Hi, there was an announcement of a security lack in samba. Does somebody know something about a SuSE samba rpm or a patch? Reinhard.
Hello Reinhard,
there is a patch on the SuSE FTP-servers since yesterday. I assume there will be a security announcement today or tomorrow if it is an important bug. Anyway, just run Yast Online-Update and you will get the newest rpm.
HTH, Armin
--
Am Hasenberg 26                 office: Institut für Atmosphärenphysik
D-18209 Bad Doberan                     Schloss-Straße 6
Tel. ++49-(0)38203/42137                D-18225 Kühlungsborn / GERMANY
Email: schoech@iap-kborn.de             Tel. +49-(0)38293-68-102
WWW: http://armins.cjb.net/             Fax. +49-(0)38293-68-50
Hi
there was an announcement of a security lack in samba. Does somebody know something about a SuSE samba rpm or a patch?
Reinhard.
Yes - but only for the Enterprise products at this time I assume.

-------- Original Message --------
Subject: Maintenance Support Information {285f090d92ca61da35ead9977cfe9f0e}
Date: Tue, 18 Mar 2003 19:27:27 +0100
From: maintenance-info@suse.de

Title: Security update for Samba (package samba)
http://sdb.suse.de/en/psdb/html/285f090d92ca61da35ead9977cfe9f0e.html
_______________________________________________________
Applies to Product(s): SuSE Linux Enterprise Server 7 for IA32, SuSE Linux Office Server
Package: samba
Release: 20030318
Obsoletes: none

Indications
This patch should be applied to all systems with the Samba file and print services installed.

Contraindications
None.

Problem description
The SuSE Security Team performed a security audit of parts of the Samba package and discovered various bugs. Among these bugs an exploitable buffer overflow in the packet fragment re-assembly code has been found. It can be used by a remote attacker to gain root privileges. This strongly recommended update fixes these problems. Samba would also handle long passwords incorrectly, resulting in a buffer overflow. For this reason this version also restricts the password length to a maximum of 128 characters.

Solution
Please install the updates provided at the location noted below. Remember to update the package samba-classic as described in article "Security update for Samba (package samba-classic)" (http://sdb.suse.de/en/psdb/html/200e6de175ab5bb0464bfa94fb9346a9.html) or samba-ldap as described in article "Security update for Samba (package samba-ldap)" (http://sdb.suse.de/en/psdb/html/105d6d20f33108cfb380c9edbb4852a0.html) (depending on your setup) as well.

Installation notes
This update is provided as an RPM package that can easily be installed onto a running system by using this command:
rpm -Fhv samba.rpm
_______________________________________________________
Please use the following links to download the packages:
SuSE Linux Enterprise Server 7 for IA32 (i386):
http://sdb.suse.de/download/i386/update/SuSE-SLES/7/rpm/samba-20030318.rpm
SuSE Linux Office Server (i386):
http://sdb.suse.de/download/i386/update/SuSE-SLOS/1.0/rpm/samba-20030318.rpm
Yes - but only for the Enterprise products at this time I assume.
Nono. All packages should be available now. Marc Heuse will send the announcement in 2 hours. This is business as usual, so no worries. Roman.
But why does it take so long (4-5 days)? This is a serious security update. Is there some extra work after recompiling?
--
Ivan Gustin
But why does it take so long (4-5 days)? This is a serious security update. Is there some extra work after recompiling?

Not all packages can be compiled at once for all architectures and all SuSE versions. When the announcement is released, all of them (or at least most) have been built (because the MD5 sums are in the announcement). I guess newer and more common versions are built before sparc or older SuSE release packages. SuSE puts up the packages as soon as they are built, and you can usually find them using YOU or fou4s a few days before the announcement.
On Mar 19, Ivan Gustin wrote:
But why does it take so long (4-5 days)? This is a serious security update. Is there some extra work after recompiling?

Not all packages can be compiled at once for all architectures and all SuSE versions. When the announcement is released, all of them (or at least most) have been built (because the MD5 sums are in the announcement). I guess newer and more common versions are built before sparc or older SuSE release packages. SuSE puts up the packages as soon as they are built, and you can usually find them using YOU or fou4s a few days before the announcement.
The packages are actually built in parallel on all architectures. Time
gets lost with preparing the packages and testing them. There are more
products than SuSE Linux, and many of them have a samba package. Now if a
package has a malfunction, you must extrapolate the effect of the defect.
There were some oddities that had to be checked out before we release the
packages, and testing took us a long long time.
Basically, we were ahead of the schedule (and we basically still are).
It's just that the samba people checked in a (disguised) patch to their
public CVS, and that caused exploits to pop up like mushrooms. So they had
to go public earlier, and we were not ready yet.
Thanks,
Roman.
--
Roman Drahtmüller
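The installation notes earlier in the thread apply the update with rpm -Fhv, and Markus notes that the MD5 sums of the built packages are published in the announcement. As an added example (not code from the thread or from SuSE), this POSIX shell script checks a downloaded update RPM against the announced MD5 sum and the package's embedded signature before freshening the installed package; it assumes GNU md5sum and rpm are on the path and that the SuSE package signing key has already been imported into the rpm keyring.

```shell
#!/bin/sh
# Added example, not from the thread: verify a downloaded SuSE update RPM
# before applying it with "rpm -Fhv". Assumes GNU coreutils md5sum and rpm.
# The expected sum is copied by hand from the security announcement mail.

# verify_md5 FILE EXPECTED_MD5 -> returns 0 only when the file's sum matches.
# The expected value is lower-cased so a sum pasted in upper case still works.
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "MD5 mismatch for $file: got $actual, expected $expected" >&2
    return 1
}

# install_update FILE EXPECTED_MD5 -> freshen the installed package only
# after both the announced checksum and the RPM signature/digests check out.
install_update() {
    verify_md5 "$1" "$2" || return 1
    # rpm --checksig verifies the signature and digests embedded in the package;
    # it needs the vendor's signing key in the rpm keyring (assumed imported).
    rpm --checksig "$1" >/dev/null 2>&1 || { echo "bad signature: $1" >&2; return 1; }
    rpm -Fhv "$1"
}

# Usage (the sum below is a placeholder; take the real one from the announcement):
# install_update samba-20030318.rpm 00000000000000000000000000000000
```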
I love the transparency guys

Regards,
Michael Sim
SLI MIS Central
Phone: 32 16 800 369
Fax: 32 16 800 398

-----Original Message-----
From: Roman Drahtmueller [mailto:draht@suse.de]
Sent: Wednesday, March 19, 2003 10:45 AM
To: Markus Gaugusch
Cc: SuSE-Security
Subject: Re: [suse-security] Samba 2.2.8
Usually the version of a software package is not upgraded in SuSE (and most other distributions), but the security fixes are backported to the version that was in the stable release (of SuSE). I guess SuSE will run some internal tests if the software package still works and then put the updated package and announcement to public. I consider 4 days not too bad compared with other distributions (OK, Debian only needed around one day for an updated package).

peace (well sigh),
Tom

Ivan Gustin wrote:
But why does it take so long (4-5 days)? This is a serious security update. Is there some extra work after recompiling?
-- Ivan Gustin
On Mar 19, Michael Rauter wrote:
there was an announcement of a security lack in samba. Does somebody know something about a SuSE samba rpm or a patch?

Yes - but only for the Enterprise products at this time I assume.

No, fou4s found and downloaded samba updates for all my SuSE machines (at least 8.1 and 7.2), I installed them this morning.

Markus
--
__________________
/"\  Markus Gaugusch
\ /  ASCII Ribbon Campaign   markus@gaugusch.at
 X   Against HTML Mail
/ \
participants (8)
- "Habichtsberg, R."
- Armin Schoech
- Ivan Gustin
- Markus Gaugusch
- Michael Rauter
- Mike Sim
- Roman Drahtmueller
- Thomas Seliger