thr3ads.net - samba - [Samba] SECURITY: Samba 2.2.12 Available for Download [Sep 2004]

If this information is useful, please help other people find it:
Share via:

Gerald (Jerry) Carter

2004-Sep-30 13:16 UTC

[Samba] SECURITY: Samba 2.2.12 Available for Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

######################## SECURITY RELEASE ########################

Summary:	Potential Arbitrary File Access

Summary:        A remote attacker may be able to gain
		to files which exist outside of the share's
		defined path. Such files must still be readable
		by the account used for the connection.

CVE ID:		CAN-2004-0815
		(http://cve.mitre.org/)

This is the last stable release of the Samba 2.2 code base.
There will be no further Samba 2.2.x releases.

- -------------
CAN-2004-0815
- -------------

A bug in the input validation routines used to convert DOS
path names to path names on the Samba host's file system
may be exploited to gain access to files outside of the
share's path defined by smb.conf.


Protecting Unpatched Servers
- ----------------------------

Samba file shares with 'wide links = no' (a non-default
setting) in the service definition in smb.conf are *not*
vulnerable to this attack.

The Samba Team always encourages users to run the latest stable
release as a defense of against attacks.  However, under certain
circumstances it may not be possible to immediately upgrade
important installations.  In such cases, administrators should
read the "Server Security" documentation found at
http://www.samba.org/samba/docs/server_security.html.


Credits
- --------

Both security issues were reported to Samba developers by
iDEFENSE (http://www.idefense.com/).  Karol Wiesek is
credited with this discovery.

- --

The source code can be downloaded from :

	http://download.samba.org/samba/ftp/

The uncompressed tarball and patch file have been signed
using GnuPG.  The Samba public key is available at

	http://download.samba.org/samba/ftp/samba-pubkey.asc

Binary packages are available at

	http://download.samba.org/samba/ftp/Binary_Packages/

The release notes are also available on-line at

	http://www.samba.org/samba/history/samba-2.2.12.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

				The Samba Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBW95sIR7qMdg1EfYRAneCAKDy4kqR4LAm4qlZPSM+ubRaJxsLmACfeLB7
KCkm8fxaCg8ozy6yB8KUnic=TOJT
-----END PGP SIGNATURE-----

Apparently Analagous Threads

Search for more apparently analagous threads

samba - Sep 2004 - SECURITY: Samba 2.2.12 Available for Download

[Samba] SECURITY: Samba 2.2.12 Available for Download

Apparently Analagous Threads

Wisdom of the Ancients