[csw-users] Security Vulnerabilities in Samba.

Dennis Clarke dclarke at blastwave.org
Fri Jul 20 17:40:02 CEST 2007


> Bogdan,
>
> Thanks for pointing that out.  Patches like that are what maintainers
> are good for.  If there are problems, the maintainer should include
> that patch and release it.  I personally would rather see more
> frequent releases that fix problems, than waiting 6+ months for an
> update.  There is a stable and unstable branch, and afaict the
> unstable version is still that older version.  I realize that much
> testing goes into each release, but I also realize that there is only
> so much testing a volunteer can do.  Without accepting input from the
> user base at large you'll constantly end up in situations like this.
> The stable branch is supposed to be updated only every 3 months, and
> unstable constantly, but I'm not seeing any visible action in unstable
> with regards to samba.
>
> Ken,
>
> Thanks, I appreciate it.  Sun and SFW have released updates, but our
> maintenance policy is a bit odd for installing Sun patches which is why
> we're using Blastwave.
>

  I want to thank you for bringing this issue to our attention.  I have always
wanted to perform a complete package audit just to see what is out of date
and to what degree.  The very idea makes me shudder because there are
nearly 1700 software packages at Blastwave now.  We know that 50% of them
have not been touched in a year.  Possibly longer.

  If you are willing to work with me I am dragging down the stable release
of samba now.  I have the following sources on hand here now:

# ls -l samba*
-rw-r--r--   1 fredrik  csw      17542009 Feb 24  2006 samba-3.0.21c.tar.gz
-rw-r--r--   1 fredrik  csw      17542657 Jun 21  2006 samba-3.0.22.tar.gz
-rw-r--r--   1 dclarke  other    17677551 Jul 10  2006 samba-3.0.23.tar.gz
-rw-r--r--   1 dclarke  other    18160223 Jun 26 16:34 samba-3.0.25b.tar.gz

There you see my name on the previous release source kit and the new one. I
simply wanted to make sure that we have both around here to be compliant
with the GNU licenses.

I am going to take a first pass build of these new sources and if and when I
get a package together perhaps you can test it with me.

Thanks for your patience and your understanding in this issue.

Dennis Clarke
Founder Blastwave.org
dclarke at opensolaris.org


