oss-sec mailing list archives

Re: Samba symlink 0day flaw


From: Ludwig Nussel <ludwig.nussel () suse de>
Date: Fri, 5 Mar 2010 08:56:16 +0100

Josh Bressers wrote:
> As many of you have probably seen, there was a supposed Samba 0day flaw
> posted to full-disclosure and youtube.
>
> Samba has a response to this:
> http://marc.info/?l=samba-technical&m=126539387432412&w=2
>
> I'm not sure if this should get a CVE id. It is documented behavior.
> Somewhat unexpected though. I think changing the default is the right way
> to go, but it may be more of a hardening measure than a security fix.
>
> Thoughts Steve?

Any update on this? I think unexpected insecure default
configurations that surprise admins did get CVE numbers in the past.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\   
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

