Yikes! FreeBSD samba-3.0.26a_2,1 is forbidden: "Remote Code Execution...

Ted Mittelstaedt tedm at toybox.placo.com
Fri Dec 14 14:33:40 PST 2007

> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of W. D.
> Sent: Friday, December 14, 2007 8:37 AM
> To: samba at lists.samba.org
> Cc: Remko Lodder; Timur at freebsd.org; FreeBSD-Questions at freebsd.org
> Subject: Re: Yikes! FreeBSD samba-3.0.26a_2,1 is forbidden: "Remote Code
> Execution...
> I need to get a fileserver going right away.  I would like
> to use Samba.  Perhaps I should just load Windows on it?

Samba is a VERY EASY package to manually compile.  It is NOT
necessary to use the FreeBSD ports system to install it.  It
would probably be a good idea to look at the FreeBSD samba port
and see what dependencies it calls for, then install those,
before compiling Samba.  But, you just follow the instructions
in the Samba distribution and it will work fine.

This happens from time to time with the FreeBSD ports system, and
there isn't any way to avoid it.  Most open source software
today is written to depend on other open source software
packages.  People don't like spending programming time
reinventing the wheel.  As a result you have a large dependency
list which has deep roots as the dependent programs themselves
have even more dependencies.  If just one single program in
that mess gets updated it will affect entire trees and many
other programs.

This really isn't any different with commercial software.  Most
commercial software today uses many commercial libraries.  When
one of those libraries has a security hole, all the commercial
programs that are built with that library now have that same
security hole.  That is why it is so easy to crack into Windows
systems, because most of the time those commercial software
developers don't "mark their stuff forbidden" like the Open Source
community does.  Money is at stake.  Instead they just quietly
release "updates" that close those holes months after the fact.
In the meantime the spammers have been having a field day
breaking into Windows systems and setting them up as zombies.

> It seems to me that leaving a port broken like this is
> very "unprofessional".  I would expect more from the folks
> maintaining FreeBSD.

It is much more "unprofessional" to do as the "professionals"
do and simply pretend the problem doesn't exist, then release
an update when they get around to it.

I will close by saying that the crackers and criminals out there
who find and exploit these security holes are the real ones
causing the problem; they are the real people you should be
"expecting more" from.  They don't have your server schedule
in mind when they release cracking scripts.  If you're a real
IT manager, you should be very aware of this already, and be
used to it.  Railing against a bunch of wannabe criminals
that break into things doesn't help, nor does bitching about
the results of those criminals' actions to people who are
trying to protect your ass from being exposed to them.  All
you can do is just sit back, wait for the dust to clear, and
proceed forward when the fight between the black and white hats
is over with for the moment.

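Added example, not from Ted's post and not the FreeBSD project's own code: the advice above is to look at what the port depends on before building Samba by hand. Both the reason a port is blocked and its dependency list live in the port's Makefile, as the FORBIDDEN variable and the BUILD_DEPENDS/LIB_DEPENDS/RUN_DEPENDS variables. On a FreeBSD box with a ports tree you would read them in the port directory with `make -V FORBIDDEN`, `make build-depends-list` and `make run-depends-list` (targets supplied by bsd.port.mk). Those cannot run outside a ports tree, so the script below uses a small awk reader and a constructed sample Makefile; the dependency entries and the FORBIDDEN text in it are illustrative, not copied from the real net/samba3 port. The practical point is to read the FORBIDDEN reason first: a hand-built install of the same version carries whatever hole that marker was set for.

```shell
#!/bin/sh
# Added example (not from the original post). Reads the FORBIDDEN marker and
# the dependency origins out of a FreeBSD port Makefile. The Makefile below
# is CONSTRUCTED for this example and is not the real net/samba3 Makefile.

TMPDIR_EX=$(mktemp -d)
trap 'rm -rf "$TMPDIR_EX"' EXIT
SAMPLE_MK="$TMPDIR_EX/Makefile"
cat > "$SAMPLE_MK" <<'EOF'
# constructed sample port Makefile (illustrative values only)
PORTNAME=       samba
PORTVERSION=    3.0.26a
PORTREVISION=   2
PORTEPOCH=      1
CATEGORIES=     net

FORBIDDEN=      Remote Code Execution (constructed sample text)

BUILD_DEPENDS=  iconv:${PORTSDIR}/converters/libiconv
LIB_DEPENDS=    popt.0:${PORTSDIR}/devel/popt \
                cups.2:${PORTSDIR}/print/cups-base
RUN_DEPENDS=    ${LOCALBASE}/bin/gmake:${PORTSDIR}/devel/gmake
EOF

# port_var MAKEFILE NAME: print the value assigned to make variable NAME,
# joining backslash-continued lines and collapsing whitespace. Stands in
# for "make -V NAME", which needs the real bsd.port.mk framework.
port_var() {
    awk -v name="$2" '
        cont == 1 {
            line = $0
            if (line ~ /\\$/) { sub(/\\$/, "", line) } else { cont = 0 }
            out = out " " line
            next
        }
        $0 ~ ("^" name "[[:space:]]*[?+:]?=") {
            line = $0
            sub(/^[^=]*=[[:space:]]*/, "", line)
            if (line ~ /\\$/) { sub(/\\$/, "", line); cont = 1 }
            out = line
        }
        END {
            gsub(/[[:space:]]+/, " ", out)
            sub(/^ /, "", out); sub(/ $/, "", out)
            print out
        }
    ' "$1"
}

# port_forbidden_reason MAKEFILE: empty output means the port is not blocked.
port_forbidden_reason() {
    port_var "$1" FORBIDDEN
}

# port_dep_origins MAKEFILE VAR: list the port origins (category/name) named
# in one *_DEPENDS variable. Each entry has the form
#   <file-or-lib>:${PORTSDIR}/<origin>[:<target>]
port_dep_origins() {
    port_var "$1" "$2" | tr ' ' '\n' \
        | sed -n 's/^[^:]*:\${PORTSDIR}\///p' | sed 's/:.*//'
}

# port_all_depends MAKEFILE: the de-duplicated union of build, library and
# run dependencies, i.e. what to install before building by hand.
port_all_depends() {
    for v in BUILD_DEPENDS LIB_DEPENDS RUN_DEPENDS; do
        port_dep_origins "$1" "$v"
    done | sort -u
}

reason=$(port_forbidden_reason "$SAMPLE_MK")
if [ -n "$reason" ]; then
    echo "port is FORBIDDEN: $reason"
else
    echo "port is not marked FORBIDDEN"
fi
echo "dependency origins to install first:"
port_all_depends "$SAMPLE_MK"
```

The reader only handles plain `=` style assignments and backslash continuation, which is what dependency lines in port Makefiles use; conditional blocks (`.if` / `.endif`) that add optional dependencies are not evaluated, which is one more reason to prefer `make build-depends-list` on a real ports tree when it is available.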
