
Re: Well - and kernel 2.4.18?



Greetings,

On Sunday 03 April 2005 23:16, Jan Lühr wrote:
> Greetings,
>
> On Sunday 03 April 2005 22:57, Harald Krammer wrote:
> > Hi Jan,
> > I had the same question but this is a while ago.  At the moment I use
> > kernel 2.4.27 from backport.org.
> >
> > Here is the link from the old thread:
> > http://lists.debian.org/debian-security/2005/01/threads.html#00201
>
> Me, too ;)
> However, I gave you some *explanation* that time ;-)
> However,
> Btw. I'm quite worried about the shape of Debian's security.
> Take CAN-2004-1154 "[SECURITY] [DSA 701-1] New samba packages fix
> arbitrary code execution" for instance.
> Fixed in Samba: 15th December 2004 (with 3.0.10 from samba.org)
> Fixed in SuSE:  22nd December 2004
> Fixed in Woody: 31st March 2005
>
> That ain't good.

Furthermore - it might be an important issue:

Is Samba going to be the next Mozilla?
The Samba 2.2 tree is obsolete and not provided with upstream fixes.[1]
The recently fixed issue may be harmful (although I haven't seen any public
exploits yet). On securityfocus it is characterized as a possible _remote_
_root_ exploit.
"An attacker with access to an SMB share may leverage this issue to overwrite 
the heap of the affected process, facilitating code execution with superuser 
privileges." [1]
Imho, this ain't very serious - but noticeably serious, 'cause 2004-1154 is the
one and only listed "common bug" for 3.0.10 and, apart from two minor changes,
3.0.10 is a bugfix release for 1154 [3].

Furthermore, Sarge is not frozen yet, thus praising the lord for no Samba
exploits coming up 'til Sarge releases is foolish in my opinion.

So what will Debian do? 
Samba is an integral part of many Debian servers out there...

Keep smiling
yanosz

[1] http://us1.samba.org/samba/history/samba-2.2.12.html
[2] http://www.securityfocus.com/bid/11973/discussion/
[3] http://us1.samba.org/samba/history/samba-3.0.13.html


