Bug 323785 (CVE-2010-2063) - <net-fs/samba-3.3.13: Samba Memory Corruption Vulnerability (CVE-2010-2063)
Summary: <net-fs/samba-3.3.13: Samba Memory Corruption Vulnerability (CVE-2010-2063)
Status: RESOLVED FIXED
Alias: CVE-2010-2063
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.samba.org/samba/security/C...
Whiteboard: B1 [glsa]
Keywords:
Duplicates: 324271
Depends on: CVE-2009-2906 331943 332063
Blocks:
Reported: 2010-06-13 14:59 UTC by Matthias Geerdsen (RETIRED)
Modified: 2012-06-24 13:05 UTC (History)

Attachments
Patch for 3.0 (CVE-2010-2063_samba-3.0.patch,1.20 KB, patch)
2010-06-13 15:02 UTC, Matthias Geerdsen (RETIRED)
patch for 3.3 (CVE-2010-2063_samba-3.3.patch,1.06 KB, patch)
2010-06-13 15:02 UTC, Matthias Geerdsen (RETIRED)

Description Matthias Geerdsen (RETIRED) gentoo-dev 2010-06-13 14:59:08 UTC
** Please note that this issue is confidential at the moment and no information
should be disclosed until it is made public **

The upcoming version of Samba (scheduled June 16) will fix a vulnerability in function chain_reply() in source\smbd\process.c.

3.4.X and upwards are not affected
Comment 1 Matthias Geerdsen (RETIRED) gentoo-dev 2010-06-13 15:02:12 UTC
Created attachment 235183 [details, diff]
Patch for 3.0
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2010-06-13 15:02:33 UTC
Created attachment 235185 [details, diff]
patch for 3.3
Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2010-06-13 15:05:23 UTC
Patrick, please prepare ebuilds using the patches and attach them to the bug for testing, but do not commit anything to the tree yet.

** Please note that this issue is confidential at the moment and no information
should be disclosed until it is made public **
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2010-06-16 20:35:04 UTC
Opening this bug, since it went public today, see $URL.

Samba team, there is still 3.0.37 in the tree, which is vulnerable and the only stable version for some arches.
Please provide an ebuild with the patches or update to the newer version.
Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev 2010-06-16 20:35:31 UTC
*** Bug 324271 has been marked as a duplicate of this bug. ***
Comment 6 Víctor Ostorga (RETIRED) gentoo-dev 2010-06-18 21:07:15 UTC
I'll take a look at those patches. Actually autoconf is failing miserably with samba 3.2.15
Comment 7 Víctor Ostorga (RETIRED) gentoo-dev 2010-06-23 17:12:33 UTC
This has been fixed in samba-3.2.15-r1 and samba-3.0.37-r1
@security : please proceed
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2010-08-02 10:57:07 UTC
Thanks, Victor. What stabilization guidelines do you use here? Do you want arches that have 3.4.x stable to stabilize the older, fixed versions as well? Please call for arches the way you want. :)
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2010-08-04 07:28:39 UTC
(In reply to comment #8)
> Thanks, Victor. What stabilization guidelines do you use here? Do you want
> arches that have 3.4.x stable to stabilize the older, fixed versions as well?
> Please call for arches the way you want. :)

 For x86 I would like it with both versions stabilised.
Comment 10 Christian Faulhammer (RETIRED) gentoo-dev 2010-08-04 07:31:59 UTC
(In reply to comment #9)
> (In reply to comment #8)
> > Thanks, Victor. What stabilization guidelines do you use here? Do you want
> > arches that have 3.4.x stable to stabilize the older, fixed versions as well?
> > Please call for arches the way you want. :)
> 
>  For x86 I would like it with both versions stabilised.

 Correction (sorry for the bugspam): Only for the 3.0 series, as we have no 3.2 version stable.
Comment 11 Christian Faulhammer (RETIRED) gentoo-dev 2010-08-05 07:45:06 UTC
x86 stable
Comment 12 Markos Chandras (RETIRED) gentoo-dev 2010-08-06 18:08:28 UTC
amd64 done but I don't quite see the point here since 3.4.6 is already stabled
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2010-08-07 16:02:08 UTC
alpha/arm/ia64/s390/sh/sparc stable
Comment 14 Jeroen Roovers (RETIRED) gentoo-dev 2010-08-09 17:58:45 UTC
@Maintainers, security:

Please spare us arch devs from having to deduce what to do from all the clues spread through several comments, finding out what comments are actually authoritative and finally surmising what amounts to something like this:

Arch teams, please test and mark stable:
=net-fs/samba-3.0.37-r1
Target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
=net-fs/samba-3.2.15-r1
Target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 15 Víctor Ostorga (RETIRED) gentoo-dev 2010-08-09 20:13:58 UTC
(In reply to comment #14)
> @Maintainers, security:
> 
> Please spare us arch devs from having to deduce what to do from all the clues
> spread through several comments, finding out what comments are actually
> authoritative and finally surmising what amounts to something like this:
> 
> Arch teams, please test and mark stable:
> =net-fs/samba-3.0.37-r1
> Target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
> =net-fs/samba-3.2.15-r1
> Target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
> 

Sorry for being late guys, the history is as follows:

samba-3.0.37-r1 needs to be stabilized, because there is a previously stable and vulnerable ebuild for samba-3.0.37.

samba-3.2.15-r1 does not need to be stabilized, because samba-3.2.15 is not stable.

I'm looking forward to stabilizing the samba-3.5.x series, but a bit of work needs to be done before that, and of course, that is another history and another bug.

In simple words, what needs to be done for THIS bug is:
=net-fs/samba-3.0.37-r1
Target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 16 Brent Baude (RETIRED) gentoo-dev 2010-08-10 18:08:50 UTC
ppc64 done
Comment 17 Joe Jezak (RETIRED) gentoo-dev 2010-08-12 01:28:48 UTC
A newer version (3.4.6) was marked stable for ppc, so removing us. If we still need to do something, please let us know.
Comment 18 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-08-12 20:43:29 UTC
HPPA, please go on with stabilizing 3.4.8 in bug 332063.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2012-06-24 13:05:06 UTC
This issue was resolved and addressed in
 GLSA 201206-22 at http://security.gentoo.org/glsa/glsa-201206-22.xml
by GLSA coordinator Sean Amoss (ackle).