forcemerge 568493 572953
thanks

On Sun, Mar 07, 2010 at 03:00:43PM -0500, Michael Gilbert wrote:
> I probably should have mentioned that this is being tracked in unstable
> as bug #568493.
Yes, which means this is a duplicate bug.  Don't open separate bugs for
stable vs unstable!

On Sun, Mar 07, 2010 at 02:56:05PM -0500, Michael Gilbert wrote:
> package: samba
> version: 2:3.2.5-4
> severity: serious
> tags: security, patch

And it's a duplicate bug filed at severity: serious after I've already
downgraded the other bug report to important.  Until you've read and
understood <http://www.debian.org/Bugs/Developer#severities>, stop filing
bug reports at RC severity.

> I have prepared a lenny package for the samba directory traversal.  Note
> that this introduces a change in default settings.  The package and a
> debdiff are at http://alioth.debian.org/~gilbert-guest/samba.

> These issues are claimed to be fixed in 3.5.0 in unstable, but I have
> not checked.  Please check that.  Please coordinate with the security
> team to release a DSA for lenny.

This bug is neither a privilege escalation nor even a DoS.  If the security
team says they want a DSA for this, I will prepare an update, but I think
it's ridiculous to treat an information leak of world-readable files as a
security vulnerability requiring an update.

On Sat, Feb 06, 2010 at 05:43:23PM +0100, Christian PERRIER wrote:
> Quoting Julien Cristau (jcris...@debian.org):
> > You'd get less snippy emails if you got off your high horse.

> I'm not sure Michael deserves being "bashed" this way.  We disagree in
> some way on the course of actions, but he has always been respectful
> of our work as maintainers.  I suggest we all cool this down.

I don't think filing ill-researched bugs at RC severity is respectful of
maintainers.  The implication is that the maintainers' highest priority
should be to do the follow-through on a bug that he was unwilling to.
So far, on packages I maintain or co-maintain, this has amounted to four
bugs filed at RC severity, *all* of which were inflated or invalid, and one
of which was part of an overbroad mass bugfiling where the package
dependencies should have made it obvious that the bug was not present.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org