Samba 2.2.0a and Samba 2.0.10 security bugfixes released.

John E. Malmberg malmberg at
Wed Jun 27 21:25:52 GMT 2001

Could someone fix either the webservers or the HTML pages for the
SAMBA home pages?

The links to the files of the .diffs.gz are set with meta-tags saying that
they are plain text files, and not application octet streams as they
should be.  This makes it impossible to use them on browsers like
NETSCAPE that actually use the meta-tags instead of the file extension of

The .tar.gz file links work correctly to allow downloads.  Just the
.diff.gz ones are broken.

Of course this may only be on the U.S. Mirrors, such as

On Sat, 23 Jun 2001, Jeremy Allison wrote:

> New releases of Samba to fix the security hole described at :

Small correction, OpenVMS ports are not easily vulnerable with the tools
that users have readily available or common knowledge of.

It would appear that the true fix for these exploits is:

1. Do not allow non-privileged users write access to /var/log/*

I do not know if this can be done with the UNIX security model.  It is
not difficult with ACLs.

2. When opening a file with SETUID/SETEUID as root privileges on behalf of
   a user request, make sure that the user really has the access

wb8tyw at
Personal Opinion Only
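The two points above (do not let root blindly write into a user-writable directory such as /var/log, and check the requesting user's access before opening on their behalf) as an added C illustration; this is not Samba's code and `open_for_user` / `open_trusted_log` are hypothetical helpers. It assumes a POSIX system; `open_for_user` only drops supplementary groups when run as root.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1
#endif
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Point 2: open `path` with the requesting user's effective credentials so the
 * kernel applies that user's permissions, not root's.  Returns an fd or -1. */
int open_for_user(const char *path, uid_t uid, gid_t gid, int flags)
{
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();
    int fd, saved_errno;

    /* Group first: once the euid is unprivileged, setegid() would be refused. */
    if (setegid(gid) == -1) return -1;
    if (saved_uid == 0 && setgroups(1, &gid) == -1) { setegid(saved_gid); return -1; }
    if (seteuid(uid) == -1) { setegid(saved_gid); return -1; }

    fd = open(path, flags | O_NOFOLLOW, 0600);  /* permission check runs as `uid` */
    saved_errno = errno;

    /* Restore root (uid before gid).  A process that cannot get back to its
     * known credentials must not carry on serving requests. */
    if (seteuid(saved_uid) == -1 || setegid(saved_gid) == -1) abort();
    errno = saved_errno;
    return fd;
}

/* Point 1: a log that root itself must write.  Refuse symlinks, non-regular
 * files, files not owned by this daemon, and files others could replace or
 * write to.  The checks use fstat() on the opened descriptor, so a rename
 * between check and use cannot defeat them. */
int open_trusted_log(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_NOCTTY);
    if (fd == -1) return -1;
    if (fstat(fd, &st) == -1 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}
```

Run as an unprivileged user the seteuid calls are no-ops for your own uid, which is enough to see the checks; the credential switch only matters when the daemon starts as root.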

More information about the samba-technical mailing list