Additional vulnerability in SAMBA <=3.0.7
Hi,
it seems that samba <=3.0.7 contains an additional, more severe
vulnerability besides the DoS described in
http://www.gentoo.org/security/en/glsa/glsa-200411-21.xml

According to
http://security.e-matters.de/advisories/132004.html ,
samba <=3.0.7 contains a vulnerability that allows remote code injection
and execution.
This has been fixed in samba 3.0.8 as well, but no advisory has been
released, since the samba developers believed the bug to be
non-exploitable.

Marc

--
gentoo-security@gentoo.org mailing list
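A quick defender-side check for the range the thread names (samba <=3.0.7 affected, fixed in 3.0.8). This is an added example, not code from the list or from the Samba project; it parses the "Version x.y.z" line that `smbd -V` prints, and the sample strings are constructed.

```python
"""Classify a Samba version string against the <=3.0.7 affected range.

Added example (not from the mailing list). Assumes the input is the
output of ``smbd -V``, which prints a line like "Version 3.0.7".
Pre-release suffixes (e.g. "3.0.8pre1") are treated as older than the
numbered release, since they predate the fix shipped in 3.0.8.
"""
import re
from typing import Optional, Tuple

# First release carrying the fix, as stated in the thread.
FIXED_VERSION = (3, 0, 8)

_VERSION_RE = re.compile(r"Version\s+(\d+)\.(\d+)\.(\d+)([A-Za-z0-9]*)")


def parse_smbd_version(output: str) -> Optional[Tuple[int, int, int, str]]:
    """Return (major, minor, patch, suffix) from `smbd -V` output, or None."""
    match = _VERSION_RE.search(output)
    if not match:
        return None
    major, minor, patch, suffix = match.groups()
    return int(major), int(minor), int(patch), suffix.lower()


def is_affected(output: str) -> Optional[bool]:
    """True if the build predates 3.0.8, False if fixed, None if unparsable."""
    parsed = parse_smbd_version(output)
    if parsed is None:
        return None
    numeric, suffix = parsed[:3], parsed[3]
    if numeric < FIXED_VERSION:
        return True
    # "3.0.8pre1" / "3.0.8rc2" were cut before the final 3.0.8 release.
    if numeric == FIXED_VERSION and suffix.startswith(("pre", "rc")):
        return True
    return False


if __name__ == "__main__":
    # Constructed sample outputs, not captured from real hosts.
    for sample in ("Version 3.0.7", "Version 3.0.8", "Version 3.0.8pre1"):
        print(f"{sample!r}: affected={is_affected(sample)}")
```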
Re: Additional vulnerability in SAMBA <=3.0.7
Hi,

GLSA 200411-21 will be updated shortly and I think a Samba advisory is coming.

On Monday 15 November 2004 12:14, Marc Ballarin wrote:
> Hi,
> it seems that samba <=3.0.7 contains an additional, more severe
> vulnerability besides the DoS described in
> http://www.gentoo.org/security/en/glsa/glsa-200411-21.xml
>
> According to
> http://security.e-matters.de/advisories/132004.html ,
> samba <=3.0.7 contains a vulnerability that allows remote code injection
> and execution.
> This has been fixed in samba 3.0.8 as well, but no advisory has been
> released, since the samba developers believed the bug to be
> non-exploitable.
>
> Marc
>
> --
> gentoo-security@gentoo.org mailing list

--
Sune Kloppenborg Jeppesen (Jaervosz)
Operational Manager
Gentoo Linux Security Team
Re: Additional vulnerability in SAMBA <=3.0.7
Hello list,

Is it me, or does it just seem like there are lots of bugs, vulns, and
problems with Samba 3.x?

I would have preferred to stay with 2 (having no need for the extra features
of 3), but the ebuilds dried up a while ago.

> GLSA 200411-21 will be updated shortly and I think a Samba advisory is
> coming.
>
> On Monday 15 November 2004 12:14, Marc Ballarin wrote:
> > Hi,
> > it seems that samba <=3.0.7 contains an additional, more severe
> > vulnerability besides the DoS described in
> > http://www.gentoo.org/security/en/glsa/glsa-200411-21.xml
> >
> > According to
> > http://security.e-matters.de/advisories/132004.html ,
> > samba <=3.0.7 contains a vulnerability that allows remote code injection
> > and execution.
> > This has been fixed in samba 3.0.8 as well, but no advisory has been
> > released, since the samba developers believed the bug to be
> > non-exploitable.
> >
> > Marc
> >
> > --
> > gentoo-security@gentoo.org mailing list

--

Random Russian saying: A lizard on a cushion will still seek leaves.

jabber: jcalum@umtstrial.co.uk
pgp: http://gk.umtstrial.co.uk/~calum/keys.php
Linux 2.6.7-hardened-r7 12:21:20 up 1 day, 1:54, 1 user, load average: 0.10,
0.15, 0.09

--
gentoo-security@gentoo.org mailing list
Re: Additional vulnerability in SAMBA <=3.0.7

Calum wrote:

| Hello list,
|
| Is it me, or does it just seem like there are lots of bugs, vulns,
| and problems with Samba 3.x?
|
| I would have preferred to stay with 2 (having no need for the extra
| features of 3), but the ebuilds dried up a while ago.
|
This is one of my main questions before having Gentoo on my servers.
What is the lifetime of ebuilds? Will I still be able to maintain PHP4
in two years, or will I have to upgrade to PHP5 even if I don't want
new features?

- --
Christophe Garault


--
gentoo-security@gentoo.org mailing list
Re: Additional vulnerability in SAMBA <=3.0.7
On Monday 15 November 2004 12:50, Christophe Garault wrote:
>
> This is one of my main questions before having Gentoo on my servers.
> What is the lifetime of ebuilds? Will I still be able to maintain PHP4
> in two years, or will I have to upgrade to PHP5 even if I don't want
> new features?

I wonder the same thing. I am building a server that will be very hard and
expensive for me to access if anything goes wrong with the networking.

I have the same questions - devfs and udev is the one I am asking myself
currently. If I need to upgrade the kernel at some stage due to some exploit,
or whatever, and devfs is dropped, do I trust myself to swap over to udev
remotely, and get the device name changes perfect remotely?

Or do I go for a slightly less mature udev now?

Is there any policy document that says "Gentoo will move to UDEV (or PHP5, or
Samba 4 etc) after 29th April 2005" ?

Calum

--

Random Russian saying: A drop hollows out a stone.

jabber: jcalum@umtstrial.co.uk
pgp: http://gk.umtstrial.co.uk/~calum/keys.php
Linux 2.6.7-hardened-r7 12:58:45 up 1 day, 2:31, 1 user, load average: 0.25,
0.09, 0.04

--
gentoo-security@gentoo.org mailing list
Re: Additional vulnerability in SAMBA <=3.0.7

Christophe Garault wrote:
| Calum wrote:
|
| | Hello list,
| |
| | Is it me, or does it just seem like there are lots of bugs, vulns,
| | and problems with Samba 3.x?
| |
| | I would have preferred to stay with 2 (having no need for the extra
| | features of 3), but the ebuilds dried up a while ago.
| |
| This is one of my main questions before having Gentoo on my servers.
| What is the lifetime of ebuilds? Will I still be able to maintain PHP4
| in two years, or will I have to upgrade to PHP5 even if I don't want
| new features?

Hopefully this won't be a problem for long. klieber would be able to elaborate
more, but this is one of goals of GLEP 19[1].

[1] GLEP 19 - Gentoo Stable Portage Tree
~ http://www.gentoo.org/proj/en/glep/glep-0019.html

Cheers
- --
gentoo-security@gentoo.org mailing list



- --
It would be nice to be sure of anything the way some people are of everything.

Aaron Walker < ka0ttic@gentoo.org > http://dev.gentoo.org/~ka0ttic/
Gentoo/BSD | cron | shell-tools http://butsugenjitemple.org/~ka0ttic/


--
gentoo-security@gentoo.org mailing list
Re: Additional vulnerability in SAMBA <=3.0.7
On Mon, 15 Nov 2004, Calum wrote:
> On Monday 15 November 2004 12:50, Christophe Garault wrote:
>>
>> This is one of my main questions before having Gentoo on my servers.
>> What is the lifetime of ebuilds? Will I still be able to maintain
>> PHP4 in two years, or will I have to upgrade to PHP5 even if I don't
>> want new features?
>
> I wonder the same thing. I am building a server that will be very hard
> and expensive for me to access if anything goes wrong with the
> networking.
>
> I have the same questions - devfs and udev is the one I am asking
> myself currently. If I need to upgrade the kernel at some stage due to
> some exploit, or whatever, and devfs is dropped, do I trust myself to
> swap over to udev remotely, and get the device name changes perfect
> remotely?
>
> Or do I go for a slightly less mature udev now?

Most of the systems that I have encountered in a role where physical
access is limited do not need either devfs or udev - if nobody can get
to it, hotswapping USB/Firewire devices is not going to be a priority,
and devfs/udev isn't actually required even for hotswap (it just makes
it a whole lot easier). Personally, one of my annoyances with Gentoo is
that it complains if you don't have either (but it doesn't require udev
be executed, so I've installed it simply to have less panicky boots.)

On the other hand, my answer on the main question - nowhere near long
enough for any serious use, at the moment. Personally, I think there's
a need for a new set of keywords, for 'enterprise stable'. I don't see
this happening until many of the devs are full-time paid staff, however.
After all, supporting old versions is extra work, and it's not something
the devs are personally interested in doing.

Ed

--
gentoo-security@gentoo.org mailing list
Re: Additional vulnerability in SAMBA <=3.0.7
On Mon, 2004-11-15 at 16:56 +0000, Ed Grimm wrote:
> Personally, one of my annoyances with Gentoo is
> that it complains if you don't have either (but it doesn't require udev
> be executed, so I've installed it simply to have less panicky boots.)
Try adding gentoo=nodevfs to your kernel line. SELinux doesn't support
either of devfs or udev, and I manage just fine without either
installed.


--
gentoo-security@gentoo.org mailing list
Re: Additional vulnerability in SAMBA <=3.0.7
On Monday 15 November 2004 14:21, Calum wrote:
> On Monday 15 November 2004 12:50, Christophe Garault wrote:
> > This is one of my main questions before having Gentoo on my servers.
> > What is the lifetime of ebuilds? Will I still be able to maintain
> > PHP4 in two years, or will I have to upgrade to PHP5 even if I don't
> > want new features?
>
> I wonder the same thing. I am building a server that will be very hard
> and expensive for me to access if anything goes wrong with the
> networking.
>
> I have the same questions - devfs and udev is the one I am asking
> myself currently. If I need to upgrade the kernel at some stage due to
> some exploit, or whatever, and devfs is dropped, do I trust myself to
> swap over to udev remotely, and get the device name changes perfect
> remotely?
>
> Or do I go for a slightly less mature udev now?
>
> Is there any policy document that says "Gentoo will move to UDEV (or
> PHP5, or Samba 4 etc) after 29th April 2005" ?

We don't have that kind of policy document. Unfortunately the way to
operate "enterprise" gentoo is the following:

Create your own tree (from a certain stable point) that you manually copy
security fixes and local changes in. For the rest don't change the tree.
The default gentoo tree is like a moving target.

If you do this you have hit the metadistribution part of gentoo. It gives
the building blocks for your own distribution, and makes it a lot easier,
but does not make it plain simple, or no work at all.

Paul

--
Paul de Vrieze
Gentoo Developer
Mail: pauldv@gentoo.org
Homepage: http://www.devrieze.net
Re: Additional vulnerability in SAMBA <=3.0.7
On Monday 15 November 2004 13:50, Christophe Garault wrote:
> This is one of my main questions before having Gentoo on my servers.
> What is the lifetime of ebuilds? Will I still be able to maintain PHP4
> in two years, or will I have to upgrade to PHP5 even if I don't want
> new features?

We are currently working on implementing GLEP 19 which might be of interest to
you:

http://www.gentoo.org/proj/en/glep/glep-0019.html

--
Sune Kloppenborg Jeppesen (Jaervosz)
Operational Manager
Gentoo Linux Security Team
Re: Additional vulnerability in SAMBA <=3.0.7
On Tue, 30 Nov 2004 10:09:22 +0100, Sune Kloppenborg Jeppesen
<jaervosz@gentoo.org> wrote:
> On Monday 15 November 2004 13:50, Christophe Garault wrote:
> > This is one of my main questions before having Gentoo on my servers.
> > What is the lifetime of ebuilds? Will I still be able to maintain PHP4
> > in two years, or will I have to upgrade to PHP5 even if I don't want
> > new features?
>
> We are currently working on implementing GLEP 19 which might be of interest to
> you:
>
> http://www.gentoo.org/proj/en/glep/glep-0019.html
>

Hi !

I've read the GLEP and I was wondering where I could apply or who to
contact to see if I could be any help to this GLEP. I'm using gentoo
on our production server and I would be glad to help to provide a
stable tree but I do not know who to contact. If anyone would give me
pointers to where to look that would be great.

Thanks

Jean-Francois

P.S. Sorry Sune about the personal email, I didn't check to see if
gmail was replying to the list but for some weird reason it listed
your email instead of the mailing list.

> --
> Sune Kloppenborg Jeppesen (Jaervosz)
> Operational Manager
> Gentoo Linux Security Team
>
>
>

--
gentoo-security@gentoo.org mailing list
Re: Additional vulnerability in SAMBA <=3.0.7
On Tuesday 30 November 2004 16:03, Jean-Francois Gagnon Laporte wrote:
> Hi !
>
> I've read the GLEP and I was wondering where I could apply or who to
> contact to see if I could be any help to this GLEP. I'm using gentoo
> on our production server and I would be glad to help to provide a
> stable tree but I do not know who to contact. If anyone would give me
> pointers to where to look that would be great.

As I wrote to Jean-Francois personally, currently Kurt Lieber
(klieber@gentoo.org) is coordinating our efforts (or at least maintaining our
mail alias) so anyone interested should contact him.

--
Sune Kloppenborg Jeppesen (Jaervosz)
Operational Manager
Gentoo Linux Security Team