I am trying to do some research on two Samba vulnerabilities: Samba MS-RPC Request Parsing Heap Buffer Overflows (CVE-2007-2446) and Samba Remote Command Injection Vulnerability (CVE-2007-2447). In reading the documentation for these vulnerabilities, it appears that the available patches to fix the problems are for version 3.0.24. I am currently running version 3.0.21 on Solaris 10. Does that mean that the vulnerability does not relate to my version? If not, is there somewhere that I can download the patch for version 3.0.21? If not, and the only way to resolve the vulnerability is to upgrade, are there upgrade documents somewhere? I have installation, but not upgrade documentation.

Thanks

Pati M

"UNIX is user friendly. It's just picky about who it's friends with."

Moss, Patricia wrote:
> I am trying to do some research on two Samba Vulnerabilities; Samba
> MS-RPC Request Parsing Heap Buffer Overflows (CVE-2007-2446) and Samba
> Remote Command Injection Vulnerability (CVE-2007-2447). In reading the
> documentation for these vulnerabilities, it appears that the available
> patches, to fix the problems, are for version 3.0.24. I am currently
> running version 3.0.21, on Solaris 10. Does that mean that the
> vulnerability does not relate to my version? If not, is there somewhere
> that I can download the patch for version 3.0.21? If not, and the only
> way to resolve the vulnerability is to upgrade, are there upgrade
> documents somewhere? I have installation, but not upgrade
> documentation. Thanks

All of the security announcements indicate the versions which are impacted. Generally we provide patches for the current release (at the time) and rely upon vendors to backport to their versions.

cheers, jerry