Quoting Gerald (Jerry) Carter ([EMAIL PROTECTED]):
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> ==========================================================
> ==
> == Subject: Boundary failure when parsing SMB responses
> ==          can result in a buffer overrun
> ==
> == CVE ID#: CVE-2008-1105

I think that Debian users might benefit from the following:

The maintainers of samba packages in Debian are working on updates wrt this issue. A bug has already been reported to track it in Debian BTS and, as with all security issues in Debian, it is tracked by the Debian security team.

I've already prepared packages for 3.0.30, which will be uploaded to Debian unstable ASAP. These packages have a high priority so they should be built for all architectures in priority by Debian autobuilders, then enter Debian testing 2 days after the upload (in theory: some autobuilders are slow).

Packages for Debian etch (which includes 3.0.24) have been built without problems. We'll do some regression testing (but, as everybody knows, that's pretty complicated for samba given the number of possible use cases) and they'll be uploaded to be reviewed by the Debian security team. Of course, the usual Debian security announcements will be sent when things are ready.

*There will not be any official Debian packages for sarge* (which has 3.0.14a). The sarge release is no longer supported by Debian and the Debian security team, and users should upgrade to etch. For samba, this is the first time we won't issue sarge packages (last CVE issues happened when sarge was still supported).
