On Wed, May 16, 2007 at 06:23:38PM +0200, Christian Perrier wrote:
> Hmmm, OK, that's enough. There are now enough such issues raised to
> prevent us from allowing 3.0.25-1 to migrate to testing too quickly, until
> all this is examined.
>
> As a consequence, I raise the severity of this bug report to make it
> RC. There are probably very few chances that samba migrates to testing
> quickly, because of an untransitioned libc6, but better be careful.
>
> Other samba maintainers and security team: do you think we should do
> something for users of testing? They're left without a decent answer
> to the recent security issues if 3.0.25-1 does not enter testing,
> unless they have the etch security updates listed in their
> sources.list
I haven't looked very closely at what's going on, but I bet the problem is related to the fix for CVE-2007-2444, which changes the way in which samba gets root access when it needs it. It switches from become_root_uid_only() to become_root(). The names of those functions suggest that previously the group membership would not change, but now it might.

The issue sounds like it must be upstream, not Debian-specific. Have you heard anything from them?

I'm not sure what you should do for testing users (or stable, or anybody else), since there currently is no security-fixed version that doesn't break functionality. Figuring out how we can fix this problem in stable is my priority. If we can figure out a way to fix the vulnerabilities without breaking functionality, the secure-testing team ought to be able to help by uploading to testing-security.

noah
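An added example, not Samba's code and not part of this thread, illustrating the distinction the mail draws: a uid-only elevation leaves the caller's primary and supplementary groups in place, while a full elevation switches groups too and therefore has to save and exactly restore the whole credential set afterwards. The function names, the creds struct and MAX_GROUPS are assumptions of this example; the privileged calls need root (or CAP_SETUID/CAP_SETGID) and return -1 otherwise.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define MAX_GROUPS 64   /* assumed upper bound for this example */

/* Every credential a kernel permission check can depend on. */
struct creds {
    uid_t ruid, euid;
    gid_t rgid, egid;
    int ngroups;
    gid_t groups[MAX_GROUPS];
};

int save_creds(struct creds *c) {
    c->ruid = getuid();  c->euid = geteuid();
    c->rgid = getgid();  c->egid = getegid();
    c->ngroups = getgroups(MAX_GROUPS, c->groups);
    return c->ngroups < 0 ? -1 : 0;
}

int creds_equal(const struct creds *a, const struct creds *b) {
    return a->ruid == b->ruid && a->euid == b->euid &&
           a->rgid == b->rgid && a->egid == b->egid &&
           a->ngroups == b->ngroups &&
           memcmp(a->groups, b->groups, (size_t)a->ngroups * sizeof(gid_t)) == 0;
}

/* uid-only elevation: only the effective uid changes, the caller's
 * gid and supplementary groups stay exactly as they were. */
int elevate_uid_only(void) {
    return seteuid(0);
}

/* Full elevation: effective uid, effective gid and the supplementary
 * group list all switch to root's; on any failure fall back cleanly. */
int elevate_full(void) {
    if (seteuid(0) != 0) return -1;
    if (setgroups(0, NULL) != 0 || setegid(0) != 0) { seteuid(getuid()); return -1; }
    return 0;
}

/* Put back what was saved, groups first (while still euid 0), then
 * verify the live credentials match the snapshot instead of trusting it. */
int restore_creds(const struct creds *c) {
    struct creds now;
    if (setgroups((size_t)c->ngroups, c->groups) != 0) return -1;
    if (setegid(c->egid) != 0 || seteuid(c->euid) != 0) return -1;
    if (save_creds(&now) != 0) return -1;
    return creds_equal(c, &now) ? 0 : -1;
}
```

Run as root, elevate_full() followed by restore_creds() leaves the credential set identical to the snapshot; as an unprivileged user both return -1 and the credentials are untouched.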