Release Announcements ==================== This is a security release in order to address CVE-2009-2813, CVE-2009-2948 and CVE-2009-2906. o CVE-2009-2813: In all versions of Samba later than 3.0.11, connecting to the home share of a user will use the root of the filesystem as the home directory if this user is misconfigured to have an empty home directory in /etc/passwd. o CVE-2009-2948: If mount.cifs is installed as a setuid program, a user can pass it a credential or password path to which he or she does not have access and then use the --verbose option to view the first line of that file. All known Samba versions are affected. o CVE-2009-2906: Specially crafted SMB requests on authenticated SMB connections can send smbd into a 100% CPU loop, causing a DoS on the Samba server. ###################################################################### Changes ####### Changes since 3.2.14 -------------------- o Jeremy Allison <jra@samba.org> * BUG 6763: Fix for CVE-2009-2813. * BUG 6768: Fix for CVE-2009-2906. o Jeff Layton <jlayton@redhat.com> * Fix for CVE-2009-2948. ===============Download Details =============== The uncompressed tarballs and patch files have been signed using GnuPG (ID 6568B7EA). The source code can be downloaded from: http://download.samba.org/samba/ftp/ The release notes are available online at: http://www.samba.org/samba/ftp/history/samba-3.2.15.html Binary packages will be made available on a volunteer basis from http://download.samba.org/samba/ftp/Binary_Packages/ Our Code, Our Bugs, Our Responsibility. (https://bugzilla.samba.org/) --Enjoy The Samba Team
Karolin Seeger
2009-Oct-01 12:59 UTC
[Samba] [Announce] Samba 3.2.15 Security Release Available
Release Announcements ==================== This is a security release in order to address CVE-2009-2813, CVE-2009-2948 and CVE-2009-2906. o CVE-2009-2813: In all versions of Samba later than 3.0.11, connecting to the home share of a user will use the root of the filesystem as the home directory if this user is misconfigured to have an empty home directory in /etc/passwd. o CVE-2009-2948: If mount.cifs is installed as a setuid program, a user can pass it a credential or password path to which he or she does not have access and then use the --verbose option to view the first line of that file. All known Samba versions are affected. o CVE-2009-2906: Specially crafted SMB requests on authenticated SMB connections can send smbd into a 100% CPU loop, causing a DoS on the Samba server. ###################################################################### Changes ####### Changes since 3.2.14 -------------------- o Jeremy Allison <jra at samba.org> * BUG 6763: Fix for CVE-2009-2813. * BUG 6768: Fix for CVE-2009-2906. o Jeff Layton <jlayton at redhat.com> * Fix for CVE-2009-2948. ===============Download Details =============== The uncompressed tarballs and patch files have been signed using GnuPG (ID 6568B7EA). The source code can be downloaded from: http://download.samba.org/samba/ftp/ The release notes are available online at: http://www.samba.org/samba/ftp/history/samba-3.2.15.html Binary packages will be made available on a volunteer basis from http://download.samba.org/samba/ftp/Binary_Packages/ Our Code, Our Bugs, Our Responsibility. (https://bugzilla.samba.org/) --Enjoy The Samba Team -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 197 bytes Desc: not available URL: <http://lists.samba.org/pipermail/samba/attachments/20091001/38a32469/attachment.pgp>