Samba 2.2.8a security available for download

Post by Jerr » Tue, 08 Apr 2003 21:02:44



This release provides an important security fix outlined in the
release notes that follow. This is the latest stable release of
Samba and the version that all production Samba servers should be
running for all current bug-fixes.

The source code can be downloaded from :

    http://download.samba.org/samba/ftp/

in the file samba-2.2.8a.tar.gz or samba-2.2.8a.tar.bz2.
Both archives have been signed using the Samba Distribution Key
(available in the samba directory on the web server).

Binary packages will be released shortly for major platforms and
can be found at

    http://download.samba.org/samba/ftp/Binary_Packages/

As always, all bugs are our responsibility.

                           --Sincerely
                           The Samba Team

               ****************************************
               * IMPORTANT: Security bugfix for Samba *
               ****************************************

Summary
-------

Digital Defense, Inc. has alerted the Samba Team to a serious
vulnerability in all stable versions of Samba currently shipping.
The Common Vulnerabilities and Exposures (CVE) project has assigned
the ID CAN-2003-0201 to this defect.

This vulnerability, if exploited correctly, leads to an anonymous
user gaining root access on a Samba serving system. All versions
of Samba up to and including Samba 2.2.8 are vulnerable. An active
exploit of the bug has been reported in the wild. Alpha versions of
Samba 3.0 and above are *NOT* vulnerable.

Credit
------

The Samba Team would like to thank Erik Parker and the team at
Digital Defense, Inc. for their efforts spent in the responsible
and timely reporting of this bug.

Patch Availability
------------------

The Samba 2.2.8a release contains only updates to address this
security issue. A roll-up patch for release 2.2.7a and 2.0.10
addressing both CAN-2003-0201 and CAN-2003-0085 can be obtained
from http://www.samba.org/samba/ftp/patches/security/.


Samba 2.2.8a security available for download

Post by Jerr » Tue, 08 Apr 2003 21:46:27



> This release provides an important security fix outlined in the
> release notes that follow. This is the latest stable release of
> Samba and the version that all production Samba servers should be
> running for all current bug-fixes.

> The source code can be downloaded from :

>     http://download.samba.org/samba/ftp/

> in the file samba-2.2.8a.tar.gz or samba-2.2.8a.tar.bz2.
> Both archives have been signed using the Samba Distribution Key
> (available in the samba directory on the web server).

This is the announcement from Digital Defense that went out to
BUGTRAQ this morning.  

      http://www.digitaldefense.net/labs/advisories/DDI-1013.txt

I will remind people that there is a published exploit for
this bug so patching your servers should be top priority today.  
Our apologies for the past two security issues.

cheers, jerry
 ----------------------------------------------------------------------
 Hewlett-Packard            ------------------------- http://www.hp.com
 SAMBA Team                 ---------------------- http://www.samba.org
 GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
 "You can never go home again, Oatman, but I guess you can shop there."  
                            --John Cusack - "Grosse Point Blank" (1997)


1. Upgrade to 2.2.8a from older 2.2.X breaks printing with XP

Hi:

Due to some intermittent issues with file-sharing performance from FreeBSD
to XP, I decided to upgrade to the latest port in the FreeBSD collection.
The result is that my printing is completely busted, and I cannot get any
logging to tell me what is happening.  I've tried increasing the log level
in the smb.conf file to no avail.

Symptom:

Trying to reinstall a printer from scratch, the connection comes back on
Windows as a failure.  I noticed that a spawned smbd is running and
apparently hanging:

root     3988  0.0  3.3  4060 3112  ??  Is   12:22AM   0:00.01 /usr/local/sbin/smbd -D
clint    4032  0.0  3.4  4460 3236  ??  T    12:27AM   0:00.04 /usr/local/sbin/smbd -D

The process spawns every time I try to connect to a printer from Windows.
I've searched through the docs on the Samba.org website.  Any additional
suggestions would be much appreciated.

Thanks,

-Clint

2. VS.NET 2003 Namespace issue

3. Win2k can not see shares on SAMBA 2.2.8a/WINS

4. CAOS/2 - astronomy program early beta

5. Slow Browsing with FreeBSD 5-RELEASE & Samba 2.2.8a

6. SQL*Plus replacement?

7. Denied Connection: Samba 2.2.8a & FreeBSD 4.8

8. Remote AD authentication using JNDI

9. Printing with Samba 2.2.8a on Solaris 2.6

10. error running smbstatus 2.2.8a in FreeBSD 4.8

11. ./configure reports "No locking available" in conjunction with Samba 2.2.1a

12. Problem updating Samba 2.2.3a to 2.2.7a on SuSE 8.0

13. Samba 2.2.1a security question