| Summary: | <net-fs/samba-{4.1.22,4.2.7,4.3.3} - <sys-libs/ldb-1.1.24: Multiple vulnerabilities (CVE-2015-{3223,5252,5296,5299,5330,7540,8467}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Brian Evans (RETIRED) <grknight> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | samba |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B3 [glsa cve] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 578498 | | |
| Bug Blocks: | | | |
Description
Brian Evans (RETIRED)
2015-12-16 13:43:25 UTC
```
commit c0a1144a4485149c25782a5b3b4dfddaca79dbcd
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Wed Dec 16 14:57:40 2015

    sys-libs/ldb: Security bump to version 1.1.24 (bug #568432).

    Package-Manager: portage-2.2.26
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

commit 066e135c8b38e4d7960abbfbf446e43775c792f6
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Wed Dec 16 15:17:47 2015

    net-fs/samba: Security bump to versions 4.1.22, 4.2.7 and 4.3.3

    See also bug #568432

    Package-Manager: portage-2.2.26
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
```

Okay guys... we're now at that very unpleasant point where we must decide how to further handle samba packages: As this bug report clearly states, all of our stable samba packages are affected by one or more of these CVEs. Thus we need to get some 4.x samba version stable, or we remove (/mask?) all stable samba packages and thus won't provide any samba package for stable users anymore. I have neither the time nor the technical samba background knowledge to handle the task of stabilizing such an unthankful and complex package as samba unfortunately is.

We can stabilize the libraries for now, and we will see what to do with samba later.

Arches, please test and mark stable:

=sys-libs/ldb-1.1.24
=sys-libs/talloc-2.1.5
=sys-libs/tevent-0.9.26
=sys-libs/tdb-1.3.8

Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

amd64 stable

x86 stable

Why exactly is it that samba 4 cannot go stable?

(In reply to Jeroen Roovers from comment #5)
> Why exactly is it that samba 4 cannot go stable?

Let's make it stable

(In reply to Víctor Ostorga from comment #6)
> (In reply to Jeroen Roovers from comment #5)
> > Why exactly is it that samba 4 cannot go stable?
>
> Let's make it stable

If you want to cause more problems like https://forums.gentoo.org/viewtopic-t-1036156.html then go ahead.

Sorry that I cannot add anything constructive here, but when we stabilize samba-4 before it has multilib support we are going to make a lot of users even more unhappy.

(In reply to Lars Wendler (Polynomial-C) from comment #7)
> (In reply to Víctor Ostorga from comment #6)
> > (In reply to Jeroen Roovers from comment #5)
> > > Why exactly is it that samba 4 cannot go stable?
> >
> > Let's make it stable
>
> If you want to cause more problems like
> https://forums.gentoo.org/viewtopic-t-1036156.html
> then go ahead.
>
> Sorry that I cannot add anything constructive here but when
> we stabilize samba-4 before it got multilib support we are going to make a
> lot of users even more unhappy.

There will always be problems; that's why we are here, to fix them. Multilib is still being worked on. I am reaching out to upstream to check how to fix it, but right now some samba software was not created with multilib in mind.

I vote to make samba 4 stable, even with the problems that would arise. Samba 3 is dead upstream.

ppc stable

ppc64 stable

arm stable

ia64 stable

alpha stable

sparc stable

(In reply to Lars Wendler (Polynomial-C) from comment #7)
> (In reply to Víctor Ostorga from comment #6)
> > (In reply to Jeroen Roovers from comment #5)
> > > Why exactly is it that samba 4 cannot go stable?
> >
> > Let's make it stable
>
> If you want to cause more problems like <vague forum reference>

I thought we had a bug tracker for tracking bugs. In this case we should have an additional tracker bug to track those, maybe?

Stable for HPPA.

Following up on this bug. Version 3.6.25 is vulnerable unless I missed some patching. 4.X still makes for bug-fixing.

@ Security: Please vote!

GLSA Vote: No

(In reply to Yury German from comment #17)
> Following up on this bug.
> Version 3.6.25 is vulnerable unless I missed some patching. 4.X still makes
> for bug-fixing.

As Yury mentioned, 3.6.25 is vulnerable.

@maintainers, now that 4.2.11 is stable, can 3.6.25 be removed?

GLSA Vote: No

This issue was resolved and addressed in GLSA 201612-47 at https://security.gentoo.org/glsa/201612-47 by GLSA coordinator Aaron Bauman (b-man).