[Samba] Big problems with 3.0.24-6etch6 Debian packages
Christian Perrier
bubulle at debian.org
Fri Nov 30 05:46:15 GMT 2007
Quoting Christian Perrier (bubulle at debian.org):
> > I saw a security announce yesterday by Steve Kemp, but it's a bit
> > confusing, for Etch it lists some 6etch6 packages and some 6etch7 others.
> > Are the current packages broken?
>
> 3.0.24-6etch5 is the first roll-up of packages fixing CVE-2007-5398 and
> CVE-2007-4572
>
> 3.0.24-6etch6 fixes a regression introduced in -etch5 (indeed introduced in
> upstream's initial published fixes). That regression affects those
> people who use smbfs only.
>
> Apparently, however, another regression which seems to affect long
> directory listings is present in -etch6 and might lead to -etch7 packages.
New packages have been rolled out which claim to fix the long
directory listings regression. It turned out that a chunk from
upstream's fixes for other regressions was unfortunately forgotten in
-etch6 and -etch7 packages (as well as 3.0.14a-3sarge8 and -sarge9 for
Debian sarge).
As I'm writing this, Debian mirrors should now (soon) have the
3.0.14a-3sarge10 and 3.0.24-6etch8 packages.
A new DSA (Debian Security Advisory) was issued yesterday about this:
DSA-1409-3 for CVE-2007-4572 and CVE-2007-5398 (note the "-3").
Feedback about these packages is currently quite low, so I would suggest
that people run them carefully on their production servers. They
*should* be OK....but former versions should have been as well....:-|