
Re: samba woody



What about something like this 5-minute change?:

Template: samba/security_warning
Type: boolean
Default: false
Description: Warning! Serious Warning!
 This version of samba contains remotely exploitable SERIOUS vulnerabilities!
 If you continue the install You will definitely be a target of CRACKING
 activity!
 DO NOT INSTALL THIS VERSION OF SAMBA UNLESS YOU KNOW WHAT YOU ARE DOING!
 If You don't know why you are going to install this version, you should
 check your Debian version and security fixes lists (e.g. /etc/apt/sources.list)
 and the Debian Security announcements! Do not use the testing release if You
 cannot afford to keep up with the latest news!!!
 Do You really want to install this vulnerable version of samba?

and a db_get samba/security_warning in the preinst script...

BTW, it could be standardized across packages that dpkg would
invoke such a dialog for every package marked with such a note.

I know your reasons not to include a bad version, but here are some reasons
from the practical side:

- Many users do not read security mailing lists
- Many users have their reasons to use the unstable/testing distribution (e.g.
  libc6 compatibility issues with some non-Debian software)
- They also need to be secure
- Or at least, we should push some warning to them
- Or at least, we should maintain some "extra" security effort for the
  following packages:
  exim, sendmail, apache, php, mysql, samba, ftpd, proftpd, POP3 daemons. These are the
  main packages, and if they have a _remotely_ exploitable security hole,
  then it is bad policy to leave these packages in (even the unstable)
  distro.
boldizsar

On Mon, 30 Jun 2003, Matt Zimmerman wrote:

> On Tue, Jul 01, 2003 at 12:39:29AM +0200, Bencsath Boldizsar wrote:
>
> > Do You (We) really, surely want to include buggy samba 2.2.3a-12, more than
> > half a year old, in the 'testing' release?
> > I already know one guy with a 1-week-old 'testing' Debian hacked through
> > samba. (I know, it's -12.3 on security for stable, and samba is not secure at
> > all, but I think this one needs an upgrade ASAP...)
>
> I am pleased to hear of your interest in helping to improve Debian testing.
> Here are some links to get you started in your efforts to help get a new
> version of samba into testing:
>
> http://buildd.debian.org/fetch.php?&pkg=samba&ver=3.0.0beta1-1&arch=arm&stamp=1055147113&file=log&as=raw
>
> http://bugs.debian.org/cgi-bin/pkgreport.cgi?which=pkg&data=slapd&sev-inc=critical&sev-inc=grave&sev-inc=serious
>
> http://bugs.debian.org/cgi-bin/pkgreport.cgi?which=pkg&data=acl&sev-inc=critical&sev-inc=grave&sev-inc=serious
>
> All of those things need to be fixed in order to get a new samba into
> testing.
>
> --
>  - mdz
>
>
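The preinst hook sketched in the message above (a debconf question whose answer gates the install), written out as an added example; this is not code from the original post or from the samba package. It assumes the template name samba/security_warning from the post and the standard debconf shell bindings in /usr/share/debconf/confmodule; the helper name install_permitted is chosen here so the accept/abort decision can be exercised without a live debconf database.

```shell
#!/bin/sh
# samba.preinst (illustrative): refuse to install unless the administrator
# has explicitly answered "true" to the samba/security_warning question.
set -e

# Decide whether installation may continue, given the debconf answer.
# debconf stores booleans as the strings "true"/"false"; anything other
# than an explicit "true" (including an empty or missing answer) aborts.
# Returns 0 to continue, 1 to abort.
install_permitted() {
    case "$1" in
        true) return 0 ;;
        *)    return 1 ;;
    esac
}

# The actual debconf round trip, run only when dpkg invokes the script.
run_preinst() {
    # Provides db_input, db_go, db_get and sets $RET after each call.
    . /usr/share/debconf/confmodule

    # Ask at priority "critical" so it is shown even at the default
    # frontend priority; db_input returns non-zero when the question is
    # skipped (already seen, or frontend non-interactive), so tolerate that.
    db_input critical samba/security_warning || true
    db_go

    # Fetch the stored answer ("true"/"false") into $RET and act on it.
    db_get samba/security_warning
    if ! install_permitted "$RET"; then
        echo "samba: installation aborted; security warning not acknowledged" >&2
        exit 1
    fi
}

# dpkg calls preinst as "preinst install" or "preinst upgrade <old-version>".
case "$1" in
    install|upgrade) run_preinst "$@" ;;
esac
```

Two consequences worth knowing before shipping a gate like this: with Default: false, a non-interactive frontend (or an unattended install that never sees the dialog) leaves the answer at "false" and the install fails, so anyone automating deployments must preseed samba/security_warning to true; and Debian convention normally puts the db_input/db_go part in the package's config script rather than the preinst, so that all questions are asked up front.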



