Input string vulnerability in smbclient

Remembered reading about this a few weeks ago, expecting an update to roll out eventually,

Samba - Security Announcement Archive

Is there going to be a security update, or should we apply the patch available?

There was an update to samba-client on 14 July, did you not get it? This is the top of the changelog:

  • Tue Jun 23 2009 jmcdonough @
  • Uninitialized read of a data value; CVE-2009-1888 (bnc#515479).
  • Samba 3.2.0 - 3.2.12 smbclient commands dealing with file names treat user
    input as a format string to asprintf; CVE-2009-1886; (bnc#513360);

My apologies for needlessly having to verify this, I see it has been patched already, just as I was about to do if v3.2.13 was not forthcoming.

I’m sure there were good reasons for that, :).
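
The changelog entry quoted in this thread describes smbclient file-name commands treating user input as the format string to asprintf (CVE-2009-1886). The C code below is an added example of that bug class beside its fix, not Samba's code or its patch and not from any poster here; the function names and the sample file name are hypothetical, and the sample contains only `%%` (which consumes no arguments) so that the vulnerable call stays within defined behaviour.

```c
#define _GNU_SOURCE               /* asprintf() is a GNU/BSD extension */
#define __STDC_WANT_LIB_EXT2__ 1  /* also requests it on glibc */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Vulnerable pattern (hypothetical helper): the file name IS the format. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
char *remote_name_vulnerable(const char *name)
{
    char *out = NULL;
    if (asprintf(&out, name) < 0)   /* conversions in 'name' are interpreted */
        return NULL;
    return out;
}
#pragma GCC diagnostic pop

/* Hardened pattern: constant format string, the file name is only data. */
char *remote_name_fixed(const char *name)
{
    char *out = NULL;
    if (asprintf(&out, "%s", name) < 0)
        return NULL;
    return out;
}

/* Returns 1 when the helper hands back the name byte for byte, else 0. */
int preserves_name(char *(*build)(const char *), const char *name)
{
    char *out = build(name);
    int same = (out != NULL && strcmp(out, name) == 0);
    free(out);
    return same;
}

int main(void)
{
    /* Constructed sample: a file name containing the two characters "%%". */
    const char *name = "sales_100%%_final.txt";
    printf("vulnerable keeps name: %d\n", preserves_name(remote_name_vulnerable, name));
    printf("fixed keeps name:      %d\n", preserves_name(remote_name_fixed, name));
    return 0;
}
```

Building with `-Wformat -Wformat-security` (without the pragmas) makes GCC and Clang flag the first helper, which is a quick way to audit code for the same pattern.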