[Samba] Big problems with 3.0.24-6etch6 Debian packages

Christian Perrier bubulle at debian.org
Fri Nov 30 05:46:15 GMT 2007


Quoting Christian Perrier (bubulle at debian.org):

> > I saw a security announcement yesterday by Steve Kemp, but it's a bit 
> > confusing, for Etch it lists some 6etch6 packages and some 6etch7 others.
> > Are the current packages broken?
> 
> 3.0.24-6etch5 is the first roll-up of packages fixing CVE-2007-5398 and
> CVE-2007-4572
> 
> 3.0.24-6etch6 fixes a regression introduced in -etch5 (indeed introduced in
> upstream's initial published fixes). That regression affects those
> people who use smbfs only.
> 
> Apparently, however, another regression which seems to affect long
> directory listings is present in -etch6 and might lead to -etch7 packages.


New packages have been rolled out which claim to fix the long
directory listings regression. It turned out that a chunk from
upstream's fixes for other regressions was unfortunately forgotten in
-etch6 and -etch7 packages (as well as 3.0.14a-3sarge8 and -sarge9 for
Debian sarge).

As I'm writing this, Debian mirrors should now (soon) have the
3.0.14a-3sarge10 and 3.0.24-6etch8 packages.

A new DSA (Debian Security Advisory) was issued yesterday about this: 
DSA-1409-3 for CVE-2007-4572 and CVE-2007-5398 (note the "-3").

Feedback about these packages is currently quite low so I would suggest
that people run them carefully on their production servers. They
*should* be OK....but former versions should have been as well....:-|



