[csw-users] Security Vulnerabilities in Samba.

Jeremiah Johnson jeremiah.johnson at gmail.com
Fri Jul 20 18:33:48 CEST 2007


On 7/20/07, Dennis Clarke <dclarke at blastwave.org> wrote:
>
> > Bogdan,
> >
> > Thanks for pointing that out.  Patches like that are what maintainers
> > are good for.  If there are problems, the maintainer should include
> > that patch and release it.  I personally would rather see more
> > frequent releases that fix problems, than waiting 6+ months for an
> > update.  There is a stable and unstable branch, and afaict the
> > unstable version is still that older version.  I realize that much
> > testing goes into each release, but I also realize that there is only
> > so much testing a volunteer can do.  Without accepting input from the
> > user base at large you'll constantly end up in situations like this.
> > The stable branch is supposed to be updated only every 3 months, and
> > unstable constantly, but I'm not seeing any visible action in unstable
> > with regards to samba.
> >
> > Ken,
> >
> > Thanks, I appreciate it.  Sun and SFW have released updates, but our
> > maintenance policy is a bit odd for installing sun patches which is why
> > we're using Blastwave.
> >
>
>   I want to thank you for bringing this issue to our attention.  I have always
> wanted to perform a complete package audit just to see what is out of date
> and to what degree.  The very idea makes me shudder because there are
> nearly 1700 software packages at Blastwave now.  We know that 50% of them
> have not been touched in a year.  Possibly longer.
>
>   If you are willing to work with me I am dragging down the stable release
> of samba now.  I have the following sources on hand here now :
>
> # ls -l samba*
> -rw-r--r--   1 fredrik  csw      17542009 Feb 24  2006 samba-3.0.21c.tar.gz
> -rw-r--r--   1 fredrik  csw      17542657 Jun 21  2006 samba-3.0.22.tar.gz
> -rw-r--r--   1 dclarke  other    17677551 Jul 10  2006 samba-3.0.23.tar.gz
> -rw-r--r--   1 dclarke  other    18160223 Jun 26 16:34 samba-3.0.25b.tar.gz
>
> There you see my name on the previous release source kit and the new one. I
> simply wanted to make sure that we have both around here to be compliant
> with the GNU licenses.
>
> I am going to take a first pass build of these new sources and if and when I
> get a package together perhaps you can test it with me.
>
> Thanks for your patience and your understanding in this issue.
>
> Dennis Clarke
> Founder Blastwave.org
> dclarke at opensolaris.org


Sure, let me know when a package is ready and I will start testing it
out.  If you'd like I wouldn't mind taking a look at the entire
package set and seeing what's out of date.  As well as helping
Blastwave to establish a better security response system.

-miah


