Package: samba
Version: 2:4.2.10+dfsg-0+deb8u1
Severity: Normal

Hello,

the just released security fix, and thus the upgrade from Samba 4.1 to 4.2 in Jessie, introduces another potential security problem.

Consider this (fairly common) scenario: the server isn't running samba at all, but nagios-plugins-standard was installed to monitor (NRPE) other services. nagios-plugins-standard pulls in samba-common (to get smbclient).

So far so good; until now this didn't do anything dangerous, and people most likely allowed all the dependencies/recommendations to be installed. However, this latest version of samba requires the actual samba package to be installed as well if samba-common is present, which of course will install the daemon binaries and start them, potentially exposing the server in question to attacks.

A quick workaround is of course to uninstall samba if one didn't need the functionality in the first place. But a re-packaging in the previous style, or at least a stern warning when pulling samba into a system that only had samba-common before, would be the correct way forward.

Regards,

Christian

--
Christian Balzer
Network/Systems Engineer
ch...@gol.com
Global OnLine Japan/Rakuten Communications
http://www.gol.com/
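A check for the scenario described in the report, written here as an added example (it is not part of the bug report or of the Debian packaging): it flags a host where the samba daemon package has been pulled in next to samba-common and whether smbd is already listening. The package list and socket list are passed in as text so it runs against constructed data; on a live host the assumed inputs are the output of `dpkg-query -W -f '${Package} ${Status}\n'` and `ss -ltn`.

```shell
#!/bin/sh
# Added example, not from the bug report. Audits whether the 'samba' daemon
# package (smbd/nmbd) ended up on a host that only wanted samba-common for
# smbclient, e.g. via nagios-plugins-standard, and whether its ports are
# already open. Feed it real data with:
#   dpkg-query -W -f '${Package} ${Status}\n'   and   ss -ltn   (assumed tools)

# samba_audit PACKAGES SOCKETS -> prints findings; returns 0 if the daemon
# package is present (something to act on), 1 if the host is fine.
samba_audit() {
    pkgs=$1
    socks=$2
    is_installed() { printf '%s\n' "$pkgs" | grep -q "^$1 install ok installed$"; }

    if ! is_installed samba-common; then
        echo "clean: no samba packages at all"
        return 1
    fi
    if ! is_installed samba; then
        echo "ok: only samba-common (smbclient) present, no daemons"
        return 1
    fi
    echo "WARNING: samba daemon package installed alongside samba-common"
    # 139 (NetBIOS session) and 445 (SMB) are the ports smbd listens on
    if printf '%s\n' "$socks" | grep -Eq ':(139|445)[[:space:]]'; then
        echo "EXPOSED: smbd is listening on 139/445; remove with: apt-get remove samba"
    else
        echo "note: daemon package present but not listening yet; it will start on boot"
    fi
    return 0
}

# Constructed sample input mirroring the report's scenario
SAMPLE_PKGS='nagios-plugins-standard install ok installed
samba-common install ok installed
samba install ok installed'
SAMPLE_SOCKS='LISTEN 0 50 0.0.0.0:445 0.0.0.0:*
LISTEN 0 50 0.0.0.0:139 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5666 0.0.0.0:*'

samba_audit "$SAMPLE_PKGS" "$SAMPLE_SOCKS"
```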
the just released security fix and thus upgrade from Samba 4.1 to 4.2 in Jessie introduces another potential security problem. Consider this (fairly common) scenario: Server isn't running samba at all, but nagios-plugins-standard was installed to monitor (NRPE) other services. nagios-plugins-standard pulls in samba-common (to get smbclient). So far so good, until now this didn't do anything dangerous and people most likely allowed all the dependencies/recommendations to be installed. However this latest version of samba requires the actual samba package to be installed as well if samba-common is present, which of course will install the daemon binaries and start them, potentially exposing the server in question to attacks. A quick workaround is of course to un-install samba if one didn't need the functionality in the first place. But a re-packaging in the previous style or at least a stern warning when pulling in samba into a system that only had samba-common before would be the correct way forward. Regards, Christian -- Christian Balzer Network/Systems Engineer ch...@gol.com Global OnLine Japan/Rakuten Communications http://www.gol.com/