Re: [Samba] Debian packages for CVE-2008-1105
Hello, Nick,

you (nick.boyce) wrote on 29.05.08:

>> I've already prepared packages for 3.0.30, which will be uploaded to
>> Debian unstable ASAP.
>> [...]
>> Packages for Debian etch (which includes 3.0.24) have been built
>> without problems.

> [applause]
> my sincere thanks to the Debian packagers for this effort in such a
> short time window
> [/applause]

Hmmm - the Samba-3.0.30 slackware packages for slackware 11.0 and slackware-current are always available ... applause too?

And I prefer the actual version, no backport.

Best regards!
Helmut

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Debian packages for CVE-2008-1105
Quoting Gerald (Jerry) Carter ([EMAIL PROTECTED]):

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> ==
> ==
> == Subject: Boundary failure when parsing SMB responses
> ==          can result in a buffer overrun
> ==
> == CVE ID#: CVE-2008-1105

I think that Debian users might benefit from the following:

The maintainers of samba packages in Debian are working on updates wrt this issue. A bug has already been reported to track it in Debian BTS and, as all security issues in Debian, is tracked by the Debian security team.

I've already prepared packages for 3.0.30, which will be uploaded to Debian unstable ASAP. These packages have a high priority so they should be built for all architectures in priority by Debian autobuilders, then enter Debian testing 2 days after the upload (in theory: some autobuilders are slow).

Packages for Debian etch (which includes 3.0.24) have been built without problems. We'll do some regression testing (but, as everybody knows, that's pretty complicated for samba given the number of possible use cases) and they'll be uploaded to be reviewed by Debian security team.

Of course, the usual Debian security announcements will be sent when things are ready.

*There will not be any official Debian packages for sarge* (which has 3.0.14a). The sarge release is no longer supported by Debian and Debian security team and users should upgrade to etch. For samba, this is the first time we won't issue sarge packages (last CVE issues happened when sarge was still supported).
Re: [Samba] Debian packages for CVE-2008-1105
On Thu, May 29, 2008 at 6:34 AM, Christian Perrier [EMAIL PROTECTED] wrote:

> Quoting Gerald (Jerry) Carter ([EMAIL PROTECTED]):
>
>> ==
>> ==
>> == Subject: Boundary failure when parsing SMB responses
>> ==          can result in a buffer overrun
>> ==
>> == CVE ID#: CVE-2008-1105
>
> [...]
> I've already prepared packages for 3.0.30, which will be uploaded to
> Debian unstable ASAP.
> [...]
> Packages for Debian etch (which includes 3.0.24) have been built
> without problems.

[applause]
my sincere thanks to the Debian packagers for this effort in such a short time window
[/applause]

Just wondering - given all the improvements (particularly Vista compatibility) made since 3.0.24 - does anyone know of a backport of anything later than 3.0.24 for Etch on i386 ?

Cheers
Nick Boyce
--
Leave the Olympics in Greece where they belong
Re: [Samba] Debian packages for CVE-2008-1105
Quoting Nick Boyce ([EMAIL PROTECTED]):

(please keep applause for the moment we will upload the fixed packages for etch. I haven't done this yet...3.0.30 is in unstable now, though)

> Just wondering - given all the improvements (particularly Vista
> compatibility) made since 3.0.24 - does anyone know of a backport of
> anything later than 3.0.24 for Etch on i386 ?

Maybe check on backports.org but, IIRC, there is no one maintaining such backports for samba there.

I think that simply rebuilding the current lenny packages would work:

In /etc/apt/sources.list on an etch machine:

    deb-src http://ftp.fr.debian.org/debian sid main contrib non-free

Then:

    apt-get update
    apt-get source samba
    cd samba-3.0.30
    dpkg-checkbuilddeps
    .../... install all packages needed to build as reported
    debuild

If you want to build in a clean environment (recommended if you make such packages available to other users), you should use pbuilder to build in a dedicated and clean chroot.