Security problem with Samba on Linux: situation for Debian

Christian PERRIER bubulle at debian.org
Tue Mar 9 23:07:27 MST 2010


Quoting Jeremy Allison (jra at samba.org):
> Security problem with Samba on Linux
> ------------------------------------
> 
> In Samba releases 3.5.0, 3.4.6 and 3.3.11 new code
> was added to fix a problem with Linux asynchronous IO handling.

Situation for Debian:

- Debian stable isn't affected by this issue (we have 3.2.5+patches there)
- Official backports from www.backports.org aren't affected either (we
  have 3.4.5)
- Debian unstable has 3.4.7 since yesterday, a few hours after the
  official announcement. As it had 3.4.6 earlier, users of
  Debian unstable *are strongly advised to "apt-get upgrade"*
- Debian experimental has 3.5.1 since about the same time. Users who
  follow samba in experimental to have 3.5 should also upgrade

The most important info:
------------------------

- Debian testing (squeeze) *is* affected as of now. By a very very
  unfortunate sequence of events, yesterday was the day where 3.4.6
  packages that were in unstable aged enough to enter testing.
  And they did. Before I could notice (I happen to do paid work
  during the day..:-))

  So, users of Debian testing should either avoid upgrading today if
  they still have 3.4.5 packages or upgrade their systems ASAP
  with the packages uploaded yesterday in unstable (you need to do
  this manually) if they already upgraded to 3.4.6

  3.4.7 packages were bumped to "high" urgency, which means they will
  enter testing by Thursday March 11th (I'm unsure about the exact
  time).


I don't think that Ubuntu is affected by all this, even the soon to
come Lucid... but this is unverified information.



