On Fri, Mar 23, 2018 at 07:03:42AM +1300, Andrew Bartlett wrote: > > Since (afaics) there is no known exploit I cannot really test this, but > > I believe 3.6.6-6+deb7u15 is also vulnerable and the ">4.0.0" is only > > claimed to be non-affected because the samba developers don't support > > < 4.0.0 anymore. Is that the case? > No, that isn't how we write our advisories. great! (though I would consider it a valid approach, if clearly stated) > The code does appear to be > in 3.6 so hopefully you get a researched answer to your query on the > bug. > > > What's your recommendation what should be done here? To me it seems we > > should fix 3.6.6 in oldoldstable and then also notify others that <4.0.0 > > is vulnerable, but I have no idea how to best communicate the latter. > > This was always a very minor concern, a DoS in a non-default > configuration. > > The patch still applies but the DoS becomes a self-DoS (kill your own > connection) unless those options are set (which is rare, in my view). ok, its exploitable, just not with default options. So I think its worth fixing. Thanks! -- cheers, Holger
Attachment:
signature.asc
Description: PGP signature