Re: Installed samba 2.2.2-11 (i386 source all)
There should really be a (non-private) list that allows for discussion
of security issues in debian, for those concerned. debian-security is
too close to debian-user, with people asking iptables questions and
such; debian-private (where it's currently done) doesn't inform
non-developers, and obviously DSAs are only applicable to stable. It
would be nice to have someplace low traffic to discuss vulnerabilities
(like the rsync --daemon hole that SuSE/EnGarde just announced to
bugtraq, which hasn't had any debian discussion yet), possible
solutions/patches (which may affect only unstable, testing, etc), and to
critique how previous security issues were handled (constructively, of
course).
I would really love to know about things like the smbfs local root
exploit (without having to be warned by someone who's got a shell on one
of my boxes first), and what the progress is w/ getting rsync fixed..
debian-vuln?
On Fri, Jan 25, 2002 at 02:01:33PM -0600, Aaron Lehmann wrote:
>
> On Tue, Jan 22, 2002 at 03:08:52PM -0500, Eloy A. Paris wrote:
> > Urgency: low
> ...
> > * smbmount in the smbfs package does not have the setuid bit set.
> > Apparently, smbmount uses libsmb without checking the environment.
> > Thanks to Christian Jaeger <christian.jaeger@sl.ethz.ch> for
> > finding the local root exploit.
>
> Urgency: low is inappropriate for an upload fixing a root exploit.
> The version in testing is still vulnerable.
>
> Why wasn't the vulnerability even announced publicly other than
> in this changelog?
>
--
"I think a lot of the basis of the open source movement comes from
procrastinating students..."
-- Andrew Tridgell <http://www.linux-mag.com/2001-07/tridgell_04.html>