svn commit: samba-web r1247 - in trunk: . devel history security
kseeger at samba.org
kseeger at samba.org
Thu Nov 27 10:58:17 GMT 2008
Author: kseeger
Date: 2008-11-27 10:58:16 +0000 (Thu, 27 Nov 2008)
New Revision: 1247
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba-web&rev=1247
Log:
Announce Samba 3.0.33 and 3.2.5.
Karolin
Added:
trunk/history/samba-3.0.33.html
trunk/history/samba-3.2.5.html
trunk/security/CVE-2008-4314.html
Modified:
trunk/devel/index.html
trunk/header_columns.html
trunk/history/header_history.html
trunk/history/index.html
trunk/history/security.html
trunk/index.html
Changeset:
Modified: trunk/devel/index.html
===================================================================
--- trunk/devel/index.html 2008-10-15 19:55:15 UTC (rev 1246)
+++ trunk/devel/index.html 2008-11-27 10:58:16 UTC (rev 1247)
@@ -20,8 +20,8 @@
3.0.x and 2.2.x versions of Samba, which are no longer in active development.
</p>
-<p>The latest production release is <em>Samba 3.2.4</em> (<a
-href="/samba/history/samba-3.2.4.html">release notes</a> and <a
+<p>The latest production release is <em>Samba 3.2.5</em> (<a
+href="/samba/history/samba-3.2.5.html">release notes</a> and <a
href="/samba/download/">download</a>).</p>
<p>With the release of version 3 of the GPL, the Samba Team has decided to
@@ -60,12 +60,13 @@
</li>
<li>
<h4><em>v3-0-test</em></h4>
- <p>This is the current branch for 3.0.x development
+ <p>This is the current branch for 3.0.x maintenance
(critical bugfix and security fixes <em>only</em>).</p>
</li>
<li>
<h4><em>v3-0-stable</em></h4>
- <p>This branch is not used any longer.</p>
+ <p>This is the current branch for 3.0.x maintenance releases.
+ (critical bugfix and security fixes <em>only</em>).</p>
</li>
<li>
<h4><em>v3-2-test</em></h4>
Modified: trunk/header_columns.html
===================================================================
--- trunk/header_columns.html 2008-10-15 19:55:15 UTC (rev 1246)
+++ trunk/header_columns.html 2008-11-27 10:58:16 UTC (rev 1247)
@@ -130,16 +130,16 @@
<div class="releases">
<h4>Current Stable Release</h4>
<ul>
- <li><a href="/samba/ftp/stable/samba-3.2.4.tar.gz">Samba 3.2.4 (gzipped)</a></li>
- <li><a href="/samba/history/samba-3.2.4.html">Release Notes</a></li>
- <li><a href="/samba/ftp/stable/samba-3.2.4.tar.asc">Signature</a></li>
+ <li><a href="/samba/ftp/stable/samba-3.2.5.tar.gz">Samba 3.2.5 (gzipped)</a></li>
+ <li><a href="/samba/history/samba-3.2.5.html">Release Notes</a></li>
+ <li><a href="/samba/ftp/stable/samba-3.2.5.tar.asc">Signature</a></li>
</ul>
<h4>Historical</h4>
<ul>
- <li><a href="/samba/ftp/stable/samba-3.0.32.tar.gz">Samba 3.0.32 (gzipped)</a></li>
- <li><a href="/samba/history/samba-3.0.32.html">Release Notes</a></li>
- <li><a href="/samba/ftp/stable/samba-3.0.32.tar.asc">Signature</a></li>
+ <li><a href="/samba/ftp/stable/samba-3.0.33.tar.gz">Samba 3.0.33 (gzipped)</a></li>
+ <li><a href="/samba/history/samba-3.0.33.html">Release Notes</a></li>
+ <li><a href="/samba/ftp/stable/samba-3.0.33.tar.asc">Signature</a></li>
</ul>
<h4>Maintenance</h4>
Modified: trunk/history/header_history.html
===================================================================
--- trunk/history/header_history.html 2008-10-15 19:55:15 UTC (rev 1246)
+++ trunk/history/header_history.html 2008-11-27 10:58:16 UTC (rev 1247)
@@ -77,11 +77,13 @@
<div class="notes">
<h6>Release Notes</h6>
<ul>
+ <li><a href="samba-3.2.5.html">samba-3.2.5</a></li>
<li><a href="samba-3.2.4.html">samba-3.2.4</a></li>
<li><a href="samba-3.2.3.html">samba-3.2.3</a></li>
<li><a href="samba-3.2.2.html">samba-3.2.2</a></li>
<li><a href="samba-3.2.1.html">samba-3.2.1</a></li>
<li><a href="samba-3.2.0.html">samba-3.2.0</a></li>
+ <li><a href="samba-3.0.33.html">samba-3.0.33</a></li>
<li><a href="samba-3.0.32.html">samba-3.0.32</a></li>
<li><a href="samba-3.0.31.html">samba-3.0.31</a></li>
<li><a href="samba-3.0.30.html">samba-3.0.30</a></li>
Modified: trunk/history/index.html
===================================================================
--- trunk/history/index.html 2008-10-15 19:55:15 UTC (rev 1246)
+++ trunk/history/index.html 2008-11-27 10:58:16 UTC (rev 1247)
@@ -6,8 +6,8 @@
<div class="latest">
<ul>
- <li>Latest Release — <a href="/samba/#latest">Samba 3.2.4</a></li>
- <li>Current Stable Release — <a href="/samba/#latest">Samba 3.2.4</a></li>
+ <li>Latest Release — <a href="/samba/#latest">Samba 3.2.5</a></li>
+ <li>Current Stable Release — <a href="/samba/#latest">Samba 3.2.5</a></li>
<!-- Second link will point to #stable on this page when current release is a development release -->
</ul>
</div>
Added: trunk/history/samba-3.0.33.html
===================================================================
--- trunk/history/samba-3.0.33.html 2008-10-15 19:55:15 UTC (rev 1246)
+++ trunk/history/samba-3.0.33.html 2008-11-27 10:58:16 UTC (rev 1247)
@@ -0,0 +1,49 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+ <H2>Samba 3.0.33 Available for Download</H2>
+
+<p>
+<pre>
+ ==============================
+ Release Notes for Samba 3.0.33
+ November, 27 2008
+ ==============================
+
+
+This is a security release in order to address <a
+href="/samba/security/">CVE-2008-4314</a> ("Potential leak of
+arbitrary memory contents").
+
+ o CVE-2008-4314
+ Samba 3.0.29 to 3.2.4 can potentially leak
+ arbitrary memory contents to malicious
+ clients.
+
+The original security announcement for this and past advisories can
+be found http://www.samba.org/samba/security/
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.32
+--------------------
+
+
+o Volker Lendecke <vl at samba.org>
+ * Fix for CVE-2008-4314.
+</pre>
+
+<p>Please refer to the original <a href="/samba/history/samba-3.0.33.html">Samba
+3.0.32 Release Notes</a> for more details regarding changes in
+previous releases.</p>
+</body>
+</html>
Property changes on: trunk/history/samba-3.0.33.html
___________________________________________________________________
Name: svn:executable
+ *
Added: trunk/history/samba-3.2.5.html
===================================================================
--- trunk/history/samba-3.2.5.html 2008-10-15 19:55:15 UTC (rev 1246)
+++ trunk/history/samba-3.2.5.html 2008-11-27 10:58:16 UTC (rev 1247)
@@ -0,0 +1,48 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+ <H2>Samba 3.2.5 Available for Download</H2>
+
+<p>
+<pre>
+ ==============================
+ Release Notes for Samba 3.2.5
+ November, 27 2008
+ ==============================
+
+
+This is a security release in order to address <a
+href="/samba/security/">CVE-2008-4314</a> ("Potential leak of
+arbitrary memory contents").
+
+ o CVE-2008-4314
+ Samba 3.0.29 to 3.2.4 can potentially leak
+ arbitrary memory contents to malicious
+ clients.
+
+The original security announcement for this and past advisories can
+be found http://www.samba.org/samba/security/
+
+######################################################################
+Changes
+#######
+
+Changes since 3.2.4
+-------------------
+
+
+o Volker Lendecke <vl at samba.org>
+ * Fix for CVE-2008-4314.
+</pre>
+<p>Please refer to the original <a href="/samba/history/samba-3.2.4.html">Samba
+3.2.4 Release Notes</a> for more details regarding changes in
+previous releases.</p>
+</body>
+</html>
Property changes on: trunk/history/samba-3.2.5.html
___________________________________________________________________
Name: svn:executable
+ *
Modified: trunk/history/security.html
===================================================================
--- trunk/history/security.html 2008-10-15 19:55:15 UTC (rev 1246)
+++ trunk/history/security.html 2008-11-27 10:58:16 UTC (rev 1247)
@@ -22,7 +22,19 @@
</tr>
<tr>
- <td>27 August 2008</td>
+ <td>27 Nov 2008</td>
+ <td><a href="/samba/ftp/patches/security/samba-3.0.32-CVE-2008-4314.patch">
+ patch for Samba 3.0.32</a>
+ <a href="/samba/ftp/patches/security/samba-3.2.4-CVE-2008-4314.patch">
+ patch for Samba 3.2.4</a></td>
+ <td>Potential leak of arbitrary memory contents</td>
+ <td>Samba 3.0.29 - 3.2.4</td>
+ <td><a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4314">CVE-2008-4314</a></td>
+ <td><a href="/samba/security/CVE-2008-4314.html">Announcement</a></td>
+ </tr>
+
+ <tr>
+ <td>27 Aug 2008</td>
<td><a href="/samba/ftp/patches/security/samba-3.2.2-CVE-2008-3789-1.patch">
patch 1 for Samba 3.2.2</a>
<a href="/samba/ftp/patches/security/samba-3.2.2-CVE-2008-3789-2.patch">
Modified: trunk/index.html
===================================================================
--- trunk/index.html 2008-10-15 19:55:15 UTC (rev 1246)
+++ trunk/index.html 2008-11-27 10:58:16 UTC (rev 1247)
@@ -19,7 +19,39 @@
<h2>Current Release</h2>
+ <h4><a name="latest">27 November 2008</a></h4>
+ <p class="headline">Samba 3.2.5 Available for Download</p>
+
+ <p>This is a security release to address CVE-2008-4314. The
+ <a href="/samba/security/CVE-2008-4314">original advisory</a>
+ is available online. A
+ <a href="/samba/ftp/patches/security/samba-3.2.5-CVE-2008-4314.patch">
+ patch for Samba 3.2.4</a> is available. This security
+ advisory is applicable from Samba 3.0.29 to 3.2.4. Past security
+ advisories are available on our <a href="/samba/security/">security page</a>.</p>
+
+ <p>The uncompressed tarballs and patch files have been signed
+ using GnuPG (ID 6568B7EA). The source code can be
+ <a href="/samba/ftp/stable/samba-3.2.5.tar.gz">downloaded now</a>.
+ See <a href="/samba/history/samba-3.2.5.html">the release notes for more info</a>.</p>
+
+ <h4>27 November 2008</h4>
+ <p class="headline">Samba 3.0.33 Available for Download</p>
+
+ <p>This is a security release to address CVE-2008-4314. The
+ <a href="/samba/security/CVE-2008-4314">original advisory</a>
+ is available online. A
+ <a href="/samba/ftp/patches/security/samba-3.0.32-CVE-2008-4314.patch">
+ patch for Samba 3.0.32</a> is available. This security
+ advisory is applicable from Samba 3.0.29 to 3.2.4. Past security
+ advisories are available on our <a href="/samba/security/">security page</a>.</p>
+
+ <p>The uncompressed tarballs and patch files have been signed
+ using GnuPG (ID 6568B7EA). The source code can be
+ <a href="/samba/ftp/stable/samba-3.0.33.tar.gz">downloaded now</a>.
+ See <a href="/samba/history/samba-3.0.33.html">the release notes for more info</a>.</p>
<h4>2 October 2008</h4>
+
<p class="headline">Samba 3.3.0pre2 Available for Download</p>
<p>Samba 3.3.0pre2 is now available for download. This is a
@@ -47,7 +79,7 @@
be made available on a volunteer basis and can be found in the
<a href="/samba/ftp/Binary_Packages/">Binary_Packages download area</a>.</p>
- <h4><a name="latest">18 September 2008</a></h4>
+ <h4>18 September 2008</h4>
<p class="headline">Samba 3.2.4 Available for Download</p>
<p>This is the latest bug fix release for Samba 3.2 and is the
Added: trunk/security/CVE-2008-4314.html
===================================================================
--- trunk/security/CVE-2008-4314.html 2008-10-15 19:55:15 UTC (rev 1246)
+++ trunk/security/CVE-2008-4314.html 2008-11-27 10:58:16 UTC (rev 1247)
@@ -0,0 +1,84 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+ <H2>CVE-2008-4314: </H2>
+
+<p>
+<pre>
+===========================================================
+== Subject: Potential leak of arbitrary memory contents
+==
+== CVE ID#: CVE-2008-4314
+==
+== Versions: Samba 3.0.29 - 3.2.4 (inclusive)
+==
+== Summary: Samba 3.0.29 to 3.2.4 can potentially leak
+== arbitrary memory contents to malicious
+== clients
+==
+===========================================================
+
+===========
+Description
+===========
+
+Samba 3.0.29 and beyond contain a change to deal with gcc 4
+optimizations. Part of the change modified range checking for client-generated
+offsets of secondary trans, trans2 and nttrans requests. These requests are
+used to transfer arbitrary amounts of memory from clients to servers and back
+using small SMB requests and contain two offsets: One offset (A) pointing into
+the PDU sent by the client and one (B) to direct the transferred contents into
+the buffer built on the server side. While the range checking for offset (B) is
+correct, a cut&paste error lets offset (A) pass completely unchecked against
+overflow.
+
+The buffers passed into trans, trans2 and nttrans undergo higher-level
+processing like DCE/RPC requests or listing directories. The missing bounds
+check means that a malicious client can make the server do this higher-level
+processing on arbitrary memory contents of the smbd process handling the
+request. It is unknown if that can be abused to pass arbitrary memory contents
+back to the client, but an important barrier is missing from the affected Samba
+versions.
+
+
+==================
+Patch Availability
+==================
+
+A patch addressing this defect has been posted to
+
+ http://www.samba.org/samba/security/
+
+Additionally, Samba 3.2.5 and 3.0.33 have been issued as security
+releases to correct the defect. Samba administrators are
+advised to upgrade to 3.2.5 (or 3.0.33) or apply the patch as soon
+as possible.
+
+
+==========
+Workaround
+==========
+
+None.
+
+=======
+Credits
+=======
+
+This flaw was found during a code review internal to the Samba Team.
+
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+</pre>
+</body>
+</html>
More information about the samba-cvs
mailing list