[Bug 137656] Re: Samba Backport Urgently Needed
Ante Karamatić
ivoks at grad.hr
Thu Sep 6 21:21:21 BST 2007
rvjcallanan wrote:
> I detect from your replies some bad karma between Ubuntu and the Samba
> team. It does seem, with the benefit of hindsight, that the onus is more
> on the Samba side.
I really don't know where you got this feeling, but that's not true.
This has nothing to do with Samba, but with the idea of long-term support.
You can't support something that's always changing.
And, you should do your homework. Security patches in Ubuntu's Samba
3.0.22:
  * SECURITY UPDATE: remote heap overflows, remote command execution.
  * security_ndr-heap-overflows.patch: upstream fixes (CVE-2007-2446)
  * security_remote-command-execution.patch: upstream fixed (CVE-2007-2447)
  * SECURITY UPDATE: priv escalation via crafted AFS share filenames,
    denial of service when renaming a file in deferred open queue.
  * Add 'debian/patches/ubuntu-fix-open-loop.patch': fix infinite loop,
    taken from upstream patch.
    - CVE-2007-0452
  * Add 'debian/patches/ubuntu-fix-afsacl.patch': fix format string
    overflow, taken from upstream patch.
    - CVE-2007-0454
  * SECURITY UPDATE: Remote DoS.
  * Add debian/patches/track_connection_dos.patch:
    - Limit active connections to 2048 to avoid DoS due to unbound array
      growing when tracking active connections.
    - CVE-2006-3403
These are all patches to the default 3.0.22 version. So, we have all
security patches that are included in 3.0.25c, but without new bugs and
features.
What you are asking for isn't a security problem, but a wish for the latest
and greatest. This will not happen in a stable release. You could come up
with the same question for every single package.
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2006-3403
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-0452
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-0454
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-2446
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-2447
--
Samba Backport Urgently Needed
https://bugs.launchpad.net/bugs/137656
You received this bug notification because you are a member of Ubuntu
Backporters, which is the bug contact for Dapper Backports.
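
The message above argues that a stable package's fix status is recorded in its changelog, not in its upstream version number. The following is an added example, not part of the original message or of Ubuntu's tooling: it maps each CVE in the quoted changelog excerpt to the patch that fixes it and audits a list of required CVEs. The function names and the placeholder id CVE-0000-0000 are assumptions.

```python
import re

# Changelog excerpt as quoted in the message above (Ubuntu's Samba 3.0.22).
CHANGELOG = """\
  * SECURITY UPDATE: remote heap overflows, remote command execution.
  * security_ndr-heap-overflows.patch: upstream fixes (CVE-2007-2446)
  * security_remote-command-execution.patch: upstream fixed (CVE-2007-2447)
  * SECURITY UPDATE: priv escalation via crafted AFS share filenames,
    denial of service when renaming a file in deferred open queue.
  * Add 'debian/patches/ubuntu-fix-open-loop.patch': fix infinite loop,
    taken from upstream patch.
    - CVE-2007-0452
  * Add 'debian/patches/ubuntu-fix-afsacl.patch': fix format string
    overflow, taken from upstream patch.
    - CVE-2007-0454
  * SECURITY UPDATE: Remote DoS.
  * Add debian/patches/track_connection_dos.patch:
    - Limit active connections to 2048 to avoid DoS due to unbound array
      growing when tracking active connections.
    - CVE-2006-3403
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
PATCH_RE = re.compile(r"[\w./-]+\.patch")
ENTRY_RE = re.compile(r"^[ \t]*\*[ \t]+", re.M)  # start of a '*' entry


def cve_patches(changelog):
    """Map each CVE id to the patch file named in the same '*' entry."""
    fixes = {}
    for entry in ENTRY_RE.split(changelog):
        patch = PATCH_RE.search(entry)
        for cve in CVE_RE.findall(entry):
            fixes[cve] = patch.group(0) if patch else None
    return fixes


def audit(changelog, required):
    """Split the required CVE ids into (patched, missing) for this package."""
    fixes = cve_patches(changelog)
    patched = {c: fixes[c] for c in required if c in fixes}
    missing = [c for c in required if c not in fixes]
    return patched, missing


if __name__ == "__main__":
    # CVE-0000-0000 is a constructed placeholder for an id the changelog lacks.
    print(audit(CHANGELOG, ["CVE-2007-2446", "CVE-2006-3403", "CVE-0000-0000"]))
```

On an installed system the same text would come from the package's own Debian changelog instead of the embedded excerpt.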