Hello,

We are currently running SAMBA 2.07 on our AIX 4.3.3 UNIX systems. We just received the following:

OpenPKG Security Advisory OpenPKG-SA-2003.028: samba - remote root exploit

Does this affect SAMBA 2.07? This is all that I see affected:

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2003.028                                          07-Apr-2003
________________________________________________________________________

Package:             samba
Vulnerability:       remote root exploit
OpenPKG Specific:    no

Affected Releases:   Affected Packages:          Corrected Packages:
OpenPKG CURRENT      <= samba-2.2.8-20030405     >= samba-2.2.8a-20030407
OpenPKG 1.2          <= samba-2.2.7a-1.2.1       >= samba-2.2.7a-1.2.2
OpenPKG 1.1          <= samba-2.2.5-1.1.2        >= samba-2.2.5-1.1.3

What are your recommendations? I realize we are downlevel (2.07) but is this level affected by the "remote root exploit"? Should we upgrade, and if so, to which level? 2.2.7? 2.2.8? Is the upgrade transparent (i.e. is this a fairly simple process or involved)?

Thank you for your prompt response. Feel free to call me or e-mail me with any questions you may have.

- Robert

Developer Relations
IBM Austin
Bldg: 08 8B-065
buckner@us.ibm.com
Phone: 512~823~6708 (T/L 793~6708)
Cell: 512~632~5791

On Tuesday 08 April 2003 22:33, Robert Buckner wrote:
> We are currently running SAMBA 2.07 on our AIX 4.3.3 UNIX systems. We just
> received the following:
>
> OpenPKG Security Advisory OpenPKG-SA-2003.028: samba - remote root exploit
>
> Does this affect SAMBA 2.07? This is all that I see affected:

Yes, this bug has been in samba for quite some years.

> What are your recommendations? I realize we are downlevel (2.07) but is
> this level affected by the "remote root exploit"? Should we upgrade, and if
> so, to which level? 2.2.7? 2.2.8? Is the upgrade transparent (i.e. is this
> a fairly simple process or involved)?

2.0.7 is affected. You should upgrade to 2.0.10 (with 2.0.10a patch), or to 2.2 (though that might break some things and thus require more time to upgrade).

Jelmer

--
Jelmer Vernooij <jelmer@nl.linux.org> - http://nl.linux.org/~jelmer/
22:35:19 up 7:32, 7 users, load average: 0.34, 0.30, 0.27

On Tue, Apr 08, 2003 at 03:33:52PM -0500, Robert Buckner wrote:
> Hello,
>
> We are currently running SAMBA 2.07 on our AIX 4.3.3 UNIX systems. We just
> received the following:
>
> OpenPKG Security Advisory OpenPKG-SA-2003.028: samba - remote root exploit
>
> Does this affect SAMBA 2.07? This is all that I see affected:

Yes, it will affect Samba 2.0.7. The patch posted for 2.0.10 may apply reasonably cleanly to 2.0.7 - I'd be interested in your feedback on that.

Thanks,

Jeremy.

jra@dp.samba.org [mailto:jra@dp.samba.org]
> On Tue, Apr 08, 2003 at 03:33:52PM -0500, Robert Buckner wrote:
> > Does this affect SAMBA 2.07? This is all that I see affected:
>
> Yes, it will affect Samba 2.0.7. The patch posted for 2.0.10
> may apply reasonably cleanly to 2.0.7 - I'd be interested in
> your feedback on that.

I can testify that the patch applies cleanly to 2.0.7. No compilation issues so far, either. Haven't had time to run any execution tests yet.

Thanks
PG
--
Paul Green, Senior Technical Consultant, Stratus Technologies.
Voice: +1 978-461-7557; FAX: +1 978-461-3610; Video on request.