[csw-users] Security Vulnerabilities in Samba.
dclarke at blastwave.org
Fri Jul 20 19:44:17 CEST 2007
> On 7/20/07, Jens Langner <J.Langner at fzd.de> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>> Hi Jeremiah,
>> Jeremiah Johnson wrote:
>> > Thanks, I appreciate it. Sun and SFW have released updates, but our
>> > maintenance policy is a bit odd for installing sun patches which is why
>> > we're using Blastwave.
>> Can you please elaborate where to get those Sun/SFW updates from?
>> Because out of the sunsolve document you have linked us to, I can't see
>> where one can get the SFW updates. In there the issue is still under
>> investigation and not closed.
>> BTW: We also once used the blastwave samba packages instead of the ones
>> from SFW. However, in our large 100+ users environment they proved to be
>> substantially slower (less performant) than the ones supplied by SFW. I
>> dunno why, but perhaps the SFW packages are compiled with a higher
>> optimization enabled.
>> - --
>> Jens Langner Ph: +49-351-2602757
>> Forschungszentrum Dresden-Rossendorf e.V.
>> Institute of Radiopharmacy - PET Center J.Langner at fzd.de
>> Germany http://www.fzd.de/
> I apologize, you are correct, the sunsolve article doesn't give a
> complete resolution yet. But there are SFW packages available at the
> sunfreeware site. I am not sure why Sun is dragging their feet on
> this because as far as I can see the Samba packages included with
> Solaris 10 are just SFW packages.
It is a very confusing relationship to be sure.
The software that comes with Solaris 10 may be one or two different things.
It may be from the defunct Companion CD project. This link :
Will show a whole list of unsupported software that comes on the Companion
CD which is no longer updated. I downloaded the Companion CD for Solaris 10
and then checked to see what is really there. See that list at :
If you do a count you will see 120 names there.
At the bottom you see some links to various places but NOT to the 1690+
software packages at Blastwave. That seems to be a competitive attitude
or perhaps a "Not Invented Here" attitude at Sun. I don't know. I do
know that Steve Christensen over at SunFreeware has been doing this for
a million years and he is paid by Sun. I don't know how many software
titles are over there but it is a bunch to be sure. Maybe 300 or more
and they are all built by him.
The software in Solaris 10 seems to be a mixture of things from SunFreeware
as well as from the Companion CD and that is all I know. I am guessing
really but it's probably a good guess.
The software at Blastwave has been built, maintained and delivered to the
Solaris user base, for free, for five years now. It is built by the Solaris
community for the Solaris community and we are doing a pretty good job I
think. Some things do slip through the "up to date" filter however.
Perhaps with some more involvement from the Solaris user community we could
review the current software stack and get all of it into the Subversion
system at Blastwave. See http://svn.blastwave.org for more information on
I will now keep plugging away at the current Samba issue and see if I can
get something out for testing promptly.