterday in unstable (you need to do
this manually) if they already upgraded to 3.4.6
3.4.7 packages were bumped to "high" urgency, which means they will
enter testing by Thursday March 11th (I'm unsure about the exact
time).
I don't think that Ubuntu is affected by all this, even the
soon-to-come Lucid... but this is unverified information.