Fix for CVE-2013-4475 missing in Samba-3.5 series
Andrew Bartlett
abartlet at samba.org
Mon Jan 27 13:24:55 MST 2014
On Mon, 2014-01-20 at 15:23 -0800, Jeremy Allison wrote:
> On Fri, Jan 17, 2014 at 07:44:48AM +0000, V S, Nagendra (Nonstop Filesystems Team) wrote:
> > Hi,
> > I was porting the recent Samba CVE (CVE-2013-4408) to NonStop; while at it, I observed that the fix for CVE-2013-4475 was not present in the Samba-3.5.22 version. Can you please let me know if this is intentional? (i.e. CVE-2013-4475 is not applicable to the 3.5 series)
>
> 3.5.22 was released before CVE-2013-4408 was discovered.
>
> 3.5.x is out of maintenance, so we won't be releasing
> a 3.5.23 for this. The patch against 3.5.22 is available
> on the bug report, if you need to create a product using
> 3.5.x.
The bug report isn't public, but the patches are published to
https://www.samba.org/samba/history/security.html
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba