Quoting Moritz Muehlenhoff ([email protected]):
> Package: smbfs
> Severity: grave
> Tags: security
>
> This is CVE-2009-3297:
> https://bugzilla.samba.org/show_bug.cgi?id=6853
>
> /usr/share/doc/smbfs/TODO.Debian states:
> There is concern about the setuid status of binaries in this package.
> The audit status of the concerned binaries is unclear. We should
> figure out whether it is reasonable to provide the flexible user mount
> capabilities or whether a more restricted setup is better, at least by
> default.
>
> Given that Jeremy Allison writes in the bug above you should probably
> drop the setuid for Squeeze:
My concern here is that it would definitely be a regression for users who rely on user mounting of CIFS volumes. A compromise could be a debconf question about adding the setuid bit to mount.cifs (with a default to False, of course). Steve, your advice?
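The thread is about whether mount.cifs should ship setuid. As an added example that is not part of the original bug report or reply, the script below shows how an administrator can audit the current setuid status of the helper and how to pin a non-setuid (or, if user mounting is wanted, setuid) mode persistently with dpkg-statoverride so the choice survives package upgrades. The path /sbin/mount.cifs is assumed; the statoverride command is printed for review rather than executed.

```shell
#!/bin/sh
# Added example (not from the original thread): audit the setuid bit on a
# binary and show the Debian mechanism for pinning its mode across upgrades.
# Assumed path for the smbfs helper: /sbin/mount.cifs

# is_setuid PATH
#   Prints "setuid" or "not-setuid" for an existing file (exit 0),
#   or "missing" with exit 1 if the path does not exist.
is_setuid() {
    if [ ! -e "$1" ]; then
        echo "missing"
        return 1
    fi
    # POSIX test -u: true when the setuid bit is set on the file
    if [ -u "$1" ]; then
        echo "setuid"
    else
        echo "not-setuid"
    fi
}

# statoverride_cmd MODE PATH
#   Prints the dpkg-statoverride invocation that makes MODE persistent for
#   PATH (0755 drops the setuid bit; 4755 restores it). Printing instead of
#   running lets the change be reviewed before it is applied as root.
statoverride_cmd() {
    printf 'dpkg-statoverride --update --add root root %s %s\n' "$1" "$2"
}

# Report on the real helper if installed; harmless when it is absent.
is_setuid /sbin/mount.cifs || true
# The command an admin would run to keep mount.cifs non-setuid by default.
statoverride_cmd 0755 /sbin/mount.cifs
```

On a system where user mounting is genuinely required, the same mechanism with mode 4755 records that decision explicitly instead of relying on whatever mode the package ships.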

