samba - Apr 2016 - Debian release version numbers for the April 2016 sec release

On Fri, 2016-04-15 at 15:31 +0100, Rowland penny wrote:
> On 15/04/16 14:54, L.P.H. van Belle wrote:
> > Yeah, i have an output of log level 10 while i do a wbinfo -u.
> > 
> > As for the packages below.
> > 4.1.17, yes, im upgrading these as we speak, but now on hold due to
> > this problem.
> > 
> > 4.2.20 .. error typo, is Version 4.2.10-Debian
> > 
> > 4.3.7.. yeah, but 4.3.8 is not in debian, the 4.3.7 is the package
> > version debian used for the latest CVE fixes.
> 
> OK, just who in Debian cannot read ??? :-D
Rowland, please take more care in your statements.
> If you look here: https://www.samba.org/samba/history/
> 
> It clearly says 'samba-4.3.7 (do not use)' .
> 
> Not to say this is the problem, but it cannot be helping.
This is entirely and totally unrelated.

The regression fixed in the 4.3.8 package is in a patch already
included in Debian's 4.3.7, as they were substantially prepared before
the new tarballs were provided.  Given deadlines and workload before a
fixed embargo release time, the of the *eight* packages released
(including backports of tdb, talloc, ldb and tevent), the three Samba
package for which a late re-release was made were deliberately not re
-made with the new version number.

I hope this clarifies things.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

On 15/04/16 21:06, Andrew Bartlett wrote:
> On Fri, 2016-04-15 at 15:31 +0100, Rowland penny wrote:
>> On 15/04/16 14:54, L.P.H. van Belle wrote:
>>> Yeah, i have an output of log level 10 while i do a wbinfo -u.
>>>
>>> As for the packages below.
>>> 4.1.17, yes, im upgrading these as we speak, but now on hold due to
>>> this problem.
>>>
>>> 4.2.20 .. error typo, is Version 4.2.10-Debian
>>>
>>> 4.3.7.. yeah, but 4.3.8 is not in debian, the 4.3.7 is the package
>>> version debian used for the latest CVE fixes.
>> OK, just who in Debian cannot read ??? :-D
> Rowland, please take more care in your statements.
OK, now I must take you to task Andrew, I was confused, the Samba 
history web page clearly says 'do not use' but debian seems to be using 
the versions that have that epitath, so I said ( in a jocular way, there 
is a laughing smiley at the end) 'OK, just who in Debian cannot read 
???' if that upsets you, well sorry, but it was not meant in that tone.

A quick post to the Samba mailing explaining everything just after the 
CVE release was all that was required, but it seems that you had to A) 
confuse me and then B) get upset yourself by my jocular comment before 
you released the info.

Again I apologise if I have upset you in any way, but before your posts 
tonight, I was very confused by the fact that debian seemed to be using 
versions it shouldn't.

Rowland
>
>> If you look here: https://www.samba.org/samba/history/
>>
>> It clearly says 'samba-4.3.7 (do not use)' .
>>
>> Not to say this is the problem, but it cannot be helping.
> This is entirely and totally unrelated.
>
> The regression fixed in the 4.3.8 package is in a patch already
> included in Debian's 4.3.7, as they were substantially prepared before
> the new tarballs were provided.  Given deadlines and workload before a
> fixed embargo release time, the of the *eight* packages released
> (including backports of tdb, talloc, ldb and tevent), the three Samba
> package for which a late re-release was made were deliberately not re
> -made with the new version number.
>
> I hope this clarifies things.
>
> Andrew Bartlett
>

On Fri, 15 Apr 2016, Rowland penny wrote:
> On 15/04/16 21:06, Andrew Bartlett wrote:
>>  On Fri, 2016-04-15 at 15:31 +0100, Rowland penny wrote:
>> >  On 15/04/16 14:54, L.P.H. van Belle wrote:
>> > >  As for the packages below.
>> > >  4.1.17, yes, im upgrading these as we speak, but now on hold
due to
>> > >  this problem.
>> > > 
>> > >  4.2.20 .. error typo, is Version 4.2.10-Debian
>> > > 
>> > >  4.3.7.. yeah, but 4.3.8 is not in debian, the 4.3.7 is the
package
>> > >  version debian used for the latest CVE fixes.
>> >  OK, just who in Debian cannot read ??? :-D
>>  Rowland, please take more care in your statements.
>
> OK, now I must take you to task Andrew, I was confused, the Samba history
web
> page clearly says 'do not use' but debian seems to be using the
versions that
> have that epitath
FWIW, Redhat seems to have done the same thing.  I installed their 
badblock-patched samba-4.2.10-6.el7_2.x86_64 yesterday (which was an 
update from 4.2.3 on EL7, and an optional 4.0.0 on EL6).