Karolin Seeger
2014-Mar-11 18:11 UTC
[Samba] [Announce] Samba 4.1.6, 4.0.16 and 3.6.23 Security Releases Available
Release Announcements
---------------------
Samba 4.1.6, 4.0.16 and 3.6.23 have been issued as security releases in order
to address CVE-2013-4496 (Password lockout not enforced for SAMR password
changes) and CVE-2013-6442 (smbcacls can remove a file or directory ACL by
mistake). Please note that Samba 3.6.23 is not affected by CVE-2013-6442.
o CVE-2013-4496:
Samba versions 3.4.0 and above allow the administrator to implement
locking out Samba accounts after a number of bad password attempts.
However, all released versions of Samba did not implement this check for
password changes, such as are available over multiple SAMR and RAP
interfaces, allowing password guessing attacks.
For more details, please refer to
http://www.samba.org/samba/security/CVE-2013-4496.
o CVE-2013-6442:
Samba versions 4.0.0 and above have a flaw in the smbcacls command. If
smbcacls is used with the "-C|--chown name" or "-G|--chgrp
name"
command options it will remove the existing ACL on the object being
modified, leaving the file or directory unprotected.
For more details, please refer to
http://www.samba.org/samba/security/CVE-2013-6442.
Changes:
=======
o Jeremy Allison <jra at samba.org>
* BUG 10327: CVE-2013-6442: ensure we don't lose an existing ACL when
setting owner or group owner.
o Andrew Bartlett <abartlet at samba.org>
* BUG 10245: CVE-2013-4496: Enforce password lockout for SAMR password
changes.
o Stefan Metzmacher <metze at samba.org>
* BUG 10245: CVE-2013-4496: Enforce password lockout for SAMR password
changes.
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the proper product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================= Our
Code, Our Bugs, Our Responsibility.
== The Samba Team
=====================================================================
===============Download Details
===============
The uncompressed tarballs and patch files have been signed
using GnuPG (ID 6568B7EA). The source code can be downloaded
from:
http://download.samba.org/samba/ftp/stable/
The release notes are available online at:
http://www.samba.org/samba/history/samba-4.1.6.html
http://www.samba.org/samba/history/samba-4.0.16.html
http://www.samba.org/samba/history/samba-3.6.23.html
Binary packages will be made available on a volunteer basis from
http://download.samba.org/samba/ftp/Binary_Packages/
Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)
--Enjoy
The Samba Team
Raymond
2014-Mar-12 06:51 UTC
[Samba] [Announce] Samba 4.1.6, 4.0.16 and 3.6.23 Security Releases Available
Aaaahh! This is good news!! Just what I was waiting for! Now we can
implement samba 4.
Thank you guys
Ray
-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
On Behalf Of Karolin Seeger
Sent: 11 March 2014 08:11 PM
To: samba-announce at samba.org; samba at samba.org; samba-technical at
samba.org
Subject: [Samba] [Announce] Samba 4.1.6, 4.0.16 and 3.6.23 Security Releases
Available
Release Announcements
---------------------
Samba 4.1.6, 4.0.16 and 3.6.23 have been issued as security releases in
order to address CVE-2013-4496 (Password lockout not enforced for SAMR
password
changes) and CVE-2013-6442 (smbcacls can remove a file or directory ACL by
mistake). Please note that Samba 3.6.23 is not affected by CVE-2013-6442.
o CVE-2013-4496:
Samba versions 3.4.0 and above allow the administrator to implement
locking out Samba accounts after a number of bad password attempts.
However, all released versions of Samba did not implement this check for
password changes, such as are available over multiple SAMR and RAP
interfaces, allowing password guessing attacks.
For more details, please refer to
http://www.samba.org/samba/security/CVE-2013-4496.
o CVE-2013-6442:
Samba versions 4.0.0 and above have a flaw in the smbcacls command. If
smbcacls is used with the "-C|--chown name" or "-G|--chgrp
name"
command options it will remove the existing ACL on the object being
modified, leaving the file or directory unprotected.
For more details, please refer to
http://www.samba.org/samba/security/CVE-2013-6442.
Changes:
=======
o Jeremy Allison <jra at samba.org>
* BUG 10327: CVE-2013-6442: ensure we don't lose an existing ACL when
setting owner or group owner.
o Andrew Bartlett <abartlet at samba.org>
* BUG 10245: CVE-2013-4496: Enforce password lockout for SAMR password
changes.
o Stefan Metzmacher <metze at samba.org>
* BUG 10245: CVE-2013-4496: Enforce password lockout for SAMR password
changes.
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.
If you do report problems then please try to send high quality feedback. If
you don't provide vital information to help us track down the problem then
you will probably be ignored. All bug reports should be filed under the
proper product in the project's Bugzilla database
(https://bugzilla.samba.org/).
======================================================================= Our
Code, Our Bugs, Our Responsibility.
== The Samba Team
=====================================================================
===============Download Details
===============
The uncompressed tarballs and patch files have been signed using GnuPG (ID
6568B7EA). The source code can be downloaded
from:
http://download.samba.org/samba/ftp/stable/
The release notes are available online at:
http://www.samba.org/samba/history/samba-4.1.6.html
http://www.samba.org/samba/history/samba-4.0.16.html
http://www.samba.org/samba/history/samba-3.6.23.html
Binary packages will be made available on a volunteer basis from
http://download.samba.org/samba/ftp/Binary_Packages/
Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)
--Enjoy
The Samba Team
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>email-banner</title>
<meta http-equiv="Content-Type" content="text/html;
charset=iso-8859-1" />
</head>
<body bgcolor="#FFFFFF" leftmargin="0"
topmargin="0" marginwidth="0" marginheight="0">
</br>
<a href="http://www.joburgtheatre.com"><img
src="http://www.showbusiness.co.za/emailbanner/banner.jpg"
width="660" height="165" />
<!-- ImageReady Slices (banner4web.jpg) --><!-- End ImageReady Slices
--></a></br>
</body>
</html>