[Samba] [SECURITY] Samba 3.0.1 - 3.0.22: memory exhaustion DoSagainst smbd

Logan Shaw lshaw at emitinc.com
Tue Jul 11 17:24:28 GMT 2006

On Tue, 11 Jul 2006, Gerald (Jerry) Carter wrote:
> Guillermo Gutierrez wrote:

>> (Blond-moment question) I take it then, that this
>> bug doesn't apply to version 3.0.23?

> Actually, you are the second person to ask me this. :-)
> I thought that since both the security and release
> announcement can from me, it would be obvious.

The security bug announcement did say that versions up through
3.0.22 were affected, but there are two possible explanations
for the appearance of that statement:

1.  At the time the security announcement was written, 3.0.23
     had been released and was known not to be affected by the
     security problem, and therefore wasn't included in the
     list of versions affected.

2.  At the time the security announcement was written, 3.0.23
     had not been released and wasn't included in the list of
     versions affected because 3.0.23 did not exist.

In order to figure out which, the reader has to determine
whether whoever wrote the security announcement knew that 3.0.23
existed.  You posted both announcements to the list, but (a)
that doesn't mean you wrote both of them (release announcements
are usually written by the developer, but security advisories
are often written up by some security team and then reposted
all over the place), and (b) that doesn't mean, even if you
wrote the security advisory, that it was written after 3.0.23
was released; maybe they were both written within 10 minutes
of each other because that was when you had time to send out
some e-mail messages.

In practice, maybe an easy way to deal with this is to include
in any security advisory two lists of versions:  those known
to be affected and those known not to be affected.  (ISC does
something like this with their security matrix for BIND.)

   - Logan

More information about the samba mailing list