Gerald (Jerry) Carter
2004-Jul-22 11:15 UTC
[Samba] Security Release - Samba 3.0.5 and 2.2.10
Summary: Potential Buffer Overruns in Samba 3.0 and Samba 2.2
CVE ID: CAN-2004-0600, CAN-2004-0686
(http://cve.mitre.org/)

-------------
CAN-2004-0600
-------------

Affected Versions: >= v3.0.2

The internal routine used by the Samba Web Administration Tool (SWAT v3.0.2 and later) to decode the base64 data during HTTP basic authentication is subject to a buffer overrun caused by an invalid base64 character. It is recommended that all Samba v3.0.2 or later installations running SWAT either (a) upgrade to v3.0.5, or (b) disable the swat administration service as a temporary workaround.

This same code is used internally to decode the sambaMungedDial attribute value when using the ldapsam passdb backend. While we do not believe that the base64 decoding routines used by the ldapsam passdb backend can be exploited, sites using an LDAP directory service with Samba are strongly encouraged to verify that the DIT only allows write access to sambaSamAccount attributes by a sufficiently authorized user.

The Samba Team would like to heartily thank Evgeny Demidov for analyzing and reporting this bug.

-------------
CAN-2004-0686
-------------

Affected Versions: >= v2.2.9, >= v3.0.0

A buffer overrun has been located in the code used to support the 'mangling method = hash' smb.conf option. Please be aware that the default setting for this parameter in Samba 3 is 'mangling method = hash2' and therefore not vulnerable. Affected Samba installations can avoid this possible security bug by using the hash2 mangling method. Server installations requiring the hash mangling method are encouraged to upgrade to Samba 3.0.5 (or 2.2.10).

--------------------------------------

Samba 3.0.5 and 2.2.10 are identical to the previous release in each respective series with the exception of fixing these issues. Samba 3.0.5rc1 has been removed from the download area on Samba.org and 3.0.6rc2 will be available later this week.

The source code can be downloaded from:

    http://download.samba.org/samba/ftp/

The uncompressed tarball and patch file have been signed using GnuPG. The Samba public key is available at

    http://download.samba.org/samba/ftp/samba-pubkey.asc

Binary packages are available at

    http://download.samba.org/samba/ftp/Binary_Packages/

The release notes are also available on-line at

    http://www.samba.org/samba/whatsnew/samba-3.0.5.html
    http://www.samba.org/samba/whatsnew/samba-2.2.10.html

Our code, Our bugs, Our responsibility.
(Samba Bugzilla -- https://bugzilla.samba.org/)

-- The Samba Team
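The CAN-2004-0600 entry above describes a base64 decoder that overruns its buffer when fed an invalid base64 character. The following is an added example, not Samba's code and not the fix that shipped in 3.0.5: a decoder that rejects any byte outside the alphabet before the value is used for anything, and that checks the output buffer before every write. The function names `safe_base64_decode` and `check_decode` are chosen for this illustration.

```c
#include <stddef.h>
#include <string.h>
/* Map one alphabet character to its 6-bit value, or -1 for any other byte;
 * the caller must test for -1 before using the value as anything at all. */
static int b64_value(unsigned char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}
/* Decode NUL-terminated base64 into out[0..outlen). Returns bytes written, or -1
 * for an invalid character, bad padding, or an output buffer that is too small. */
long safe_base64_decode(const char *in, unsigned char *out, size_t outlen)
{
    size_t n = strlen(in), i, o = 0;
    unsigned acc = 0;
    int bits = 0, pad = 0;
    while (n > 0 && in[n - 1] == '=') {       /* '=' is legal only as trailing padding */
        n--;
        if (++pad > 2) return -1;
    }
    for (i = 0; i < n; i++) {
        int v = b64_value((unsigned char)in[i]);
        if (v < 0) return -1;                 /* reject; never index a table with it */
        acc = (acc << 6) | (unsigned)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (o >= outlen) return -1;       /* bounds check before every write */
            out[o++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    /* A dangling 6-bit group or non-zero leftover bits is not a valid encoding. */
    if (bits >= 6 || (acc & ((1u << bits) - 1)) != 0) return -1;
    return (long)o;
}
/* Demonstration helper: 1 if `in` decodes into an outlen-byte buffer as `expected`,
 * or, when expected is NULL, 1 if the decoder correctly rejects the input. */
int check_decode(const char *in, size_t outlen, const char *expected)
{
    unsigned char buf[64];
    long n = safe_base64_decode(in, buf, outlen < sizeof buf ? outlen : sizeof buf);
    if (expected == NULL) return n == -1;
    return n >= 0 && (size_t)n == strlen(expected) && memcmp(buf, expected, (size_t)n) == 0;
}
```

The sample input "QWxhZGRpbjpvcGVuIHNlc2FtZQ==" is the HTTP basic-authentication example from RFC 2617 and decodes to "Aladdin:open sesame"; an undersized buffer or a stray byte such as '!' is reported as an error instead of being written past the end.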
Gerald (Jerry) Carter
2004-Jul-22 11:27 UTC
[Samba] Security Release - Samba 3.0.5 and 2.2.10
Gerald (Jerry) Carter wrote:
| Summary: Potential Buffer Overruns in Samba 3.0 and Samba 2.2
| CVE ID: CAN-2004-0600, CAN-2004-0686
| (http://cve.mitre.org/)
| ...
| Samba 3.0.5 and 2.2.10 are identical to the previous release
| in each respective series with the exception of fixing these
| issues. Samba 3.0.5rc1 has been removed from the download area
| on Samba.org and 3.0.6rc2 will be available later this week.

I should clarify that the bug fixes in

    http://samba.org/~jerry/patches/post-3.0.4/

have *not* been incorporated into 3.0.5. I'm sure there will be debate as to whether or not this was a good idea. But a security release should only contain security fixes (minimal amount of change necessary). So if you needed this patch before, you will need to reapply it again to 3.0.5.

For those running 3.0.5pre1 or 3.0.5rc1, these have effectively been bumped to 3.0.6. We'll get 3.0.6rc2 out later this week hopefully.

cheers, jerry

----------------------------------------------------------------------
Hewlett-Packard            ------------------------- http://www.hp.com
SAMBA Team                 ---------------------- http://www.samba.org
GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc

"...a hundred billion castaways looking for a home." ----------- Sting