similar to: [Announce] Samba 3.0.37 Security Release Available

Release Announcements ===================== This is a security release in order to address CVE-2009-2813, CVE-2009-2948 and CVE-2009-2906. o CVE-2009-2813: In all versions of Samba later than 3.0.11, connecting to the home share of a user will use the root of the filesystem as the home directory if this user is misconfigured to have an empty home directory in /etc/passwd.

Release Announcements ===================== This is a security release in order to address CVE-2009-2813, CVE-2009-2948 and CVE-2009-2906. o CVE-2009-2813: In all versions of Samba later than 3.0.11, connecting to the home share of a user will use the root of the filesystem as the home directory if this user is misconfigured to have an empty home directory in /etc/passwd.

Release Announcements ===================== This is a security release in order to address CVE-2009-2813, CVE-2009-2948 and CVE-2009-2906. o CVE-2009-2813: In all versions of Samba later than 3.0.11, connecting to the home share of a user will use the root of the filesystem as the home directory if this user is misconfigured to have an empty home directory in /etc/passwd.

Release Announcements ===================== This is a security release in order to address CVE-2009-2813, CVE-2009-2948 and CVE-2009-2906. o CVE-2009-2813: In all versions of Samba later than 3.0.11, connecting to the home share of a user will use the root of the filesystem as the home directory if this user is misconfigured to have an empty home directory in /etc/passwd.

Release Announcements ===================== This is a security release in order to address CVE-2009-2813, CVE-2009-2948 and CVE-2009-2906. o CVE-2009-2813: In all versions of Samba later than 3.0.11, connecting to the home share of a user will use the root of the filesystem as the home directory if this user is misconfigured to have an empty home directory in /etc/passwd.

Release Announcements ===================== This is a security release in order to address CVE-2009-2813, CVE-2009-2948 and CVE-2009-2906. o CVE-2009-2813: In all versions of Samba later than 3.0.11, connecting to the home share of a user will use the root of the filesystem as the home directory if this user is misconfigured to have an empty home directory in /etc/passwd.

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Since we now have a fix of sorts for CVE-2012-1586, it seems like as good a time as any to do a new release. Go forth, download and build cifs-utils-5.4. Highlights: * the "rootsbindir" can now be specified at configure time * mount.cifs now supports the -s option by passing "sloppy" to the kernel in the options string *

Release Announcements ===================== This is a security release in order to address CVE-2009-1886 and CVE-2009-1888. o CVE-2009-1886: In Samba 3.2.0 to 3.2.12 (inclusive), the smbclient commands dealing with file names treat user input as a format string to asprintf. With a maliciously crafted file name smbclient can be made to execute code triggered by the server.

Release Announcements ===================== This is a security release in order to address CVE-2009-1886 and CVE-2009-1888. o CVE-2009-1886: In Samba 3.2.0 to 3.2.12 (inclusive), the smbclient commands dealing with file names treat user input as a format string to asprintf. With a maliciously crafted file name smbclient can be made to execute code triggered by the server.

We've had a number of changes since the last release, and we have some other upcoming kernel changes that might require corresponding cifs-utils changes. So it's probably as good a time as any for a new release. Highlights: + fix for a minor security issue that can corrupt the mtab + new getcifsacl/setcifsacl tools that allow you to fetch and set raw Windows ACLs via an xattr. + a

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Time for another cifs-utils release! Nothing terribly earth shattering here. Some distros (like Fedora) are moving krb5 credcaches out of /tmp by default. Users of these distros will definitely want to upgrade. Highlights: * Fixes for mounting with '/' in usernames with sec=krb5 * Support for DIR: type krb5 ccaches * support for

Release Announcements --------------------- This are security releases in order to address the following defects: o CVE-2022-2127:? When winbind is used for NTLM authentication, a maliciously ????????????????? crafted request can trigger an out-of-bounds read in winbind ????????????????? and possibly crash it. https://www.samba.org/samba/security/CVE-2022-2127.html o CVE-2023-3347:? SMB2

Release Announcements --------------------- This are security releases in order to address the following defects: o CVE-2022-2127:? When winbind is used for NTLM authentication, a maliciously ????????????????? crafted request can trigger an out-of-bounds read in winbind ????????????????? and possibly crash it. https://www.samba.org/samba/security/CVE-2022-2127.html o CVE-2023-3347:? SMB2

Release Announcements --------------------- Samba 4.1.6, 4.0.16 and 3.6.23 have been issued as security releases in order to address CVE-2013-4496 (Password lockout not enforced for SAMR password changes) and CVE-2013-6442 (smbcacls can remove a file or directory ACL by mistake). Please note that Samba 3.6.23 is not affected by CVE-2013-6442. o CVE-2013-4496: Samba versions 3.4.0 and above

Release Announcements --------------------- Samba 4.1.6, 4.0.16 and 3.6.23 have been issued as security releases in order to address CVE-2013-4496 (Password lockout not enforced for SAMR password changes) and CVE-2013-6442 (smbcacls can remove a file or directory ACL by mistake). Please note that Samba 3.6.23 is not affected by CVE-2013-6442. o CVE-2013-4496: Samba versions 3.4.0 and above

Hi folks. We were made aware of a MITRE CVE assignment on OpenSSH for a remote DoS in sftp, described as: The (1) remote_glob function in sftp-glob.c and the (2) process_put function in sftp.c in OpenSSH 5.8 and earlier, as used in FreeBSD 7.3 and 8.1, NetBSD 5.0.2, OpenBSD 4.7, and other products, allow remote authenticated users to cause a denial of service (CPU and memory consumption) via

libvorbis 1.3.6 has been released. This release fixes several vulnerabilities, including CVE-2018-5146, that could allow code execution from a specially crafted Ogg Vorbis file. * Fix CVE-2018-5146 - out-of-bounds write on codebook decoding. * Fix CVE-2017-14632 - free() on unitialized data * Fix CVE-2017-14633 - out-of-bounds read * Fix bitrate metadata parsing. * Fix out-of-bounds read in

libvorbis 1.3.6 has been released. This release fixes several vulnerabilities, including CVE-2018-5146, that could allow code execution from a specially crafted Ogg Vorbis file. * Fix CVE-2018-5146 - out-of-bounds write on codebook decoding. * Fix CVE-2017-14632 - free() on unitialized data * Fix CVE-2017-14633 - out-of-bounds read * Fix bitrate metadata parsing. * Fix out-of-bounds read in

Release Announcements ===================== Samba 3.5.10, 3.4.14 and 3.3.16 are security releases in order to address CVE-2011-2522 (Cross-Site Request Forgery in SWAT) and CVE-2011-2694 (Cross-Site Scripting vulnerability in SWAT). o CVE-2011-2522: The Samba Web Administration Tool (SWAT) in Samba versions 3.0.x to 3.5.9 are affected by a cross-site request forgery. o CVE-2011-2694:

Release Announcements ===================== Samba 3.5.10, 3.4.14 and 3.3.16 are security releases in order to address CVE-2011-2522 (Cross-Site Request Forgery in SWAT) and CVE-2011-2694 (Cross-Site Scripting vulnerability in SWAT). o CVE-2011-2522: The Samba Web Administration Tool (SWAT) in Samba versions 3.0.x to 3.5.9 are affected by a cross-site request forgery. o CVE-2011-2694: