Re: [Samba] Security problem with Samba on Linux: situation for Debian

2010-03-10 Thread Jeremy Allison
On Wed, Mar 10, 2010 at 07:07:27AM +0100, Christian PERRIER wrote:
 Quoting Jeremy Allison (j...@samba.org):
  Security problem with Samba on Linux
  
  
  In Samba releases 3.5.0, 3.4.6 and 3.3.11 new code
  was added to fix a problem with Linux asynchronous IO handling.
 
 Situation for Debian:
 
 - Debian stable isn't affected by this issue (we have 3.2.5+patches there)
 - Official backports from www.backports.org aren't affected either (we
   have 3.4.5)
 - Debian unstable has 3.4.7 since yesterday, a few hours after the
   official announcement. As it had 3.4.6 earlier, users of
   Debian unstable *are strongly advised to apt-get upgrade*
 - Debian experimental has 3.5.1 since about the same time. Users who
   follow samba in experimental to have 3.5 should also upgrade
 
 The most important info:
 
 
 - Debian testing (squeeze) *is* affected as of now. By a very, very
   unfortunate sequence of events, yesterday was the day where 3.4.6
   packages that were in unstable aged enough to enter testing.
   And they did. Before I could notice (I happen to do paid work
   during the day..:-))
 
   So, users of Debian testing should either avoid upgrading today if
   they still have 3.4.5 packages or upgrade their systems ASAP
   with the packages uploaded yesterday in unstable (you need to do
   this manually) if they already upgraded to 3.4.6
 
   3.4.7 packages were bumped to high urgency, which means they will
   enter testing by Thursday March 11th (I'm unsure about the exact
   time).
 
 
 I don't think that Ubuntu is affected by all this, even the soon to
 come Lucid, but this is unverified information.


Thanks for all the information on the Debian situation.

I fixed make test yesterday so it can run as root and
will detect and fail the test if smbd has the DAC_OVERRIDE
problem, so we should be safe from any possible regressions
in future.

Thanks,

Jeremy.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
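An added example, not part of the thread and not Samba's own `make test` code: one way to check a running process for the DAC_OVERRIDE condition mentioned above. It assumes the problem is visible as `CAP_DAC_OVERRIDE` in the effective capability set of a process whose filesystem UID is not root; the function names and the sample status texts are constructed for illustration.

```python
import sys

CAP_DAC_OVERRIDE = 1  # capability number from <linux/capability.h>
CAP_SETS = ("CapInh", "CapPrm", "CapEff")

def parse_status(text):
    """Extract name, UIDs and capability masks from /proc/<pid>/status text."""
    info = {"name": "?", "uids": [0, 0, 0, 0]}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Name":
            info["name"] = value
        elif key == "Uid":
            info["uids"] = [int(u) for u in value.split()]  # real, effective, saved, fs
        elif key in CAP_SETS:
            info[key] = int(value, 16)  # masks are printed as hex
    return info

def sets_holding(text, cap=CAP_DAC_OVERRIDE):
    """Names of the capability sets in which bit `cap` is set."""
    info = parse_status(text)
    return [s for s in CAP_SETS if info.get(s, 0) & (1 << cap)]

def overrides_file_permissions(text):
    """True if a non-root filesystem UID still bypasses file permission checks."""
    fsuid = parse_status(text)["uids"][3]
    # Root bypasses DAC anyway; a capability that is only in CapPrm is not active.
    return fsuid != 0 and "CapEff" in sets_holding(text)

# Constructed samples, not captured from a real server.
SAMPLE_BAD = ("Name:\tsmbd\nUid:\t0\t1000\t0\t1000\n"
              "CapInh:\t0000000000000002\nCapPrm:\t00000000ffffffff\nCapEff:\t0000000000000002\n")
SAMPLE_OK = ("Name:\tsmbd\nUid:\t0\t1000\t0\t1000\n"
             "CapInh:\t0000000000000000\nCapPrm:\t00000000ffffffff\nCapEff:\t0000000000000000\n")
SAMPLE_ROOT = ("Name:\tsmbd\nUid:\t0\t0\t0\t0\n"
               "CapInh:\t0000000000000000\nCapPrm:\t00000000ffffffff\nCapEff:\t00000000ffffffff\n")

if __name__ == "__main__":
    # With PIDs as arguments, inspect live processes; otherwise use the samples.
    texts = [open("/proc/%s/status" % p).read() for p in sys.argv[1:]]
    for t in texts or [SAMPLE_BAD, SAMPLE_OK, SAMPLE_ROOT]:
        verdict = "FAIL" if overrides_file_permissions(t) else "ok"
        print(parse_status(t)["name"], verdict, sets_holding(t))
```

Run with the PIDs of the smbd processes that are serving connected users; the root-owned parent is expected to report `ok`.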


[Samba] Security problem with Samba on Linux: situation for Debian

2010-03-09 Thread Christian PERRIER
Quoting Jeremy Allison (j...@samba.org):
 Security problem with Samba on Linux
 
 
 In Samba releases 3.5.0, 3.4.6 and 3.3.11 new code
 was added to fix a problem with Linux asynchronous IO handling.

Situation for Debian:

- Debian stable isn't affected by this issue (we have 3.2.5+patches there)
- Official backports from www.backports.org aren't affected either (we
  have 3.4.5)
- Debian unstable has 3.4.7 since yesterday, a few hours after the
  official announcement. As it had 3.4.6 earlier, users of
  Debian unstable *are strongly advised to apt-get upgrade*
- Debian experimental has 3.5.1 since about the same time. Users who
  follow samba in experimental to have 3.5 should also upgrade

The most important info:


- Debian testing (squeeze) *is* affected as of now. By a very, very
  unfortunate sequence of events, yesterday was the day where 3.4.6
  packages that were in unstable aged enough to enter testing.
  And they did. Before I could notice (I happen to do paid work
  during the day..:-))

  So, users of Debian testing should either avoid upgrading today if
  they still have 3.4.5 packages or upgrade their systems ASAP
  with the packages uploaded yesterday in unstable (you need to do
  this manually) if they already upgraded to 3.4.6

  3.4.7 packages were bumped to high urgency, which means they will
  enter testing by Thursday March 11th (I'm unsure about the exact
  time).


I don't think that Ubuntu is affected by all this, even the soon to
come Lucid, but this is unverified information.

