Re: [Samba] Debian packages for CVE-2008-1105

2008-05-31 Thread Helmut Hullen
Hello, Nick,

You (nick.boyce) wrote on 29.05.08:

>> I've already prepared packages for 3.0.30, which will be uploaded to
>> Debian unstable ASAP.
>> [...]
>> Packages for Debian etch (which includes 3.0.24) have been built
>> without problems.

> [applause] my sincere thanks to the Debian packagers for this effort
> in such a short time window [/applause]

Hmmm - the Samba-3.0.30 slackware packages for slackware 11.0 and  
slackware-current are always available ... applause too?

And I prefer the actual version, no backport.

Best regards!
Helmut
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] Debian packages for CVE-2008-1105

2008-05-29 Thread Christian Perrier
Quoting Gerald (Jerry) Carter ([EMAIL PROTECTED]):
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> ==
> ==
> == Subject: Boundary failure when parsing SMB responses
> ==  can result in a buffer overrun
> ==
> == CVE ID#: CVE-2008-1105

I think that Debian users might benefit from the following:

The maintainers of samba packages in Debian are working on updates wrt
this issue.

A bug has already been reported to track it in Debian BTS and, as all
security issues in Debian, is tracked by the Debian security team.

I've already prepared packages for 3.0.30, which will be uploaded to
Debian unstable ASAP. These packages have a high priority so they
should be built for all architectures in priority by Debian
autobuilders, then enter Debian testing 2 days after the upload (in
theory: some autobuilders are slow).

Packages for Debian etch (which includes 3.0.24) have been built
without problems. We'll do some regression testing (but, as everybody
knows, that's pretty complicated for samba given the number of
possible use cases) and they'll be uploaded to be reviewed by Debian
security team.

Of course, the usual Debian security announcements will be sent when
things are ready.

*There will not be any official Debian packages for sarge* (which has
3.0.14a). The sarge release is no longer supported by Debian and
Debian security team and users should upgrade to etch. For samba, this
is the first time we won't issue sarge packages (last CVE issues
happened when sarge was still supported).



Re: [Samba] Debian packages for CVE-2008-1105

2008-05-29 Thread Nick Boyce
On Thu, May 29, 2008 at 6:34 AM, Christian Perrier [EMAIL PROTECTED] wrote:
> Quoting Gerald (Jerry) Carter ([EMAIL PROTECTED]):
>> ==
>> ==
>> == Subject: Boundary failure when parsing SMB responses
>> ==  can result in a buffer overrun
>> ==
>> == CVE ID#: CVE-2008-1105
[...]
> I've already prepared packages for 3.0.30, which will be uploaded to
> Debian unstable ASAP.
[...]
> Packages for Debian etch (which includes 3.0.24) have been built
> without problems.

[applause] my sincere thanks to the Debian packagers for this effort
in such a short time window [/applause]

Just wondering - given all the improvements (particularly Vista
compatibility) made since 3.0.24 - does anyone know of a backport of
anything later than 3.0.24 for Etch on i386 ?

Cheers
Nick Boyce
-- 
Leave the Olympics in Greece where they belong


Re: [Samba] Debian packages for CVE-2008-1105

2008-05-29 Thread Christian Perrier
Quoting Nick Boyce ([EMAIL PROTECTED]):

(please keep applause for the moment we will upload the fixed packages
for etch. I haven't done this yet...3.0.30 is in unstable now, though)

> Just wondering - given all the improvements (particularly Vista
> compatibility) made since 3.0.24 - does anyone know of a backport of
> anything later than 3.0.24 for Etch on i386 ?

Maybe check on backports.org but, IIRC, there is no one maintaining
such backports for samba there.

I think that simply rebuilding the current lenny packages would work:

In /etc/apt/sources.list on an etch machine:

deb-src http://ftp.fr.debian.org/debian sid main contrib non-free

Then:
apt-get update
apt-get source samba
cd samba-3.0.30
dpkg-checkbuilddeps

.../... install all packages needed to build as reported

debuild

If you want to build in a clean environment (recommended if you make
such packages available to other users), you should use pbuilder to
build in a dedicated and clean chroot.


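
The "install all packages needed to build as reported" step in the rebuild procedure above, as an added example that is not part of the original message: a small filter that turns `dpkg-checkbuilddeps` output into a package list you can review before installing. The function name `missing_build_deps` and the sample output line are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn dpkg-checkbuilddeps output into a reviewable package list.
# The function name and the sample line below are constructed for illustration.

# Reads dpkg-checkbuilddeps output on stdin, prints one package name per line.
missing_build_deps() {
    # Keep only the "Unmet build dependencies" line; newer dpkg versions
    # insert "error: " after the program name, older ones do not.
    sed -nE 's/^dpkg-checkbuilddeps: (error: )?Unmet build dependencies: //p' |
    # Drop version constraints such as "(>= 5.0.0)", then for alternatives
    # "a | b" keep only the first choice.
    sed -E -e 's/ *\([^)]*\)//g' -e 's/ *\| *[^ ]+//g' |
    tr -s ' ' '\n' |
    # Pass through only tokens that look like Debian package names, so that
    # nothing unexpected reaches a command later run as root.
    { grep -E '^[a-z0-9][a-z0-9+.-]+$' || true; }
}

# Constructed sample output (not captured from a real build).
sample='dpkg-checkbuilddeps: Unmet build dependencies: debhelper (>= 5.0.0) libcups2-dev | libcupsys2-dev libkrb5-dev (>= 1.3) libpam0g-dev'

printf '%s\n' "$sample" | missing_build_deps
```

In the source directory, feed it `dpkg-checkbuilddeps 2>&1` and read the resulting list before passing it to `apt-get install`.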