Security problem with Samba on Linux: situation for Debian

Jeremy Allison jra at samba.org
Wed Mar 10 15:55:53 MST 2010


On Wed, Mar 10, 2010 at 07:07:27AM +0100, Christian PERRIER wrote:
> Quoting Jeremy Allison (jra at samba.org):
> > Security problem with Samba on Linux
> > ------------------------------------
> > 
> > In Samba releases 3.5.0, 3.4.6 and 3.3.11 new code
> > was added to fix a problem with Linux asynchronous IO handling.
> 
> Situation for Debian:
> 
> - Debian stable isn't affected by this issue (we have 3.2.5+patches there)
> - Official backports from www.backports.org aren't affected either (we
>   have 3.4.5)
> - Debian unstable has 3.4.7 since yesterday, a few hours after the
>   official announcement. As it had 3.4.6 earlier, users of
>   Debian unstable *are strongly advised to "apt-get upgrade"*
> - Debian experimental has 3.5.1 since about the same time. Users who
>   follow samba in experimental to have 3.5 should also upgrade
> 
> The most important info:
> ------------------------
> 
> - Debian testing (squeeze) *is* affected as of now. By a very very 
>   unfortunate sequence of events, yesterday was the day when 3.4.6
>   packages that were in unstable aged enough to enter testing.
>   And they did. Before I could notice (I happen to do paid work
>   during the day..:-))
> 
>   So, users of Debian testing should either avoid upgrading today if
>   they still have 3.4.5 packages or upgrade their systems ASAP
>   with the packages uploaded yesterday in unstable (you need to do
>   this manually) if they already upgraded to 3.4.6
> 
>   3.4.7 packages were bumped to "high" urgency, which means they will
>   enter testing by Thursday March 11th (I'm unsure about the exact
>   time).
> 
> 
> I don't think that Ubuntu is affected by all this, even the soon to
> come Lucid... but this is unverified information.


Thanks for all the information on the Debian situation.

I fixed "make test" yesterday so it can run as root and
will detect and fail the test if smbd has the DAC_OVERRIDE
problem, so we should be safe from any possible regressions
in future.

Thanks,

Jeremy.
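The reply above describes a root-run "make test" that fails when smbd still holds DAC_OVERRIDE. Below is an added example of what such a check can look like; it is not Samba's test code and not from either author of this thread. It performs two independent checks on the calling process on Linux: it reads the effective capability set from /proc/self/status and looks for CAP_DAC_OVERRIDE (bit 1), and it probes behaviourally by creating a mode-0000 file it owns and trying to reopen it for writing, which the kernel refuses for the owner unless CAP_DAC_OVERRIDE is effective. The path /tmp and the function names are my own choices. Run from a process that has already switched to an unprivileged user (the state an smbd child is in while serving that user), both checks must report 0; run as plain root they report 1, because root holds the capability legitimately.

```c
/* Added example, not Samba code: detect whether the calling process
 * still holds CAP_DAC_OVERRIDE.  Linux only (uses /proc). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#ifndef CAP_DAC_OVERRIDE
#define CAP_DAC_OVERRIDE 1   /* bit index as in linux/capability.h */
#endif

/* Return 1 if capability bit `cap` is set in a hex capability mask as
 * printed in /proc/<pid>/status (e.g. "000001ffffffffff"), 0 if it is
 * clear, -1 if the string is not a hex number or `cap` is out of range. */
int cap_in_mask(const char *hex, int cap)
{
    char *end;
    errno = 0;
    unsigned long long mask = strtoull(hex, &end, 16);
    if (errno != 0 || end == hex || cap < 0 || cap > 63)
        return -1;
    return (int)((mask >> cap) & 1ULL);
}

/* Check 1: read the effective set from /proc/self/status.
 * Returns 1 if CAP_DAC_OVERRIDE is effective, 0 if not, -1 on error. */
int dac_override_in_proc_status(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    char line[256];
    int result = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            /* strtoull skips the tab that follows the colon */
            result = cap_in_mask(line + 7, CAP_DAC_OVERRIDE);
            break;
        }
    }
    fclose(f);
    return result;
}

/* Check 2: behavioural probe.  Create a file we own, chmod it to 0000,
 * and try to reopen it for writing.  Without CAP_DAC_OVERRIDE the kernel
 * answers EACCES even for the owner; with it the open succeeds.
 * O_WRONLY is deliberate: CAP_DAC_READ_SEARCH alone would let a
 * read-only open through and hide the problem.  Returns 1 if the
 * write-open succeeded, 0 if it was refused with EACCES, -1 if the
 * probe could not be set up (e.g. /tmp not writable). */
int dac_override_by_probe(void)
{
    char path[] = "/tmp/dacprobe-XXXXXX";   /* assumed scratch location */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    close(fd);
    if (chmod(path, 0) != 0) {
        unlink(path);
        return -1;
    }
    int result;
    fd = open(path, O_WRONLY);
    if (fd >= 0) {
        close(fd);
        result = 1;
    } else if (errno == EACCES) {
        result = 0;
    } else {
        result = -1;
    }
    unlink(path);
    return result;
}

int main(void)
{
    int from_status = dac_override_in_proc_status();
    int from_probe = dac_override_by_probe();
    printf("uid=%u CapEff check=%d probe check=%d\n",
           (unsigned)geteuid(), from_status, from_probe);
    /* A test harness that has already dropped to the test user treats
     * a 1 from either check as a failure. */
    if (geteuid() != 0 && (from_status == 1 || from_probe == 1)) {
        fprintf(stderr, "FAIL: CAP_DAC_OVERRIDE still effective\n");
        return 1;
    }
    return 0;
}
```

The two checks are kept separate on purpose: the /proc reading tells you what the kernel believes the process holds, while the probe shows what that actually lets the process do, and a harness that only trusted one of them could be fooled by a test environment where /proc is missing or /tmp is on an unusual filesystem.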