Release Announcements
====================
This is a security release in order to address CVE-2009-2813, CVE-2009-2948
and CVE-2009-2906.
   o CVE-2009-2813:
     In all versions of Samba later than 3.0.11, connecting to the home
     share of a user will use the root of the filesystem
     as the home directory if this user is misconfigured to have
     an empty home directory in /etc/passwd.
   o CVE-2009-2948:
     If mount.cifs is installed as a setuid program, a user can pass it a
     credential or password path to which he or she does not have access and
     then use the --verbose option to view the first line of that file.
     All known Samba versions are affected.
   o CVE-2009-2906:
     Specially crafted SMB requests on authenticated SMB connections can
     send smbd into a 100% CPU loop, causing a DoS on the Samba server.
######################################################################
Changes
#######
Changes since 3.3.7
-------------------
o   Jeremy Allison <jra@samba.org>
    * BUG 6763: Fix for CVE-2009-2813.
    * BUG 6768: Fix for CVE-2009-2906.
o   Jeff Layton <jlayton@redhat.com>
    * Fix for CVE-2009-2948.
================
Download Details
================
The uncompressed tarballs and patch files have been signed
using GnuPG (ID 6568B7EA).  The source code can be downloaded
from:
        http://download.samba.org/samba/ftp/
The release notes are available online at:
        http://www.samba.org/samba/ftp/history/samba-3.3.8.html
Binary packages will be made available on a volunteer basis from
        http://download.samba.org/samba/ftp/Binary_Packages/
Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)
                        --Enjoy
                        The Samba Team
Karolin Seeger
2009-Oct-01  12:58 UTC
[Samba] [Announce] Samba 3.3.8 Security Release Available
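The following host check is an added example, not part of the Samba announcement or the Samba code base. It looks for the two local preconditions the announcement names: accounts with an empty home directory field (CVE-2009-2813) and a setuid mount.cifs (CVE-2009-2948). The function names, the default path /sbin/mount.cifs and the sample passwd entries are assumptions made for illustration.

```shell
# Added audit example; not part of the Samba release.

# Print accounts whose home directory (field 6) is empty in a passwd-format
# file: the misconfiguration CVE-2009-2813 depends on.
empty_home_users() {
    awk -F: '$1 != "" && $1 !~ /^#/ && NF >= 6 && $6 == "" { print $1 }' \
        "${1:-/etc/passwd}"
}

# Succeed if the given mount.cifs binary exists and carries the setuid bit,
# the precondition for CVE-2009-2948.
mount_cifs_is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Report both conditions; return 1 if either is present, 0 otherwise.
# Arguments (assumed defaults): passwd file, mount.cifs path.
audit_samba_preconditions() {
    passwd_file=${1:-/etc/passwd}
    helper=${2:-/sbin/mount.cifs}
    status=0
    for u in $(empty_home_users "$passwd_file"); do
        echo "CVE-2009-2813: account '$u' has an empty home directory"
        status=1
    done
    if mount_cifs_is_setuid "$helper"; then
        echo "CVE-2009-2948: $helper is setuid"
        status=1
    fi
    return "$status"
}

# Constructed sample input so the example runs offline.
make_sample_passwd() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc_scan:x:1001:1001:Scanner::/usr/sbin/nologin
# bob:x:1002:1002:Bob::/bin/sh
carol:x:1003:1003:::
EOF
    echo "$f"
}

sample=$(make_sample_passwd)
audit_samba_preconditions "$sample" /nonexistent/mount.cifs || echo "findings present"
rm -f "$sample"
```

On a real host, call audit_samba_preconditions with no arguments, or pass the actual location of mount.cifs if it differs from the assumed default.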