[SCM] Samba Website Repository - branch master updated

Karolin Seeger kseeger at samba.org
Sun Jan 29 13:14:53 MST 2012


The branch, master has been updated
       via  2e6773c Announce Samba 3.6.3.
      from  9190d58 Fix release date.

http://gitweb.samba.org/?p=samba-web.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 2e6773c8d60f2fce8207429b4fa1b92649700d08
Author: Karolin Seeger <kseeger at samba.org>
Date:   Sun Jan 29 21:17:31 2012 +0100

    Announce Samba 3.6.3.
    
    Karolin

-----------------------------------------------------------------------

Summary of changes:
 generated_news/latest_10_bodies.html    |   18 ++++----
 generated_news/latest_10_headlines.html |    4 +-
 generated_news/latest_2_bodies.html     |   18 ++++----
 history/header_history.html             |    1 +
 history/samba-3.6.3.html                |   43 +++++++++++++++++
 history/security.html                   |   10 ++++
 latest_stable_release.html              |    6 +-
 security/CVE-2012-0817.html             |   78 +++++++++++++++++++++++++++++++
 8 files changed, 155 insertions(+), 23 deletions(-)
 create mode 100755 history/samba-3.6.3.html
 create mode 100644 security/CVE-2012-0817.html


Changeset truncated at 500 lines:

diff --git a/generated_news/latest_10_bodies.html b/generated_news/latest_10_bodies.html
index 1071ffc..06268ce 100644
--- a/generated_news/latest_10_bodies.html
+++ b/generated_news/latest_10_bodies.html
@@ -1,3 +1,12 @@
+	<h5><a name="3.6.3">29 January 2012</a></h5>
+	<p class="headline">Samba 3.6.3 Security Release Available for Download</p>
+	<p>This is a security release in order to address <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-CVE-2012-0817">CVE-2012-0817 (Memory leak/Denial of service)</a>.</p>
+
+<p>The uncompressed tarballs and patch files have been signed
+using GnuPG (ID 6568B7EA).  The source code can be
+<a href="http://samba.org/samba/ftp/stable/samba-3.6.3.tar.gz">downloaded
+now</a>. A <a href="http://samba.org/samba/ftp/patches/patch-3.6.2-3.6.3.diffs.gz">patch against Samba 3.6.2</a> is also available. See the <a href="http://samba.org/samba/history/samba-3.6.3.html">release notes</a> for more info.</p>
+
 	<h5><a name="3.6.2">25 January 2012</a></h5>
 	<p class="headline">Samba 3.6.2 Available for Download</p>
 	<p>This is the latest stable release of the Samba 3.6 series.</p>
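Review bot: The CVE link in the added 3.6.3 paragraph has a malformed query string, `name=CVE-2012-CVE-2012-0817`, so it will not resolve to the CVE entry. It should read `name=CVE-2012-0817`, which is the form the history/security.html hunk in this same commit uses.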
@@ -82,12 +91,3 @@ enhanced library components.</p>
 using GnuPG (ID 6568B7EA).  The source code can be
 <a href="http://samba.org/samba/ftp/stable/samba-3.6.0.tar.gz">downloaded
 now</a>. A <a href="http://samba.org/samba/ftp/patches/patch-3.5.11-3.6.0.diffs.gz">patch against Samba 3.5.11</a> is also available. See <a href="http://samba.org/samba/history/samba-3.6.0.html">the release notes for more info</a>.</p>
-
-	<h5><a name="3.5.11">04 August 2011</a></h5>
-	<p class="headline">Samba 3.5.11 Available for Download</p>
-	<p>This is the latest stable release of the Samba 3.5 series.</p>
-
-<p>The uncompressed tarballs and patch files have been signed
-using GnuPG (ID 6568B7EA).  The source code can be
-<a href="http://samba.org/samba/ftp/stable/samba-3.5.11.tar.gz">downloaded
-now</a>. A <a href="http://samba.org/samba/ftp/patches/patch-3.5.10-3.5.11.diffs.gz">patch against Samba 3.5.10</a> is also available. See <a href="http://samba.org/samba/history/samba-3.5.11.html">the release notes for more info</a>.</p>
diff --git a/generated_news/latest_10_headlines.html b/generated_news/latest_10_headlines.html
index 05cf7ba..f8b235c 100644
--- a/generated_news/latest_10_headlines.html
+++ b/generated_news/latest_10_headlines.html
@@ -1,4 +1,6 @@
 <ul>
+	<li> 29 January 2012 <a href="#3.6.3">Samba 3.6.3 Security Release Available for Download</a></li>
+
 	<li> 25 January 2012 <a href="#3.6.2">Samba 3.6.2 Available for Download</a></li>
 
 	<li> 17 January 2012 <a href="http://lwn.net/SubscriberLink/475592/8ed5bac474ed9f8a/">A Samba 4 update</a> featured by <a href=http://LWN.net/>LWN.net</a>.</li>
@@ -16,6 +18,4 @@
 	<li> 09 August 2011 <a href="/samba/news/releases/3.6.0.html">The highlights of Samba 3.6</a></li>
 
 	<li> 09 August 2011 <a href="#3.6.0">Samba 3.6.0 Available for Download</a></li>
-
-	<li> 04 August 2011 <a href="#3.5.11">Samba 3.5.11 Available for Download</a></li>
 </ul>
diff --git a/generated_news/latest_2_bodies.html b/generated_news/latest_2_bodies.html
index 4ec8153..7376bf6 100644
--- a/generated_news/latest_2_bodies.html
+++ b/generated_news/latest_2_bodies.html
@@ -1,3 +1,12 @@
+	<h5><a name="3.6.3">29 January 2012</a></h5>
+	<p class="headline">Samba 3.6.3 Security Release Available for Download</p>
+	<p>This is a security release in order to address <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-CVE-2012-0817">CVE-2012-0817 (Memory leak/Denial of service)</a>.</p>
+
+<p>The uncompressed tarballs and patch files have been signed
+using GnuPG (ID 6568B7EA).  The source code can be
+<a href="http://samba.org/samba/ftp/stable/samba-3.6.3.tar.gz">downloaded
+now</a>. A <a href="http://samba.org/samba/ftp/patches/patch-3.6.2-3.6.3.diffs.gz">patch against Samba 3.6.2</a> is also available. See the <a href="http://samba.org/samba/history/samba-3.6.3.html">release notes</a> for more info.</p>
+
 	<h5><a name="3.6.2">25 January 2012</a></h5>
 	<p class="headline">Samba 3.6.2 Available for Download</p>
 	<p>This is the latest stable release of the Samba 3.6 series.</p>
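Review bot: The added 3.6.3 paragraph in latest_2_bodies.html carries the malformed CVE URL `name=CVE-2012-CVE-2012-0817`. Change it to `name=CVE-2012-0817` so the link reaches the advisory readers are being pointed to.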
@@ -6,12 +15,3 @@
 using GnuPG (ID 6568B7EA).  The source code can be
 <a href="http://samba.org/samba/ftp/stable/samba-3.6.2.tar.gz">downloaded
 now</a>. A <a href="http://samba.org/samba/ftp/patches/patch-3.6.1-3.6.2.diffs.gz">patch against Samba 3.6.1</a> is also available. See <a href="http://samba.org/samba/history/samba-3.6.2.html">the release notes for more info</a>.</p>
-
-	<h5><a name="lwn_lca12">17 January 2012</a></h5>
-	<p class="headline">LCA: A Samba 4 update</p>
-
-<p>Read what Jonathan Corbet and many others got presented at
-<a href="http://linux.conf.au/">linux.conf.au 2012</a> at the
-<a href="http://lwn.net/SubscriberLink/475592/8ed5bac474ed9f8a/">
-A Samba 4 update</a> talk.
-</p>
diff --git a/history/header_history.html b/history/header_history.html
index d750545..1658d9d 100755
--- a/history/header_history.html
+++ b/history/header_history.html
@@ -9,6 +9,7 @@
 		<li><a href="/samba/history/">Release Notes</a>
 		<li class="navSub">
 			<ul>
+			<li><a href="samba-3.6.3.html">samba-3.6.3</a></li>
 			<li><a href="samba-3.6.2.html">samba-3.6.2</a></li>
 			<li><a href="samba-3.6.1.html">samba-3.6.1</a></li>
 			<li><a href="samba-3.6.0.html">samba-3.6.0</a></li>
diff --git a/history/samba-3.6.3.html b/history/samba-3.6.3.html
new file mode 100755
index 0000000..6b52f0b
--- /dev/null
+++ b/history/samba-3.6.3.html
@@ -0,0 +1,43 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+   <H2>Samba 3.6.3 Available for Download</H2>
+
+<p>
+<pre>
+                   =============================
+                   Release Notes for Samba 3.6.3
+                         January 29, 2012
+                   =============================
+
+
+This is a security release in order to address
+CVE-2012-0817 (Memory leak/Denial of service).
+
+o  CVE-2012-0817:
+   The Samba File Serving daemon (smbd) in Samba versions
+   3.6.0 to 3.6.2 is affected by a memory leak that can
+   cause a server denial of service.
+
+
+Changes since 3.6.2:
+--------------------
+
+
+o   Jeremy Allison <jra at samba.org>
+    * BUG 8724: Fix memory leak in parent smbd on connection.
+
+
+o   Ira Cooper <samba at ira.wakeful.net>
+    * BUG 8724: Fix memory leak in parent smbd on connection.
+</pre>
+
+</body>
+</html>
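Review bot: The `<p>` opened immediately before `<pre>` is never closed; the file goes from `</pre>` straight to `</body>`, which is not well-formed under the XHTML 1.0 Transitional doctype declared at the top. Drop the `<p>` (a `<pre>` does not belong inside a paragraph) or close it before `<pre>`. The `<H2>` text "Samba 3.6.3 Available for Download" also differs from the "Security Release" wording used in the news entries of this commit, and the BUG 8724 line appears twice with identical text under two authors; a single entry crediting both would be clearer.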
diff --git a/history/security.html b/history/security.html
index 70a8695..ab6d93f 100755
--- a/history/security.html
+++ b/history/security.html
@@ -22,6 +22,16 @@ link to full release notes for each release.</p>
       </tr>
 
     <tr>
+	<td>29 Jan 2012</td>
+	<td><a href="/samba/ftp/patches/security/samba-3.6.2-CVE-2012-0817.patch">
+	patch for Samba 3.6.2</a>
+	<td>Memory leak/Denial of service</td>
+	<td>3.6.0-3.6.2</td>
+	<td><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0817">CVE-2012-0817</a></td>
+	<td><a href="/samba/security/CVE-2012-0817">Announcement</a></td>
+    </tr>
+
+    <tr>
 	<td>26 Jul 2011</td>
 	<td><a href="/samba/ftp/patches/security/samba-3.3.15-CVE-2011-2522.patch">
 	patch for Samba 3.3.15</a>
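Review bot: The first link cell in the new row is missing its `</td>`: after `patch for Samba 3.6.2</a>` the next `<td>` opens directly. Add the closing tag so the row has well-formed cells. Also confirm that the Announcement href `/samba/security/CVE-2012-0817` resolves, since the file created in this commit is `security/CVE-2012-0817.html`.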
diff --git a/latest_stable_release.html b/latest_stable_release.html
index 7977a23..631f0c2 100644
--- a/latest_stable_release.html
+++ b/latest_stable_release.html
@@ -1,5 +1,5 @@
 <p>
-	<a href="/samba/ftp/stable/samba-3.6.2.tar.gz">Samba 3.6.2 (gzipped)</a><br>
-	<a href="/samba/history/samba-3.6.2.html">Release Notes</a> ·
-	<a href="/samba/ftp/stable/samba-3.6.2.tar.asc">Signature</a>
+	<a href="/samba/ftp/stable/samba-3.6.3.tar.gz">Samba 3.6.3 (gzipped)</a><br>
+	<a href="/samba/history/samba-3.6.3.html">Release Notes</a> ·
+	<a href="/samba/ftp/stable/samba-3.6.3.tar.asc">Signature</a>
 </p>
diff --git a/security/CVE-2012-0817.html b/security/CVE-2012-0817.html
new file mode 100644
index 0000000..adf6ad5
--- /dev/null
+++ b/security/CVE-2012-0817.html
@@ -0,0 +1,78 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+   <H2>CVE-2012-0817:</H2>
+
+<p>
+<pre>
+===========================================================
+== Subject:     Memory leak/Denial of service.
+==
+== CVE ID#:     CVE-2012-0817
+==
+== Versions:    Samba 3.6.0 - 3.6.2 (inclusive)
+==
+== Summary:     The Samba File Serving daemon (smbd) in Samba versions
+==              3.6.0 to 3.6.2 is affected by a memory leak that can
+==              cause a server denial of service.
+==
+==
+===========================================================
+
+===========
+Description
+===========
+
+Samba versions 3.6.0 to 3.6.2 inclusive are vulnerable to a memory
+leak that can cause a server denial of service.
+
+The Samba smbd daemon that listens for incoming connections leaks
+a small amount of memory on every connection attempt. Although this
+is a small leak, it happens on every connection even without successful
+authentication. Thus an attacker can simply loop making connection
+requests and cause the listening daemon to ever increase in size.
+
+Eventually the server process will grow enough to either cause memory
+allocations in other processes to fail, or be killed by the system
+as part of its out of memory protection. Either way, denial of service
+would be achieved.
+
+The symptom that caused this issue to be discovered was extreme CPU use
+on an affected system. This was caused by the child processes that were
+forked from the parent attempting to free the leaked memory.
+
+==========
+Workaround
+==========
+
+None.
+
+==================
+Patch Availability
+==================
+
+A patch addressing this defect has been posted to
+
+  http://www.samba.org/samba/security/
+
+Additionally, Samba 3.6.3 has been issued as security release to correct the
+defect. Samba administrators running affected versions are advised to upgrade
+to 3.6.3 or apply the patch as soon as possible.
+
+=======
+Credits
+=======
+
+The vulnerability was discovered and reported to the Samba Team by Youzhong
+Yang and Ira Cooper of MathWorks. Patches were written and tested by Ira
+Cooper of MathWorks and Jeremy Allison of the Samba Team.
+</pre>
+</body>
+</html>
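Review bot: The `<p>` before `<pre>` is never closed here either (`</pre>` is followed directly by `</body>`), which breaks well-formedness under the declared XHTML doctype; remove the `<p>` or close it before `<pre>`. In the Patch Availability section, "has been issued as security release" should read "as a security release", and the section points only at the general `http://www.samba.org/samba/security/` page; linking the specific patch that history/security.html references would save administrators a step.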


-- 
Samba Website Repository

