Quoting Christian Perrier (bubu...@debian.org):
> Quoting Diego A. Gomez (di...@dgomez.com.ar):
> > Package: samba
> > Version: 2:3.2.5-4
> > Severity: critical
> > Tags: security
> > Justification: root security hole
> > 
> > 
> > This bug makes Samba vulnerable to brute-force attack and makes it possible to
> > gain administrator's domain privileges.
> 
> 
> Nothing in the bug log seems to be qualifying that issue as
> such. Moreover, the fact that upstream didn't issue any security
> update about this makes me think that both the criticality and the
> security implications of that bug need to be discussed.


Looking again closer at upstream's bug report, I see that this bug
summarizes to "bad login counter in the LDAP backend is not
incremented when a failed login happens".

This is a clear regression from 3.0 and it maybe deserves to be fixed
in a point release for lenny... maybe even before lenny is released,
by backporting upstream's fix and doing a high-urgency upload, provided
the release team ACKs this.

We have very little time left for this.

I'm still balanced to qualify this as a security issue (which would
make us go through a security upload).

