[Announce] Samba 3.0.35 Security Release Available for Download
Karolin Seeger
kseeger at samba.org
Mon Jun 29 06:15:02 MDT 2009
Hi Alexander,
On Mon, Jun 29, 2009 at 02:51:42PM +0400, Alexander wrote:
> On Tue, Jun 23, 2009 at 6:41 PM, Karolin Seeger <kseeger at samba.org> wrote:
>
> Release Announcements
> =====================
>
> This is a security release in order to address CVE-2009-1888.
>
> o CVE-2009-1888:
> In Samba 3.0.31 to 3.3.5 (inclusive), an uninitialized read of a
> data value can potentially affect access control when "dos filemode"
> is set to "yes".
>
>
> Hello Samba team,
>
> Just wanted to clarify - do I understand it correctly that pre-3.0.31 versions
> are not affected by this?
> I believe yes and checking the source for that function in older releases
> (looked at 3.0.20, 3.0.28 and 3.0.30) shows no "sbuf" structure allocation that
> appeared in 3.0.31 and is initialized properly with a patch now, but could you
> please confirm that?
>
> (looks like my first message to samba-technical at lists.samba.org didn't get
> through, apologize if that would be double-post)
yes, that's correct. This issue was introduced with 3.0.31.
Cheers,
Karolin
--
Samba http://www.samba.org
SerNet http://www.sernet.de
sambaXP http://www.sambaxp.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20090629/e7a344f3/attachment.bin
More information about the samba-technical
mailing list