[SCM] Samba Website Repository - branch master updated

Karolin Seeger kseeger at samba.org
Mon Aug 5 02:37:09 MDT 2013


The branch, master has been updated
       via  be8c916 Announce Samba 4.0.8, 3.6.17 and 3.5.22.
      from  70b8e7b Announce Samba 4.1.0rc1.

http://gitweb.samba.org/?p=samba-web.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit be8c91649d8c43db3d2429d567c48721707b5abf
Author: Karolin Seeger <kseeger at samba.org>
Date:   Mon Aug 5 10:35:06 2013 +0200

    Announce Samba 4.0.8, 3.6.17 and 3.5.22.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 generated_news/latest_10_bodies.html    |   57 ++++++++++++++++++------
 generated_news/latest_10_headlines.html |    5 +-
 generated_news/latest_2_bodies.html     |   47 ++++++++++++++------
 history/header_history.html             |    3 +
 history/samba-3.5.22.html               |   49 +++++++++++++++++++++
 history/samba-3.6.17.html               |   49 +++++++++++++++++++++
 history/samba-4.0.8.html                |   49 +++++++++++++++++++++
 history/security.html                   |   17 +++++++
 latest_stable_release.html              |    6 +-
 security/CVE-2013-4124.html             |   73 +++++++++++++++++++++++++++++++
 10 files changed, 324 insertions(+), 31 deletions(-)
 create mode 100755 history/samba-3.5.22.html
 create mode 100755 history/samba-3.6.17.html
 create mode 100755 history/samba-4.0.8.html
 create mode 100644 security/CVE-2013-4124.html


Changeset truncated at 500 lines:

diff --git a/generated_news/latest_10_bodies.html b/generated_news/latest_10_bodies.html
index 206cdcf..803edd0 100644
--- a/generated_news/latest_10_bodies.html
+++ b/generated_news/latest_10_bodies.html
@@ -1,3 +1,47 @@
+	<h5><a name="4.0.8">05 August 2013</a></h5>
+	<p class="headline">Samba 4.0.8, 3.6.17 and 3.5.22 <b>Security
+	Releases</b> Available for Download</p>
+	<p>These are security releases in order to address
+	<a
+	href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4124">CVE-2013-4124</a>
+	(Samba 3.0.x to 4.0.7 are affected by a <b>denial of service attack on authenticated
+	or guest connections)</b>.</p>
+
+	<p>The uncompressed tarballs and patch files have been signed
+	using GnuPG (ID 6568B7EA).</p>
+	<p>
+	The source code can be downloaded here:
+	<li><a href="http://samba.org/samba/ftp/stable/samba-4.0.8.tar.gz">download
+	Samba 4.0.8</a>,</li>
+	<li><a href="http://samba.org/samba/ftp/stable/samba-3.6.17.tar.gz">download
+	Samba 3.6.17</a>,</li>
+	<li><a href="http://samba.org/samba/ftp/stable/samba-3.5.22.tar.gz">download
+	Samba 3.5.22</a>.</li>
+	</p>
+
+	<p>
+	Patches against the parents are also available:
+	<li><a
+	href="http://samba.org/samba/ftp/patches/patch-4.0.7-4.0.8.diffs.gz">patch
+	Samba 4.0.7/4.0.7</a>,</li>
+	<li><a
+	href="http://samba.org/samba/ftp/patches/patch-3.6.16-3.6.17.diffs.gz">patch
+	Samba 3.6.16/3.6.17</a>,</li>
+	<li><a
+	href="http://samba.org/samba/ftp/patches/patch-3.5.21-3.5.222.diffs.gz">patch
+	Samba 3.5.21/3.5.22</a>.</li>
+</p>
+
+<p>
+Please see the release notes for more info:
+<li><a href="http://samba.org/samba/history/samba-4.0.8.html">release notes
+	Samba 4.0.8</a>,</li>
+<li><a href="http://samba.org/samba/history/samba-3.6.17.html">release notes
+	Samba 3.6.17</a>,</li>
+<li><a href="http://samba.org/samba/history/samba-3.5.22.html">release notes
+	Samba 3.5.22</a>.</li>
+</p>
+
        <h5><a name="4.1.0rc1">11 July 2013</a></h5>
        <p class="headline">Samba 4.1.0rc1 Available for Download</p>
        <p>This is the first release candidate of the upcoming Samba 4.1 release series.</p>
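Review bot: the three `<li>` groups in this hunk sit directly inside `<p>` elements with no enclosing `<ul>`, which is invalid markup, and two strings in the "Patches against the parents" list are wrong: the link text `patch Samba 4.0.7/4.0.7` should read `Samba 4.0.7/4.0.8`, and the href `patch-3.5.21-3.5.222.diffs.gz` carries an extra digit (should be `3.5.22`). Suggest wrapping each list in `<ul>…</ul>` and fixing both values; also move the closing `</b>` in `guest connections)</b>` in front of the `)` so the bold span does not swallow the parenthesis.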
@@ -112,16 +156,3 @@ now</a>.  A <a href="http://download.samba.org/samba/ftp/patches/patch-4.0.3-4.0
 patch against Samba 4.0.3</a> is also available. See
 <a href="http://samba.org/samba/history/samba-4.0.4.html">
 the release notes for more info</a>.</p>
-
-
-	<h5><a name="3.6.13">18 March 2013</a></h5>
-	<p class="headline">Samba 3.6.13 Available for Download</p>
-	<p>This is the latest stable release of the Samba 3.6 series.</p>
-
-<p>The uncompressed tarballs and patch files have been signed
-using GnuPG (ID 6568B7EA).  The source code can be
-<a href="http://samba.org/samba/ftp/stable/samba-3.6.13.tar.gz">downloaded
-now</a>. A <a href="http://samba.org/samba/ftp/patches/patch-3.6.12-3.6.13.diffs.gz">
-patch against Samba 3.6.12</a> is also available.
-See <a href="http://samba.org/samba/history/samba-3.6.13.html">
-the release notes for more info</a>.</p>
diff --git a/generated_news/latest_10_headlines.html b/generated_news/latest_10_headlines.html
index 3dcbebe..476bad9 100644
--- a/generated_news/latest_10_headlines.html
+++ b/generated_news/latest_10_headlines.html
@@ -1,4 +1,7 @@
 <ul>
+	<li> 05 August 2013 <a href="#4.0.8">Samba 4.0.8, 3.6.17 and 3.5.22
+	Security Releases Available for Download (CVE-2013-4124)</a></li>
+
 	<li> 02 July 2013 <a href="#4.0.7">Samba 4.0.7 Available for Download</a></li>
 
 	<li> 19 June 2013 <a href="#3.6.16">Samba 3.6.16 Available for Download</a></li>
@@ -16,6 +19,4 @@
 	<li> 19 March 2013 <a href="#4.0.4">Samba 4.0.4 Available for Download</a></li>
 
 	<li> 18 March 2013 <a href="#3.6.13">Samba 3.6.13 Available for Download</a></li>
-
-	<li> 05 February 2013 <a href="#4.0.3">Samba 4.0.3 Available for Download</a></li>
 </ul>
diff --git a/generated_news/latest_2_bodies.html b/generated_news/latest_2_bodies.html
index 9343c40..38519a7 100644
--- a/generated_news/latest_2_bodies.html
+++ b/generated_news/latest_2_bodies.html
@@ -1,3 +1,37 @@
+	<h5><a name="4.0.8">05 August 2013</a></h5>
+	<p class="headline">Samba 4.0.8, 3.6.17 and 3.5.22 <b>Security
+	Releases</b> Available for Download</p>
+	<p>These are security releases in order to address
+	<a
+	href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4124">CVE-2013-4124</a>
+	(Samba 3.0.x to 4.0.7 are affected by a <b>denial of service attack on authenticated
+	or guest connections)</b>.</p>
+
+	<p>The uncompressed tarballs and patch files have been signed
+	using GnuPG (ID 6568B7EA).</p>
+	<p>
+	The source code can be downloaded here:
+	<li><a href="http://samba.org/samba/ftp/stable/samba-4.0.8.tar.gz">download
+	Samba 4.0.8</a>,</li>
+	<li><a href="http://samba.org/samba/ftp/stable/samba-3.6.17.tar.gz">download
+	Samba 3.6.17</a>,</li>
+	<li><a href="http://samba.org/samba/ftp/stable/samba-3.5.22.tar.gz">download
+	Samba 3.5.22</a>.</li>
+	</p>
+
+	<p>
+	Patches against the parents are also available:
+	<li><a
+	href="http://samba.org/samba/ftp/patches/patch-4.0.7-4.0.8.diffs.gz">patch
+	Samba 4.0.7/4.0.7</a>,</li>
+	<li><a
+	href="http://samba.org/samba/ftp/patches/patch-3.6.16-3.6.17.diffs.gz">patch
+	Samba 3.6.16/3.6.17</a>,</li>
+	<li><a
+	href="http://samba.org/samba/ftp/patches/patch-3.5.21-3.5.222.diffs.gz">patch
+	Samba 3.5.21/3.5.22</a>.</li>
+</p>
+
        <h5><a name="4.1.0rc1">11 July 2013</a></h5>
        <p class="headline">Samba 4.1.0rc1 Available for Download</p>
        <p>This is the first release candidate of the upcoming Samba 4.1 release series.</p>
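Review bot: this copy repeats the defects of the latest_10_bodies.html hunk (`<li>` items without an enclosing `<ul>`, `patch Samba 4.0.7/4.0.7` instead of `4.0.7/4.0.8`, and the `3.5.222` typo in the 3.5.22 patch href); since both files live under generated_news/, fix the source entry once rather than each generated file. It also omits the "Please see the release notes" paragraph that the latest_10 copy carries, so the two bodies are not in sync, and the closing `</p>` on the last added line is unindented while its opening tag is tab-indented.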
@@ -7,16 +41,3 @@ using GnuPG (ID 6568B7EA).  The source code can be
 <a href="https://download.samba.org/pub/samba/rc/samba-4.1.0rc1.tar.gz">downloaded
 now</a>. See <a href="https://download.samba.org/pub/samba/rc/WHATSNEW-4.1.0rc1.txt">the
 release notes for more info</a>.</p>
-
-
-	<h5><a name="4.0.7">02 July 2013</a></h5>
-	<p class="headline">Samba 4.0.7 Available for Download</p>
-	<p>This is the latest stable release of the Samba 4.0 series.</p>
-
-<p>The uncompressed tarballs and patch files have been signed
-using GnuPG (ID 6568B7EA).  The source code can be
-<a href="http://samba.org/samba/ftp/stable/samba-4.0.7.tar.gz">downloaded
-now</a>. A <a href="http://samba.org/samba/ftp/patches/patch-4.0.6-4.0.7.diffs.gz">
-patch against Samba 4.0.6</a> is also available. See
-<a href="http://samba.org/samba/history/samba-4.0.7.html"> the release notes
- for more info</a>.</p>
diff --git a/history/header_history.html b/history/header_history.html
index f787afb..dc19f38 100755
--- a/history/header_history.html
+++ b/history/header_history.html
@@ -10,6 +10,7 @@
 		<li class="navSub">
 			<ul>
 			<li><a href="/samba/security/CVE-2013-0454.html">CVE-2013-0454</a></li>
+			<li><a href="samba-4.0.8.html">samba-4.0.8</a></li>
 			<li><a href="samba-4.0.7.html">samba-4.0.7</a></li>
 			<li><a href="samba-4.0.6.html">samba-4.0.6</a></li>
 			<li><a href="samba-4.0.5.html">samba-4.0.5</a></li>
@@ -18,6 +19,7 @@
 			<li><a href="samba-4.0.2.html">samba-4.0.2</a></li>
 			<li><a href="samba-4.0.1.html">samba-4.0.1</a></li>
 			<li><a href="samba-4.0.0.html">samba-4.0.0</a></li>
+			<li><a href="samba-3.6.17.html">samba-3.6.17</a></li>
 			<li><a href="samba-3.6.16.html">samba-3.6.16</a></li>
 			<li><a href="samba-3.6.15.html">samba-3.6.15</a></li>
 			<li><a href="samba-3.6.14.html">samba-3.6.14</a></li>
@@ -35,6 +37,7 @@
 			<li><a href="samba-3.6.2.html">samba-3.6.2</a></li>
 			<li><a href="samba-3.6.1.html">samba-3.6.1</a></li>
 			<li><a href="samba-3.6.0.html">samba-3.6.0</a></li>
+			<li><a href="samba-3.5.22.html">samba-3.5.22</a></li>
 			<li><a href="samba-3.5.21.html">samba-3.5.21</a></li>
 			<li><a href="samba-3.5.20.html">samba-3.5.20</a></li>
 			<li><a href="samba-3.5.19.html">samba-3.5.19</a></li>
diff --git a/history/samba-3.5.22.html b/history/samba-3.5.22.html
new file mode 100755
index 0000000..483cd60
--- /dev/null
+++ b/history/samba-3.5.22.html
@@ -0,0 +1,49 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+   <H2>Samba 3.5.22 Available for Download</H2>
+
+<p>
+<pre>
+                   ==============================
+                   Release Notes for Samba 3.5.22
+			  August 05, 2013
+                   ==============================
+
+
+This is a security release in order to address
+CVE-2013-4124 (Missing integer wrap protection in EA list reading can cause
+server to loop with DOS).
+
+o  CVE-2013-4124:
+   All current released versions of Samba are vulnerable to a denial of
+   service on an authenticated or guest connection. A malformed packet
+   can cause the smbd server to loop the CPU performing memory
+   allocations and preventing any further service.
+
+   A connection to a file share, or a local account is needed to exploit
+   this problem, either authenticated or unauthenticated if guest
+   connections are allowed.
+
+   This flaw is not exploitable beyond causing the code to loop
+   allocating memory, which may cause the machine to exceed memory
+   limits.
+
+
+Changes since 3.5.21:
+---------------------
+
+o   Jeremy Allison <jra at samba.org>
+    * BUG 10010: CVE-2013-4124: Missing integer wrap protection in EA list
+      reading can cause server to loop with DOS.
+</pre>
+
+</body>
+</html>
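Review bot: the `<p>` opened on the line before `<pre>` is never closed, and `<pre>` is a block-level element that is not permitted inside a paragraph in XHTML 1.0 Transitional, so drop the stray `<p>`; the same stray `<p>` appears in the samba-3.6.17.html and samba-4.0.8.html files added in this commit. The date line `August 05, 2013` is also indented with tabs while the banner lines around it use spaces, so it will not line up under the title in a monospace render; re-indent it with spaces as in the 3.6.17 and 4.0.8 files.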
diff --git a/history/samba-3.6.17.html b/history/samba-3.6.17.html
new file mode 100755
index 0000000..c68dd0e
--- /dev/null
+++ b/history/samba-3.6.17.html
@@ -0,0 +1,49 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+   <H2>Samba 3.6.17 Available for Download</H2>
+
+<p>
+<pre>
+                   ==============================
+                   Release Notes for Samba 3.6.17
+                          August 05, 2013
+                   ==============================
+
+
+This is a security release in order to address
+CVE-2013-4124 (Missing integer wrap protection in EA list reading can cause
+server to loop with DOS).
+
+o  CVE-2013-4124:
+   All current released versions of Samba are vulnerable to a denial of
+   service on an authenticated or guest connection. A malformed packet
+   can cause the smbd server to loop the CPU performing memory
+   allocations and preventing any further service.
+
+   A connection to a file share, or a local account is needed to exploit
+   this problem, either authenticated or unauthenticated if guest
+   connections are allowed.
+
+   This flaw is not exploitable beyond causing the code to loop
+   allocating memory, which may cause the machine to exceed memory
+   limits.
+
+
+Changes since 3.6.16:
+---------------------
+
+o   Jeremy Allison <jra at samba.org>
+    * BUG 10010: CVE-2013-4124: Missing integer wrap protection in EA list
+      reading can cause server to loop with DOS.
+</pre>
+
+</body>
+</html>
diff --git a/history/samba-4.0.8.html b/history/samba-4.0.8.html
new file mode 100755
index 0000000..80e67d9
--- /dev/null
+++ b/history/samba-4.0.8.html
@@ -0,0 +1,49 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+   <H2>Samba 4.0.8 Available for Download</H2>
+
+<p>
+<pre>
+                   =============================
+                   Release Notes for Samba 4.0.8
+                          August 05, 2013
+                   =============================
+
+
+This is a security release in order to address
+CVE-2013-4124 (Missing integer wrap protection in EA list reading can cause
+server to loop with DOS).
+
+o  CVE-2013-4124:
+   All current released versions of Samba are vulnerable to a denial of
+   service on an authenticated or guest connection. A malformed packet
+   can cause the smbd server to loop the CPU performing memory
+   allocations and preventing any further service.
+
+   A connection to a file share, or a local account is needed to exploit
+   this problem, either authenticated or unauthenticated if guest
+   connections are allowed.
+
+   This flaw is not exploitable beyond causing the code to loop
+   allocating memory, which may cause the machine to exceed memory
+   limits.
+
+
+Changes since 4.0.7:
+--------------------
+
+o   Jeremy Allison <jra at samba.org>
+    * BUG 10010: CVE-2013-4124: Missing integer wrap protection in EA list
+      reading can cause server to loop with DOS.
+</pre>
+
+</body>
+</html>
diff --git a/history/security.html b/history/security.html
index e75a263..d25032d 100755
--- a/history/security.html
+++ b/history/security.html
@@ -22,6 +22,23 @@ link to full release notes for each release.</p>
       </tr>
 
     <tr>
+	<td>05 Aug 2013</td>
+	<td><a href="/samba/ftp/patches/security/samba-4.0.7-CVE-2013-4124.patch">
+	patch for Samba 4.0.7</a>
+	<a href="/samba/ftp/patches/security/samba-3.6.16-CVE-2013-4124.patch">
+	patch for Samba 3.6.16</a>
+	<a href="/samba/ftp/patches/security/samba-3.5.21-CVE-2013-4124.patch">
+	patch for Samba 3.5.21</a>
+	<td>Denial of service - CPU loop and memory allocation.</td>
+	<td>3.0.x-4.0.7</td>
+	<td><a
+	href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4124">CVE-2013-4124</a>
+	</td>
+	<td><a href="/samba/security/CVE-2013-4124">Announcement</a>
+	</td>
+    </tr>
+
+    <tr>
 	<td>02 Apr 2013</td>
 	<td><a href="/samba/ftp/patches/security/samba-3.6-CVE-2013-0454.patch">
 	patch for Samba 3.6.5</a>
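Review bot: the patch-links `<td>` in the new row is never closed before the `<td>Denial of service…</td>` cell, so add `</td>` after `patch for Samba 3.5.21</a>`; every other cell in the row is closed. The Announcement link also points to `/samba/security/CVE-2013-4124` while the file added in this commit is `security/CVE-2013-4124.html`, so it only resolves if the server maps extension-less paths; link to `CVE-2013-4124.html` explicitly, matching the `/samba/security/CVE-2013-0454.html` style used in header_history.html.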
diff --git a/latest_stable_release.html b/latest_stable_release.html
index c23d488..a5bb38f 100644
--- a/latest_stable_release.html
+++ b/latest_stable_release.html
@@ -1,5 +1,5 @@
 <p>
-	<a href="/samba/ftp/stable/samba-4.0.7.tar.gz">Samba 4.0.7 (gzipped)</a><br>
-	<a href="/samba/history/samba-4.0.7.html">Release Notes</a> ·
-	<a href="/samba/ftp/stable/samba-4.0.7.tar.asc">Signature</a>
+	<a href="/samba/ftp/stable/samba-4.0.8.tar.gz">Samba 4.0.8 (gzipped)</a><br>
+	<a href="/samba/history/samba-4.0.8.html">Release Notes</a> ·
+	<a href="/samba/ftp/stable/samba-4.0.8.tar.asc">Signature</a>
 </p>
diff --git a/security/CVE-2013-4124.html b/security/CVE-2013-4124.html
new file mode 100644
index 0000000..d4753b8
--- /dev/null
+++ b/security/CVE-2013-4124.html
@@ -0,0 +1,73 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+   <H2>CVE-2013-4124.html:</H2>
+
+<p>
+<pre>
+===========================================================
+== Subject:     Denial of service - CPU loop and memory allocation.
+==
+== CVE ID#:     CVE-2013-4124
+==
+== Versions:    Samba 3.0.x - 4.0.7 (inclusive)
+==
+== Summary:     Samba 3.0.x to 4.0.7 are affected by a
+==              denial of service attack on authenticated
+==		or guest connections.
+==
+===========================================================
+
+===========
+Description
+===========
+
+All current released versions of Samba are vulnerable to a denial of
+service on an authenticated or guest connection. A malformed packet
+can cause the smbd server to loop the CPU performing memory
+allocations and preventing any further service.
+
+A connection to a file share, or a local account is needed to exploit
+this problem, either authenticated or unauthenticated if guest
+connections are allowed.
+
+This flaw is not exploitable beyond causing the code to loop
+allocating memory, which may cause the machine to exceed memory
+limits.
+
+==================
+Patch Availability
+==================
+
+A patch addressing this defect has been posted to
+
+  http://www.samba.org/samba/security/
+
+Additionally, Samba 3.5.22, 3.6.17 and 4.0.8 have been issued as
+security releases to correct the defect.  Patches against older Samba
+versions are available at http://samba.org/samba/patches/. Samba
+vendors and administrators running affected versions are advised to
+upgrade or apply the patch as soon as possible.
+
+==========
+Workaround
+==========
+
+None.
+
+=======
+Credits
+=======
+
+This problem was found by an internal audit of the Samba code by
+Jeremy Allison of Google.
+</pre>
+</body>
+</html>
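Review bot: the `<H2>` heading reads `CVE-2013-4124.html:`, exposing the file name and a trailing colon where the advisory subject belongs; suggest `CVE-2013-4124: Denial of service - CPU loop and memory allocation`. The third Summary line (`==\t\tor guest connections.`) is tab-indented while the two lines above use spaces, so it misaligns inside `<pre>`, and the `<p>` before `<pre>` is never closed. The Patch Availability section points to http://www.samba.org/samba/security/ while history/security.html in this same commit links the patches under /samba/ftp/patches/security/; worth confirming both locations resolve before the announcement goes out.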


-- 
Samba Website Repository

