svn commit: samba r14823 - in branches/SAMBA_3_0_RELEASE: . source source/nsswitch

jerry at samba.org jerry at samba.org
Thu Mar 30 14:22:09 GMT 2006


Author: jerry
Date: 2006-03-30 14:22:08 +0000 (Thu, 30 Mar 2006)
New Revision: 14823

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=14823

Log:
committing changes for 3.0.22
Modified:
   branches/SAMBA_3_0_RELEASE/WHATSNEW.txt
   branches/SAMBA_3_0_RELEASE/source/VERSION
   branches/SAMBA_3_0_RELEASE/source/nsswitch/winbindd_cm.c


Changeset:
Modified: branches/SAMBA_3_0_RELEASE/WHATSNEW.txt
===================================================================
--- branches/SAMBA_3_0_RELEASE/WHATSNEW.txt	2006-03-30 13:56:25 UTC (rev 14822)
+++ branches/SAMBA_3_0_RELEASE/WHATSNEW.txt	2006-03-30 14:22:08 UTC (rev 14823)
@@ -1,3 +1,42 @@
+                   ==============================
+                   Release Notes for Samba 3.0.22
+                            Mar 30, 2006
+                   ==============================
+
+This is a security release of Samba. The Samba 3.0.21 release 
+series (including the patch releases a through c) has been 
+discovered to expose the clear text of the server's machine 
+account credentials in the winbind log files when the log 
+level is set to 5 or higher.  This defect has been assigned 
+the CVE number CAN-2006-1059.
+
+Summary
+=======
+
+The machine trust account password is the secret shared
+between a domain controller and a specific member server.
+Access to the member server machine credentials allows
+an attacker to impersonate the server in the domain and 
+gain access to additional information regarding domain 
+users and groups.
+
+The winbindd daemon included in Samba 3.0.21 and subsequent
+patch releases (3.0.21a-c) writes the clear text of server's
+machine credentials to its log file at level 5.  The winbindd
+log files are world readable by default and often log files
+are requested on open mailing lists as tools used to debug
+server misconfigurations.
+
+This affects servers configured to use domain or ads security
+and possibly Samba domain controllers as well (if configured
+to use winbindd).
+
+=======
+
+Release Notes for older release follow:
+
+      --------------------------------------------------
+
                    ===============================
                    Release Notes for Samba 3.0.21c
                               Feb 24, 2006
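Review bot: The new 3.0.22 notes end at the "This affects servers configured to use domain or ads security" paragraph without telling administrators what to do about exposure that has already happened. The text itself says the password was written in clear text at log level 5, that winbindd logs are world readable by default, and that logs are often posted to open mailing lists, so upgrading alone leaves any already-logged secret valid. I'd add a short paragraph advising affected sites to change the machine trust account password after upgrading and to remove or restrict access to existing winbindd log files. Minor: the bare "=======" line before "Release Notes for older release follow:" reads like a heading underline with no heading above it and could be dropped.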
@@ -3,9 +42,4 @@
                    ===============================
 
-This is the latest stable release of Samba. This is the version
-that production Samba servers should be running for all current
-bug-fixes.  Please read the following important changes in this
-release.
-
 Common bugs fixed in 3.0.21c include:
 
@@ -122,9 +156,6 @@
       connection code in winbindd.
 
 
-
-Release Notes for older release follow:
-
       --------------------------------------------------
                    ===============================
                    Release Notes for Samba 3.0.21b

Modified: branches/SAMBA_3_0_RELEASE/source/VERSION
===================================================================
--- branches/SAMBA_3_0_RELEASE/source/VERSION	2006-03-30 13:56:25 UTC (rev 14822)
+++ branches/SAMBA_3_0_RELEASE/source/VERSION	2006-03-30 14:22:08 UTC (rev 14823)
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=3
 SAMBA_VERSION_MINOR=0
-SAMBA_VERSION_RELEASE=21
+SAMBA_VERSION_RELEASE=22
 
 ########################################################
 # If a official release has a serious bug              #
@@ -37,7 +37,7 @@
 # e.g. SAMBA_VERSION_REVISION=a                        #
 #  ->  "2.2.8a"                                        #
 ########################################################
-SAMBA_VERSION_REVISION=c
+SAMBA_VERSION_REVISION=
 
 ########################################################
 # For 'pre' releases the version will be               #

Modified: branches/SAMBA_3_0_RELEASE/source/nsswitch/winbindd_cm.c
===================================================================
--- branches/SAMBA_3_0_RELEASE/source/nsswitch/winbindd_cm.c	2006-03-30 13:56:25 UTC (rev 14822)
+++ branches/SAMBA_3_0_RELEASE/source/nsswitch/winbindd_cm.c	2006-03-30 14:22:08 UTC (rev 14823)
@@ -294,7 +294,7 @@
 
 		DEBUG(5, ("connecting to %s from %s with username "
 			  "[%s]\\[%s]\n",  controller, global_myname(),
-			  machine_account, machine_password));
+			  lp_workgroup(), machine_account));
 
 		ads_status = cli_session_setup_spnego(*cli,
 						      machine_account, 
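Review bot: In the DEBUG(5, ...) call, removing machine_password from the argument list is the right fix, and the new arguments (lp_workgroup(), machine_account) now match the "[%s]\\[%s]" domain\user format, but nothing in the hunk guards against the same mistake returning. I'd add a one-line comment above the DEBUG stating that machine_password must never be passed to a log call. Since this commit changes only this one call site in winbindd_cm.c, it is also worth checking the remaining DEBUG statements in the winbindd connection code for the same variable before the release is tagged.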


