fixing CVE-2018-1050 in samba 3.3.6

To: pkg-samba-maint@lists.alioth.debian.org
Cc: debian-lts@lists.debian.org
Subject: fixing CVE-2018-1050 in samba 3.3.6
From: Holger Levsen <holger@layer-acht.org>
Date: Wed, 21 Mar 2018 22:01:19 +0000
Message-id: <[🔎] 20180321220119.wivsvptwqypo7svq@layer-acht.org>

Dear samba maintainers,

the fix for CVE-2018-1050 (eg from 4.5.12+dfsg-2+deb9u) applies cleanly
on 3.6.6-6+deb7u15, however CVE-2018-1050 says that only versions >4.0.0
are affected.

Since (afaics) there is no known exploit I cannot really test this, but
I believe 3.6.6-6+deb7u15 is also vulnerable and the ">4.0.0" is only
claimed to be non-affected because the samba developers don't support
< 4.0.0 anymore. Is that the case?

What's your recommendation what should be done here? To me it seems we
should fix 3.6.6 in oldoldstable and then also notify others that <4.0.0
is vulnerable, but I have no idea how to best communicate the latter.

Comments much appreciated.


-- 
cheers,
	Holger

Attachment: signature.asc
Description: PGP signature

Reply to:

Follow-Ups:
- Re: fixing CVE-2018-1050 in samba 3.3.6
  - From: Mathieu Parent <math.parent@gmail.com>
- Re: [Pkg-samba-maint] fixing CVE-2018-1050 in samba 3.3.6
  - From: Andrew Bartlett <abartlet@samba.org>

Prev by Date: Re: tiff / CVE-2018-7456
Next by Date: March Report
Previous by thread: Re: Patch for CVE-2018-7490 in uwsgi
Next by thread: Re: fixing CVE-2018-1050 in samba 3.3.6
Index(es):
- Date
- Thread