[Cerowrt-devel] Security update: CVE-2012-1182

Dave Taht dave.taht at gmail.com
Tue Apr 10 21:31:08 EDT 2012


Software is imperfect.

https://www.samba.org/samba/security/CVE-2012-1182

As I ship samba by default... and the current ipv6 firewall rules are
a little weak re: samba...

people should be aware of this vulnerability and take appropriate measures.

Regrettably I don't have an option for those of you running dev builds
going back a ways except to upgrade to current.

That is now (and entirely untested)

http://huchra.bufferbloat.net/~cero1/3.3/3.3.1-7/

I WAS in the process of finalizing some firewall rules AND there is
quite a lot of new stuff in this build that I was also just beginning
to test when this CVE came out - and I'm done for the day - so here it
is, with the new stuff. Tested a total of 5 minutes.

+ samba36 CVE fix
+ OpenWrt Toolchain
+ OpenWrt SDK.

I personally never use the SDK, but perhaps those of you out there
that want to fiddle with building your own code would find this easier
than doing it all from scratch. Let me know.

Three patches were queued up for linux 3.3.2 that seemed relevant and
I felt that some benchmarks were showing the tcp rcv size problem, so
they are in there in this 3.3.1 build. For more details see:

patchwork.ozlabs.org/user/bundle/2566/

+ radvd fix for distributing addresses (thx guys on irc)
+ wide-dhcp-pd looks like a winner, not configured yet tho

+ tons of extra packages mentioned earlier today in another email
- no firewall/gui fix (bug # - sorry, ENOTIME, end of the week)
- missing full entropy fixes
- still massive problems with the buildbot machines
- no working aqm script
- no working dhcpv6-pd
- no fixes to dnssec (although I have something that works better)

I'm aiming for a release Saturday that should be more worthwhile.
-- 
Dave Täht
SKYPE: davetaht
US Tel: 1-239-829-5608
http://www.bufferbloat.net
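The post notes that the build's IPv6 firewall rules are "a little weak re: samba" and asks people to take measures. As an added example that is not part of Dave's post or of any CeroWrt build, the script below generates ip6tables rules that drop inbound SMB/NetBIOS traffic arriving on the WAN interface, so a Samba service intended for the LAN is not exposed to the IPv6 internet while the package is being patched. The interface name (`eth0`), the chain name (`smb_wan_block`) and the chain hook points are assumptions; adjust them to the router's actual layout.

```shell
#!/bin/sh
# Added example: emit ip6tables rules that block SMB/NetBIOS on the WAN side.
# Not from the CeroWrt tree. Interface and chain names are assumptions.

WAN_IF="${WAN_IF:-eth0}"        # assumed WAN interface name
CHAIN="${CHAIN:-smb_wan_block}" # hypothetical user-defined chain

# Ports Samba listens on: NetBIOS name/datagram (UDP 137/138),
# NetBIOS session (TCP 139) and SMB directly over TCP (445).
SMB_TCP_PORTS="139 445"
SMB_UDP_PORTS="137 138"

# Print the rule commands instead of running them, so they can be reviewed
# first; pipe the output into sh (or use --apply) to install them.
smb_block_rules() {
    wan="$1"
    echo "ip6tables -N $CHAIN 2>/dev/null || ip6tables -F $CHAIN"
    for p in $SMB_TCP_PORTS; do
        echo "ip6tables -A $CHAIN -i $wan -p tcp --dport $p -j DROP"
    done
    for p in $SMB_UDP_PORTS; do
        echo "ip6tables -A $CHAIN -i $wan -p udp --dport $p -j DROP"
    done
    # Hook the chain at position 1 of INPUT and FORWARD so it is evaluated
    # before any rule that accepts traffic from the WAN (assumed layout).
    echo "ip6tables -I INPUT 1 -i $wan -j $CHAIN"
    echo "ip6tables -I FORWARD 1 -i $wan -j $CHAIN"
}

# Sanity check: number of DROP rules the generator emits for an interface.
smb_rule_count() {
    smb_block_rules "$1" | grep -c -- '-j DROP'
}

if [ "${1:-}" = "--apply" ]; then
    smb_block_rules "$WAN_IF" | sh
else
    smb_block_rules "$WAN_IF"
fi
```

Run it without arguments to print the rules for review; with `--apply` it installs them. Because the router also forwards traffic for LAN hosts, the chain is hooked into FORWARD as well as INPUT, so a LAN machine running its own SMB service is covered too.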


