svn commit: samba-web r1255 - in trunk: . devel history security
kseeger at samba.org
Mon Jan 5 09:28:11 GMT 2009
Author: kseeger
Date: 2009-01-05 09:28:10 +0000 (Mon, 05 Jan 2009)
New Revision: 1255
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba-web&rev=1255
Log:
Announce Samba 3.2.7
Karolin
Added:
trunk/history/samba-3.2.7.html
trunk/security/CVE-2009-0022.html
Modified:
trunk/devel/index.html
trunk/header_columns.html
trunk/history/header_history.html
trunk/history/security.html
trunk/index.html
Changeset:
Modified: trunk/devel/index.html
===================================================================
--- trunk/devel/index.html 2008-12-18 22:09:22 UTC (rev 1254)
+++ trunk/devel/index.html 2009-01-05 09:28:10 UTC (rev 1255)
@@ -20,8 +20,8 @@
3.0.x and 2.2.x versions of Samba, which are no longer in active development.
</p>
-<p>The latest production release is <em>Samba 3.2.6</em> (<a
-href="/samba/history/samba-3.2.6.html">release notes</a> and <a
+<p>The latest production release is <em>Samba 3.2.7</em> (<a
+href="/samba/history/samba-3.2.7.html">release notes</a> and <a
href="/samba/download/">download</a>).</p>
<p>With the release of version 3 of the GPL, the Samba Team has decided to
Modified: trunk/header_columns.html
===================================================================
--- trunk/header_columns.html 2008-12-18 22:09:22 UTC (rev 1254)
+++ trunk/header_columns.html 2009-01-05 09:28:10 UTC (rev 1255)
@@ -130,9 +130,9 @@
<div class="releases">
<h4>Current Stable Release</h4>
<ul>
- <li><a href="/samba/ftp/stable/samba-3.2.6.tar.gz">Samba 3.2.6 (gzipped)</a></li>
- <li><a href="/samba/history/samba-3.2.6.html">Release Notes</a></li>
- <li><a href="/samba/ftp/stable/samba-3.2.6.tar.asc">Signature</a></li>
+ <li><a href="/samba/ftp/stable/samba-3.2.7.tar.gz">Samba 3.2.7 (gzipped)</a></li>
+ <li><a href="/samba/history/samba-3.2.7.html">Release Notes</a></li>
+ <li><a href="/samba/ftp/stable/samba-3.2.7.tar.asc">Signature</a></li>
</ul>
<h4>Historical</h4>
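Review bot: The "Signature" link in the updated list points at samba-3.2.7.tar.asc while the download next to it is samba-3.2.7.tar.gz, so the signature covers the uncompressed tarball and will not verify against the file as downloaded. Consider labelling the link to say so (for example "Signature (for the uncompressed tarball)"), since the explanation currently lives only in the news item on index.html.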
Modified: trunk/history/header_history.html
===================================================================
--- trunk/history/header_history.html 2008-12-18 22:09:22 UTC (rev 1254)
+++ trunk/history/header_history.html 2009-01-05 09:28:10 UTC (rev 1255)
@@ -77,6 +77,7 @@
<div class="notes">
<h6>Release Notes</h6>
<ul>
+ <li><a href="samba-3.2.7.html">samba-3.2.7</a></li>
<li><a href="samba-3.2.6.html">samba-3.2.6</a></li>
<li><a href="samba-3.2.5.html">samba-3.2.5</a></li>
<li><a href="samba-3.2.4.html">samba-3.2.4</a></li>
Added: trunk/history/samba-3.2.7.html
===================================================================
--- trunk/history/samba-3.2.7.html 2008-12-18 22:09:22 UTC (rev 1254)
+++ trunk/history/samba-3.2.7.html 2009-01-05 09:28:10 UTC (rev 1255)
@@ -0,0 +1,48 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+ <H2>Samba 3.2.7 Available for Download</H2>
+
+<p>
+<pre>
+ ==============================
+ Release Notes for Samba 3.2.7
+ January, 05 2009
+ ==============================
+
+
+This is a security release in order to address <a
+href="/samba/security/">CVE-2009-0022</a>.
+
+ o CVE-2009-0022
+ In Samba 3.2.0 to 3.2.6, in setups with registry shares enabled,
+ access to the root filesystem ("/") is granted
+ when connecting to a share called "" (empty string)
+ using old versions of smbclient (before 3.0.28).
+
+The original security announcement for this and past advisories can
+be found http://www.samba.org/samba/security/
+
+######################################################################
+Changes
+#######
+
+Changes since 3.2.6
+-------------------
+
+
+o Michael Adam <obnox at samba.org>
+ * Fix for CVE-2009-0022.
+</pre>
+<p>Please refer to the original <a href="/samba/history/samba-3.2.6.html">Samba
+3.2.6 Release Notes</a> for more details regarding changes in
+previous releases.</p>
+</body>
+</html>
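Review bot: In the added release notes the link with the text CVE-2009-0022 has href="/samba/security/", the index page, while the other files in this commit link to /samba/security/CVE-2009-0022.html; pointing it at the announcement itself would be consistent. In the same file, <obnox at samba.org> sits unescaped inside the <pre> block and should be written with &lt; and &gt; in an XHTML document, the <p> opened just before <pre> is never closed, the upper-case <H2> does not match the XHTML doctype, and "can be found http://..." is missing "at".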
Property changes on: trunk/history/samba-3.2.7.html
___________________________________________________________________
Name: svn:executable
+ *
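Review bot: svn:executable is set on trunk/history/samba-3.2.7.html, a static HTML page, while the other file added in this commit, trunk/security/CVE-2009-0022.html, shows no such property change. If nothing on the web server depends on the executable bit, drop the property; if something does, the new advisory page probably needs it as well, and either way the two new files should be treated the same.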
Modified: trunk/history/security.html
===================================================================
--- trunk/history/security.html 2008-12-18 22:09:22 UTC (rev 1254)
+++ trunk/history/security.html 2009-01-05 09:28:10 UTC (rev 1255)
@@ -22,6 +22,15 @@
</tr>
<tr>
+ <td>05 Jan 2009</td>
+ <td><a href="/samba/ftp/patches/security/samba-3.2.6-CVE-2009-0022.patch">
+ patch for Samba 3.0.6</a>
+ <td>Potential access to "/" in setups with registry shares enabled</td>
+ <td>Samba 3.2.0 - 3.2.6</td>
+ <td><a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0022">CVE-2009-0022</a></td>
+ <td><a href="/samba/security/CVE-2009-0022.html">Announcement</a></td>
+ </tr>
+ <tr>
<td>27 Nov 2008</td>
<td><a href="/samba/ftp/patches/security/samba-3.0.32-CVE-2008-4314.patch">
patch for Samba 3.0.32</a>
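Review bot: The link text in the new row reads "patch for Samba 3.0.6", but the href is samba-3.2.6-CVE-2009-0022.patch and the row lists Samba 3.2.0 - 3.2.6 as affected, so the text should read "patch for Samba 3.2.6". A reader skimming the table for their version could otherwise conclude the patch is for the 3.0 series. The <td> holding that link also has no closing </td> before the next cell.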
Modified: trunk/index.html
===================================================================
--- trunk/index.html 2008-12-18 22:09:22 UTC (rev 1254)
+++ trunk/index.html 2009-01-05 09:28:10 UTC (rev 1255)
@@ -19,6 +19,22 @@
<h2>Current Release</h2>
+ <h4><a name="latest">05 January 2009</a></h4>
+ <p class="headline">Samba 3.2.7 Available for Download</p>
+
+ <p>This is a security release to address CVE-2009-0022. The
+ <a href="/samba/security/CVE-2009-0022.html">original advisory</a>
+ is available online. A
+ <a href="/samba/ftp/patches/security/samba-3.2.6-CVE-2009-0022.patch">
+ patch for Samba 3.2.6</a> is available. This security
+ advisory is applicable from Samba 3.2.0 to 3.2.6. Past security
+ advisories are available on our <a href="/samba/security/">security page</a>.</p>
+
+ <p>The uncompressed tarballs and patch files have been signed
+ using GnuPG (ID 6568B7EA). The source code can be
+ <a href="/samba/ftp/stable/samba-3.2.7.tar.gz">downloaded now</a>.
+ See <a href="/samba/history/samba-3.2.7.html">the release notes for more info</a>.</p>
+
<h4>15 December 2008</h4>
<p class="headline">Samba 3.3.0rc2 Available for Download</p>
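Review bot: The second added paragraph identifies the signing key only by the short ID 6568B7EA. A 32-bit key ID can be shared by more than one key, so it would be better to give the full fingerprint here or link to the published key, so that readers have something they can check the tarball and patch signatures against.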
@@ -46,7 +62,7 @@
be made available on a volunteer basis and can be found in the
<a href="/samba/ftp/Binary_Packages/">Binary_Packages download area</a>.</p>
- <h4><a name="latest">10 December 2008</a></h4>
+ <h4>10 December 2008</h4>
<p class="headline">Samba 3.2.6 Available for Download</p>
<p>This is the latest bug fix release for Samba 3.2 and is the
Added: trunk/security/CVE-2009-0022.html
===================================================================
--- trunk/security/CVE-2009-0022.html 2008-12-18 22:09:22 UTC (rev 1254)
+++ trunk/security/CVE-2009-0022.html 2009-01-05 09:28:10 UTC (rev 1255)
@@ -0,0 +1,82 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+ <H2>CVE-2009-0022: Potential access to "/" in setups with registry
+ shares enabled</H2>
+
+<p>
+<pre>
+==========================================================
+== Subject: Potential access to "/" in setups with
+== registry shares enabled
+==
+== CVE ID#: CVE-2009-0022
+==
+== Versions: Samba 3.2.0 - 3.2.6 (inclusive)
+==
+== Summary: In setups with registry shares enabled,
+== access to the root filesystem ("/") is granted
+== when connecting to a share called "" (empty string)
+== using old versions of smbclient.
+==
+==========================================================
+
+===========
+Description
+===========
+
+When connecting to a share called "" (empty string) using an older
+version of smbclient (before 3.0.28) for example with:
+
+ 'smbclient //server/ -U user%pass'
+
+access to the root filesystem is granted with the privileges of the
+authenticated user. This only happens in setups with registry shares
+enabled by setting "registry shares = yes" which is implicitly set with
+"include = registry" and "config backend = registry",
+but is not the default.
+
+
+==================
+Patch Availability
+==================
+
+A patch addressing this defect has been posted to
+
+ http://www.samba.org/samba/security/
+
+Additionally, Samba 3.2.7 has been issued as a security
+release to correct the defect. Samba administrators are
+advised to upgrade to 3.2.7 or apply the patch as soon
+as possible when "registry shares" is set to "yes".
+
+
+==========
+Workaround
+==========
+
+As a workaround, registry shares can be disabled using "registry shares = no".
+
+
+=======
+Credits
+=======
+
+This issue was found and reported to the Samba Team by
+Gunter Höckel <Gunter.Hoeckel at fujitsu-siemens.com>.
+
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+</pre>
+</body>
+</html>
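Review bot: The Workaround section says only to set "registry shares = no", yet the Description states that the option is implicitly enabled by "include = registry" and "config backend = registry". The advisory should say whether an explicit "registry shares = no" is enough in those two setups or whether those settings have to be removed as well, since administrators using them are exactly the affected audience. The Summary box also says "old versions of smbclient" without the "before 3.0.28" bound that the Description gives. On markup, <Gunter.Hoeckel at fujitsu-siemens.com> is unescaped inside <pre>, the <p> before <pre> is never closed, and the <head> declares no charset although the Credits line contains a non-ASCII character.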