svn commit: samba-web r1226 - in trunk: . history security

kseeger at samba.org kseeger at samba.org
Wed Aug 27 15:05:53 GMT 2008


Author: kseeger
Date: 2008-08-27 15:05:52 +0000 (Wed, 27 Aug 2008)
New Revision: 1226

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba-web&rev=1226

Log:
-Announce Samba 3.2.3
-Fix link to 3.0.32
Karolin
Added:
   trunk/history/samba-3.2.3.html
   trunk/security/CVE-2008-3789.html
Modified:
   trunk/header_columns.html
   trunk/history/security.html
   trunk/index.html


Changeset:
Modified: trunk/header_columns.html
===================================================================
--- trunk/header_columns.html	2008-08-27 09:02:05 UTC (rev 1225)
+++ trunk/header_columns.html	2008-08-27 15:05:52 UTC (rev 1226)
@@ -130,14 +130,14 @@
   <div class="releases">
     <h4>Current Stable Release</h4>
     <ul>
-    <li><a href="/samba/ftp/stable/samba-3.2.2.tar.gz">Samba 3.2.2 (gzipped)</a></li>
-    <li><a href="/samba/history/samba-3.2.2.html">Release Notes</a></li>
-    <li><a href="/samba/ftp/stable/samba-3.2.2.tar.asc">Signature</a></li>
+    <li><a href="/samba/ftp/stable/samba-3.2.3.tar.gz">Samba 3.2.3 (gzipped)</a></li>
+    <li><a href="/samba/history/samba-3.2.3.html">Release Notes</a></li>
+    <li><a href="/samba/ftp/stable/samba-3.2.3.tar.asc">Signature</a></li>
     </ul>
     
     <h4>Historical</h4>
     <ul>
-    <li><a href="/samba/ftp/stable/samba-3.0.31.tar.gz">Samba 3.0.32 (gzipped)</a></li>
+    <li><a href="/samba/ftp/stable/samba-3.0.32.tar.gz">Samba 3.0.32 (gzipped)</a></li>
     <li><a href="/samba/history/samba-3.0.32.html">Release Notes</a></li>
     <li><a href="/samba/ftp/stable/samba-3.0.32.tar.asc">Signature</a></li>
     </ul>

Added: trunk/history/samba-3.2.3.html
===================================================================
--- trunk/history/samba-3.2.3.html	2008-08-27 09:02:05 UTC (rev 1225)
+++ trunk/history/samba-3.2.3.html	2008-08-27 15:05:52 UTC (rev 1226)
@@ -0,0 +1,48 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+   <H2>Samba 3.2.3 Available for Download</H2>
+
+<p>
+<pre>
+                   ==============================
+                   Release Notes for Samba 3.2.3
+			  August, 27 2008
+                   ==============================
+
+This is a security release in order to address CVE-2008-3789 ("Wrong
+permissions of group_mapping.ldb").
+
+   o CVE-2008-3789
+     The file group_mapping.ldb is created with
+     the permissions 0666. That means everyone
+     is able to edit this file and might map any
+     SID to root.
+
+The original security announcement for this and past advisories can
+be found http://www.samba.org/samba/security/
+
+
+######################################################################
+Changes
+#######
+
+Changes since 3.2.2
+-------------------
+
+o   Andrew Tridgell <tridge at samba.org>
+    * Fix for CVE-2008-3789.
+
+</pre>
+<p>Please refer to the original <a href="/samba/history/samba-3.2.2.html">Samba
+3.2.2 Release Notes</a> for more details regarding changes in
+previous releases.</p>
+</body>
+</html>
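Review bot: the `<p>` opened just before `<pre>` is never closed, and `<pre>` is a block element that cannot sit inside `<p>` in XHTML 1.0 Transitional, so the page will not validate; drop that `<p>` (the closing `</p>` after the pre block belongs to the next paragraph, which is fine). In the same file, `<H2>` should be lowercase `<h2>`, since XHTML element names are case-sensitive. Inside the pre block the date line is tab-indented and reads `August, 27 2008` while the banner lines around it use spaces; write it as `August 27, 2008` indented with spaces so it aligns. The sentence "The original security announcement for this and past advisories can be found http://www.samba.org/samba/security/" is missing "at" before the URL. Separately, the property change below sets `svn:executable` on this HTML file, which looks unintended for a static page.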


Property changes on: trunk/history/samba-3.2.3.html
___________________________________________________________________
Name: svn:executable
   + *

Modified: trunk/history/security.html
===================================================================
--- trunk/history/security.html	2008-08-27 09:02:05 UTC (rev 1225)
+++ trunk/history/security.html	2008-08-27 15:05:52 UTC (rev 1226)
@@ -21,6 +21,14 @@
 	<td><em>Details</em></td>
       </tr>
 
+    <tr>
+        <td>27 August 2008</td>
+        <td><a href="/samba/ftp/patches/security/samba-3.2.2-CVE-2008-3789-1.patch">patch 1 for Samba 3.2.2</a><a href="/samba/ftp/patches/security/samba-3.2.2-CVE-2008-3789-2.patch">patch 2 for Samba 3.2.2</a></td>
+        <td>Wrong permissions of group_mapping.ldb</td>
+        <td>Samba 3.2.0 - 3.2.2</td>
+        <td><a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3789">CVE-2008-3789</a></td>
+        <td><a href="/samba/security/CVE-2008-3789.html">Announcement</a></td>
+    </tr>
 
     <tr>
         <td>29 May 2008</td>
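Review bot: in the patch cell of the new row, the two `<a>` elements are written back to back with nothing between them, so the table renders the link text as one run, "patch 1 for Samba 3.2.2patch 2 for Samba 3.2.2", and the reader cannot tell where one link ends. Put a `<br />` (or at least ", ") between the two anchors, matching how the other rows in this table separate multiple patch links.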

Modified: trunk/index.html
===================================================================
--- trunk/index.html	2008-08-27 09:02:05 UTC (rev 1225)
+++ trunk/index.html	2008-08-27 15:05:52 UTC (rev 1226)
@@ -19,6 +19,24 @@
 
     <h2>Current Release</h2>
 
+
+    <h4><a name="latest">27 August 2008</a></h4>
+    <p class="headline">Samba 3.2.3 Available for Download</p>
+
+    <p>This is a security release to address CVE-2008-3789.  The
+    <a href="/samba/security/CVE-2008-3789.html">original advisory</a>
+    is available online.  Patches <a href="/samba/ftp/patches/security/samba-3.2.2-
+    CVE-2008-3789-1.patch">patch 1 for Samba 3.2.2</a> and
+    <a href="/samba/ftp/patches/security/samba-3.2.2-CVE-2008-3789-2.patch">
+    patch 2 for Samba 3.2.2</a> are available.  This security
+    advisory is applicable to all Samba 3.2.x releases to date. Past security
+    advisories are available on our <a href="/samba/security/">security page</a>.</p>
+
+    <p>The uncompressed tarballs and patch files have been signed
+    using GnuPG (ID 6568B7EA).  The source code can be
+    <a href="/samba/ftp/stable/samba-3.2.3.tar.gz">downloaded now</a>.
+    See <a href="/samba/history/samba-3.2.3.html">the release notes for more info</a>.</p>
+
     <h4><a>26 August 2008</a></h4>
     <p class="headline">Samba 3.3.0pre1 Available for Download</p>
 
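Review bot: the href of the first patch link is split across a line break (`samba-3.2.2-` on one line, `CVE-2008-3789-1.patch` on the next), which embeds a newline and the following indentation inside the URL; browsers drop the newline but keep the spaces, so the link resolves to a path with encoded whitespace and will 404. Keep the href on a single line, as the second patch link already does. Moving `name="latest"` onto this 27 August entry is consistent with its removal from the 19 August entry in the next hunk.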
@@ -61,7 +79,7 @@
     release notes for more info</a>.</p>
 
 
-    <h4><a name="latest">19 August 2008</a></h4>
+    <h4>19 August 2008</h4>
     <p class="headline">Samba 3.2.2 Available for Download</p>
 
     <p>This is the latest bug fix release for Samba 3.2 and is the

Added: trunk/security/CVE-2008-3789.html
===================================================================
--- trunk/security/CVE-2008-3789.html	2008-08-27 09:02:05 UTC (rev 1225)
+++ trunk/security/CVE-2008-3789.html	2008-08-27 15:05:52 UTC (rev 1226)
@@ -0,0 +1,86 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+   <H2>CVE-2008-3789: Wrong permissions of group_mapping.ldb</H2>
+
+<p>
+<pre>
+==========================================================
+== Subject:     Wrong permissions of group_mapping.ldb
+==
+== CVE ID#:     CVE-2008-3789
+==
+== Versions:    Samba 3.2.0 - 3.2.2 (inclusive)
+==
+== Summary:     The file group_mapping.ldb is created with
+==              the permsissions 0666. That means everyone
+==		is able to edit this file and might map any
+==		SID to root.
+==
+==========================================================
+
+===========
+Description
+===========
+
+The file group_mapping.ldb is created with the permissions 0666. That means
+everyone is able to edit this file and gain additional access rights while
+connecting remotely to the Samba server. By manipulating the SID mappings
+contained in this file, it is also possible to establish a connection that runs
+in the privileged root context.
+
+
+==================
+Patch Availability
+==================
+
+Two patches addressing this defect has been posted to
+
+  http://www.samba.org/samba/security/
+
+Additionally, Samba 3.2.3 has been issued as a security
+release to correct the defect.  Samba administrators are
+advised to upgrade to 3.2.3 or apply the patch as soon
+as possible.
+
+
+==========
+Workaround
+==========
+
+As a temporary workaround file permissions of the group_mapping.ldb can be set
+to 0600 manually.  Note that these permissions are discarded by newly created
+group_mapping.ldb files.
+
+
+=======
+Credits
+=======
+
+This issue was initially reported as a Debian bug #496073.
+
+The time line is as follows:
+
+* August 22, 2008: Initial report at
+  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496073.
+* August 23, 2008: Initial report at http://bugzilla.samba.org.
+* August 25, 2008: First response from Samba developers confirming
+  the bug along with a proposed patch.
+* August 26, 2008: Samba developers added additional patch.
+* August 27, 2008: Public security advisory made available.
+
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+</pre>
+</body>
+</html>
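Review bot: the Summary block has a typo, "permsissions" for "permissions", and its last two continuation lines are tab-indented while the rest of the block uses spaces, so the `==` column will not line up in the rendered pre block; use spaces throughout. Under Patch Availability, "Two patches addressing this defect has been posted" should read "have been posted". The Workaround sentence "these permissions are discarded by newly created group_mapping.ldb files" is hard to parse; say instead that a newly created group_mapping.ldb is again written with mode 0666, so the 0600 change has to be reapplied. In the timeline, the August 23 entry repeats "Initial report" from the August 22 entry; "Report filed at http://bugzilla.samba.org" would distinguish the two. Finally, as in the release-notes file, the `<p>` before `<pre>` is never closed and `<H2>` should be lowercase for valid XHTML.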


