Re: UNS: Re: [SECURITY] [DSA 1409-2] New samba packages fix several vulnerabilities

2007-11-27 Thread Steve Kemp
On Tue Nov 27, 2007 at 12:00:05 +1300, Ewen McNeill wrote:
> In message <[EMAIL PROTECTED]>, Steve Kemp writes:
> >Package: samba
> >Vulnerability  : several
> >Problem type   : remote
> >Debian-specific: no
> >CVE Id(s)  : CVE-2007-4572, CVE-2007-5398
> >[...]
> >For the stable distribution (etch), these problems have been fixed in
> >version 3.0.24-6etch7.
> 
> There doesn't appear to be an i386 package for Samba version
> 3.0.24-6etch7 on any of the security.debian.org servers.  Only a
> 3.0.24-6etch6 package.  AMD64 and most other architectures seem to have
> 3.0.24-6etch7 and not 3.0.24-6etch6 packages.


> According to the change log this means that one regression is missing
> in the i386 packages (6etch6):

  That is correct.

  I've built a package now, and will be uploading shortly.  In the
 meantime you can find it here:

http://people.debian.org/~skx/samba/

  I'm not entirely sure whether this fixes all known regressions; there
 seem to be mixed reports, but it is the best we have and the most
 current elsewhere.

Steve
-- 


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: [SECURITY] [DSA 1409-2] New samba packages fix several vulnerabilities

2007-11-26 Thread Ewen McNeill
In message <[EMAIL PROTECTED]>, Steve Kemp writes:
>Package: samba
>Vulnerability  : several
>Problem type   : remote
>Debian-specific: no
>CVE Id(s)  : CVE-2007-4572, CVE-2007-5398
>[...]
>For the stable distribution (etch), these problems have been fixed in
>version 3.0.24-6etch7.

There doesn't appear to be an i386 package for Samba version
3.0.24-6etch7 on any of the security.debian.org servers.  Only a
3.0.24-6etch6 package.  AMD64 and most other architectures seem to have
3.0.24-6etch7 and not 3.0.24-6etch6 packages.

According to the change log this means that one regression is missing
in the i386 packages (6etch6):

-=- cut here -=-
samba (3.0.24-6etch7) stable-security; urgency=low

  * Fix for one final regression related to the fix for CVE-2007-4572,
    pulled from upstream.  Thanks to Santiago Garcia Mantinan
    <[EMAIL PROTECTED]> for catching this.

 -- Steve Langasek <[EMAIL PROTECTED]>  Sat, 24 Nov 2007 02:17:06 -0800
-=- cut here -=-

For example:

-=- cut here -=-
ftp> cd debian-security/pool/updates/main/s/samba/
250 Directory successfully changed.
ftp> ls samba-common*etch*i386*
227 Entering Passive Mode (128,31,0,36,95,228)
150 Here comes the directory listing.
-rw-rw-r-- 1 1176 1176  2381022 May 30 10:30 samba-common_3.0.24-6etch4_i386.deb
-rw-rw-r-- 1 1176 1176  2381196 Nov 15 22:35 samba-common_3.0.24-6etch5_i386.deb
-rw-rw-r-- 1 1176 1176  2381264 Nov 23 13:25 samba-common_3.0.24-6etch6_i386.deb
226 Directory send OK.
ftp> ls samba-common*etch*amd64*
227 Entering Passive Mode (128,31,0,36,172,122)
150 Here comes the directory listing.
-rw-rw-r-- 1 1176 1176  2596688 Jun 01 07:00 samba-common_3.0.24-6etch4_amd64.deb
-rw-rw-r-- 1 1176 1176  2595582 Nov 22 20:45 samba-common_3.0.24-6etch5_amd64.deb
-rw-rw-r-- 1 1176 1176  2597004 Nov 24 11:05 samba-common_3.0.24-6etch7_amd64.deb
226 Directory send OK.
ftp> 
-=- cut here -=-

(But the same thing seems to be true for the entire samba suite.)

Will new i386 packages be built?  Or does that regression not affect i386?

Ewen

