On Thu, 4 Feb 2010 23:18:18 -0800, Steve Langasek wrote:
> severity 568493 important
> thanks
>
> On Fri, Feb 05, 2010 at 01:07:14AM -0500, Michael Gilbert wrote:
> > package: samba
> > version: 2:3.4.5~dfsg-1
> > severity: critical
> >
> > hi, a zero-day remote access exploit has been demonstrated using a
> > vulnerability in samba [0]. the only info to go on right now is a
> > rather blurry video demonstrating the exploit in action as well as the
> > code modified. i know this isn't a lot to go on, but hopefully it's
> > enough info to figure out the problem.
> >
> > mike
> >
> > [0] http://seclists.org/fulldisclosure/2010/Feb/82
>
> Why are you presuming to file critical-severity bugs for an unconfirmed
> vulnerability if you can't even give a description of what that
> vulnerability is?
when issues are disclosed, they should be tracked so they can be fixed, regardless of how much information is presently available or whether it has been "confirmed", by which i think you actually mean reproduced. the only way to consider this unconfirmed is if the video were faked, which is a possibility. however, we should err on the side of caution and assume that it is real until proven otherwise.

debian bug severity critical: [...] or introduces a security hole on systems where you install the package.

> you allow untrusted users anonymous access to a Samba share, they can read
> any files on the system that your guest user (i.e., user 'nobody') can read.

no, if you watch the video closely (also see [0]), you can see that they have read access to pretty much any file on the system (i.e. /etc/passwd) and write access to any location writable by the account they connect under.

> That's a bug, it should be fixed, but its impact isn't release-critical.

it's your call, but i disagree.

mike

[0] http://seclists.org/fulldisclosure/2010/Feb/99
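The precondition both sides of this exchange argue over is a share that untrusted users can reach anonymously, running as the guest account ('nobody' by default). The script below is an added example, not code from this thread, from Samba or from Debian: it parses an smb.conf and lists which shares accept a connection without a password, whether each is writable, and which account the guest session runs as. The configuration it reads is constructed for the example; the parser follows smb.conf conventions (sections, `key = value`, comment lines starting with `#` or `;`, the parameter synonyms `public`/`guest ok` and `writeable`/`write ok`/`writable`, and share settings overriding `[global]`). It only tells you where the thread's precondition holds; it says nothing about what the guest account can then reach on the filesystem, which is what the video claims to show.

```python
import re

# Constructed smb.conf used as sample input (not taken from the bug report or the video).
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   security = user
   ; failed logins with an unknown username become guest sessions
   map to guest = Bad User
   guest account = nobody

[homes]
   comment = Home Directories
   browseable = no
   writable = yes

[public]
   path = /srv/samba/public
   ; 'public' is a synonym for 'guest ok'
   public = yes
   read only = no

[docs]
   path = /srv/samba/docs
   guest ok = yes
   read only = yes

[finance]
   path = /srv/samba/finance
   valid users = @finance
   writable = yes
"""

# Samba accepts several spellings for the same parameter; fold them to one name.
SYNONYMS = {
    "public": "guest ok",
    "writeable": "writable",
    "write ok": "writable",
}


def _norm_key(key):
    key = re.sub(r"\s+", " ", key.strip().lower())
    return SYNONYMS.get(key, key)


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}} with lower-cased names."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        # smb.conf comments are whole lines starting with '#' or ';'
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[section][_norm_key(key)] = value.strip()
    return conf


def _is_yes(value):
    return value is not None and value.strip().lower() in ("yes", "true", "1")


def _effective(conf, share, param, default):
    """Share-level value wins, then [global], then Samba's default."""
    if param in conf.get(share, {}):
        return conf[share][param]
    return conf.get("global", {}).get(param, default)


def _is_writable(conf, share):
    # 'read only' and 'writable' are inverses; the most specific scope that sets either wins.
    for scope in (conf.get(share, {}), conf.get("global", {})):
        if "writable" in scope:
            return _is_yes(scope["writable"])
        if "read only" in scope:
            return not _is_yes(scope["read only"])
    return False  # Samba default is 'read only = yes'


def anonymous_shares(conf):
    """Shares that accept a passwordless (guest) connection, with writability and guest account."""
    guest_account = conf.get("global", {}).get("guest account", "nobody")
    findings = []
    for share in conf:
        if share == "global":
            continue
        if _is_yes(_effective(conf, share, "guest ok", "no")):
            findings.append({"share": share,
                             "writable": _is_writable(conf, share),
                             "runs_as": guest_account})
    return findings


def map_to_guest_widens(conf):
    """True when 'map to guest' turns failed logins into guest sessions as well."""
    value = conf.get("global", {}).get("map to guest", "never").strip().lower()
    return value in ("bad user", "bad password", "bad uid")


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    for f in anonymous_shares(conf):
        mode = "read/write" if f["writable"] else "read-only"
        print(f"[{f['share']}] reachable anonymously, {mode}, acting as '{f['runs_as']}'")
    if map_to_guest_widens(conf):
        print("map to guest is set: failed logins are mapped to the guest account too")
```

Run it against `/etc/samba/smb.conf` by replacing the constructed sample; on the sample it reports `public` (read/write) and `docs` (read-only) as anonymously reachable, both acting as `nobody`. A share listed here is exactly the situation the reply above describes: an untrusted user who gets a guest session, and whatever that account can read or write is then in scope.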