Karolin Seeger
2015-Feb-23 10:45 UTC
[Announce] Samba 4.1.17, 4.0.25 and 3.6.25 Available for Download
Release Announcements
---------------------

Samba 4.1.17, 4.0.25 and 3.6.25 have been issued as security releases in order
to address CVE-2015-0240 (Unexpected code execution in smbd.).

For the sake of completeness, Samba 4.2.0rc5 including a fix for this defect
will follow soon, but it won't be a dedicated security release and will
therefore address other bug fixes also.

o  CVE-2015-0240:
   All versions of Samba from 3.5.0 to 4.2.0rc4 are vulnerable to an
   unexpected code execution vulnerability in the smbd file server
   daemon.

   A malicious client could send packets that may set up the stack in
   such a way that the freeing of memory in a subsequent anonymous
   netlogon packet could allow execution of arbitrary code. This code
   would execute with root privileges.

Samba 3.6.25 also includes a fix for CVE-2014-0178 (Malformed
FSCTL_SRV_ENUMERATE_SNAPSHOTS response).

o  CVE-2014-0178:
   In preparing a response to an authenticated FSCTL_GET_SHADOW_COPY_DATA
   or FSCTL_SRV_ENUMERATE_SNAPSHOTS client request, affected versions of
   Samba do not initialize 8 bytes of the 16 byte SRV_SNAPSHOT_ARRAY
   response field. The uninitialized buffer is sent back to the client.

   A non-default VFS module providing the get_shadow_copy_data_fn() hook
   must be explicitly enabled for Samba to process the aforementioned
   client requests. Therefore, only configurations with "shadow_copy" or
   "shadow_copy2" specified for the "vfs objects" parameter are vulnerable.

For more details and a patch for Samba 3.5.22, please see
  http://www.samba.org/samba/history/security.html


Changes:
========

o   Jeremy Allison <jra at samba.org>
    * BUG 11077: CVE-2015-0240: talloc free on uninitialized stack pointer
      in netlogon server could lead to security vulnerability.

o   Jiří Šašek <jiri.sasek at oracle.com>
    * BUG 10549: CVE-2014-0178: Fix malformed FSCTL_SRV_ENUMERATE_SNAPSHOTS
      response.

o   Andreas Schneider <asn at samba.org>
    * BUG 11077: CVE-2015-0240: s3-netlogon: Make sure we do not dereference
      a NULL pointer./auth: Make sure that creds_out is initialized with NULL.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the correct Samba product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


================
Download Details
================

The uncompressed tarballs and patch files have been signed
using GnuPG (ID 6568B7EA). The source code can be downloaded
from:

        http://download.samba.org/samba/ftp/stable/

The release notes are available online at:

        http://www.samba.org/samba/history/samba-4.1.17.html
        http://www.samba.org/samba/history/samba-4.0.25.html
        http://www.samba.org/samba/history/samba-3.6.25.html

Binary packages will be made available on a volunteer basis from

        http://download.samba.org/samba/ftp/Binary_Packages/

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

                        --Enjoy
                        The Samba Team
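
The CVE-2014-0178 precondition stated above (a configuration that names "shadow_copy" or "shadow_copy2" in "vfs objects") can be checked mechanically. The following is an added example, not part of the original announcement or of Samba's own code: it parses smb.conf text and lists the sections that effectively load one of those modules. The function names, the sample configuration and the handling of "module:instance" names are assumptions made for illustration.

```python
import re

AFFECTED = {"shadow_copy", "shadow_copy2"}  # modules named in the announcement
# Constructed sample smb.conf, for illustration only.
SAMPLE = """
[global]
   VFS Objects = full_audit
[projects]
   vfs objects = full_audit, shadow_copy2 \\
                 recycle
[scratch]
   ; vfs objects = shadow_copy
[archive]
   vfsobjects = shadow_copy:nightly
"""

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lower-cased, whitespace removed."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections

def shadow_copy_sections(text):
    """Map each section to the affected VFS modules it effectively loads."""
    conf = parse_smb_conf(text)
    default = conf.get("global", {}).get("vfsobjects", "")  # inherited by shares
    hits = {}
    for name, params in conf.items():
        modules = re.split(r"[\s,]+", params.get("vfsobjects", default))
        # Assumption: "module:instance" loads the module named before the colon.
        found = sorted({m.split(":")[0].lower() for m in modules} & AFFECTED)
        if found:
            hits[name] = found
    return hits

if __name__ == "__main__":
    print(shadow_copy_sections(SAMPLE))
```

The parser does not follow "include" or "copy" directives, so an empty result is inconclusive for configurations that use them.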