[Samba] Debian packages for CVE-2008-1105

Christian Perrier bubulle at debian.org
Thu May 29 05:34:36 GMT 2008


Quoting Gerald (Jerry) Carter (jerry at samba.org):
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> ==========================================================
> ==
> == Subject:     Boundary failure when parsing SMB responses
> ==              can result in a buffer overrun
> ==
> == CVE ID#:     CVE-2008-1105

I think that Debian users might benefit from the following:

The maintainers of samba packages in Debian are working on updates wrt
this issue.

A bug has already been reported to track it in Debian BTS and, as all
security issues in Debian, is tracked by the Debian security team.

I've already prepared packages for 3.0.30, which will be uploaded to
Debian unstable ASAP. These packages have a high priority so they
should be built for all architectures in priority by Debian
autobuilders, then enter Debian testing 2 days after the upload (in
theory: some autobuilders are slow).

Packages for Debian etch (which includes 3.0.24) have been built
without problems. We'll do some regression testing (but, as everybody
knows, that's pretty complicated for samba given the number of
possible use cases) and they'll be uploaded to be reviewed by the Debian
security team.

Of course, the usual Debian security announcements will be sent when
things are ready.

*There will not be any official Debian packages for sarge* (which has
3.0.14a). The sarge release is no longer supported by Debian and
Debian security team and users should upgrade to etch. For samba, this
is the first time we won't issue sarge packages (last CVE issues
happened when sarge was still supported).
