I was a little shocked to realise that the package in Wheezy hasn't had the CVE-2013-0172 fix applied.
What I've done is test in a git tree with a backported set of patches, using the test we designed to check this issue. I've then bundled these patches into a Debian package, and built it.

The source and binary packages are at: http://abartlet.net/samba4-debian/

I've also installed them and watched the (very nice, thank you) auto-configuration just work. I've then run the same test to prove the security issue is fixed, so what I'm looking for from here is some help getting this into Debian.

If I've done this all correctly, then I'll rev the experimental package from 4.0.0 to 4.0.3, catching both the security fix and our first maintenance release.

Finally, someone will need to port these across to Ubuntu, so I've CC'ed the ubuntu-motu list in the hope that someone can pick this up, or at least be aware of the issue.

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
