
Bug#836795: jessie-pu: package samba/2:4.1.17+dfsg-2+deb8u2



Hi Adam,

On Sat, Sep 10, 2016 at 11:16:00AM +0100, Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
> 
> [CC += team@security]
> 
> On Mon, 2016-09-05 at 20:50 +0000, Jelmer Vernooij wrote:
> > I'd like to update Samba in jessie to 4.2.14+dfsg. Debdiff is attached.
> 
> This didn't make it to debian-release, most likely due to the size of
> the debdiff.
> 
> > The 4 Samba releases since 4.2.10 (currently in jessie) only fix
> > important bugs, in particular a CVE (CVE-2016-2119) and various
> > regressions introduced by the security fixes from 4.2.10.
> 
> Has the possibility of releasing this via the security archive been
> discussed? CVE-2016-2119 isn't marked no-dsa in the Security Tracker
> currently and by the sound of it the remaining changes relate to fixes
> for issues in the previous security update.

Thanks for CC'ing. It's right we haven't marked it as no-dsa (yet).
But it's true we asked (originally Andrew Bartlett) to have samba
updated via a point release to address remaining (minor) regressions
introduced by the original fixes. Samba upstream has released several
updates in the meantime and the idea was to have the packages exposed to
wider testing via the jessie-proposed-updates before being
included in stable.

If this is not possible at this stage, it would be great to have it for
the next point release (in that case maybe we can release a targeted
update for CVE-2016-2119 only via a DSA, but it would not be high
priority).

Does this clarify? Our preferred view would be to see samba being
updated to the latest minor update of the 4.2 series to be included in
stable.

Regards,
Salvatore
