[Samba] Debian packages fixing CVE-2009-0022 are available

Christian Perrier bubulle at debian.org
Tue Jan 6 06:09:15 GMT 2009


Quoting Karolin Seeger (kseeger at samba.org):

>    o CVE-2009-0022
>      In Samba 3.2.0 to 3.2.6, in setups with registry shares enabled,
>      access to the root filesystem ("/") is granted
>      when connecting to a share called "" (empty string)
>      using old versions of smbclient (before 3.0.28).


The Debian Samba packaging team uploaded 2:3.2.5-3 packages to
Debian unstable yesterday. They include the fix for CVE-2009-0022.

These packages should enter Debian lenny (the next-to-come Debian
release) very soon.

Please note that 3.2.7 packages will not be provided in Debian
lenny. Because of the freeze in preparation for lenny, we stopped the
counter at 3.2.5. 

We do, however, provide *unofficial* packages of 3.2.6 (and soon 3.2.7) as
announced in
http://www.perrier.eu.org/weblog/2008/12/21#samba-backports
(again, this is not an official service by Debian, only a courtesy
service by the packagers, on a best effort basis).




