[csw-users] Security Vulnerabilities in Samba.
jeremiah.johnson at gmail.com
Fri Jul 20 18:33:48 CEST 2007
On 7/20/07, Dennis Clarke <dclarke at blastwave.org> wrote:
> > Bogdan,
> > Thanks for pointing that out. Patches like that are what maintainers
> > are good for. If there are problems, the maintainer should include
> > that patch and release it. I personally would rather see more
> > frequent releases that fix problems, than waiting 6+ months for a
> > update. There is a stable and unstable branch, and afaict the
> > unstable version is still that older version. I realize that much
> > testing goes into each release, but I also realize that there is only
> > so much testing a volunteer can do. Without accepting input from the
> > user base at large you'll constantly end up in situations like this.
> > The stable branch is supposed to be updated only every 3 months, and
> > unstable constantly, but I'm not seeing any visible action in unstable
> > with regards to samba.
> > Ken,
> > Thanks, I appreciate it. Sun and SFW have released updates, but our
> > maintance policy is a bit odd for installing sun patches which is why
> > we're using Blastwave.
> I want to thank you for bring this issue to our attention. I have always
> wanted to perform a complete package audit just to see what is out of date
> and to what degree. The very idea makes me shudder because there are
> nearly 1700 software packages at Blastwave now. We know that 50% of them
> have not been touched in a year. Possibly longer.
> If you are willing to work with me I am dragging down the stable release
> of samba now. I have the following sources on hand here now :
> # ls -l samba*
> -rw-r--r-- 1 fredrik csw 17542009 Feb 24 2006 samba-3.0.21c.tar.gz
> -rw-r--r-- 1 fredrik csw 17542657 Jun 21 2006 samba-3.0.22.tar.gz
> -rw-r--r-- 1 dclarke other 17677551 Jul 10 2006 samba-3.0.23.tar.gz
> -rw-r--r-- 1 dclarke other 18160223 Jun 26 16:34 samba-3.0.25b.tar.gz
> There you see my name on the previous release source kit and the new one. I
> simply wanted to make sure that we have both around here to be compliant
> with the GNU licenses.
> I am going to take a first pass build of these new sources and if and when I
> get a package together perhaps you can test it with me.
> Thanks for your patience and your understanding in this issue.
> Dennis Clarke
> Founder Blastwave.org
> dclarke at opensolaris.org
Sure, let me know when a package is ready and I will start testing it
out. If you'd like I wouldn't mind taking a look at the entire
package set and seeing whats out of date. As well as helping
Blastwave to establish a better security response system.
More information about the users