[Samba] [Announce] Samba 3.0.37 Security Release Available

Karolin Seeger kseeger at samba.org
Thu Oct 1 07:00:44 MDT 2009


Release Announcements
=====================

This is a security release in order to address CVE-2009-2813, CVE-2009-2948
and CVE-2009-2906.

   o CVE-2009-2813:
     In all versions of Samba later than 3.0.11, connecting to the home
     share of a user will use the root of the filesystem
     as the home directory if this user is misconfigured to have
     an empty home directory in /etc/passwd.

   o CVE-2009-2948:
     If mount.cifs is installed as a setuid program, a user can pass it a
     credential or password path to which he or she does not have access and
     then use the --verbose option to view the first line of that file.
     All known Samba versions are affected.

   o CVE-2009-2906:
     Specially crafted SMB requests on authenticated SMB connections can
     send smbd into a 100% CPU loop, causing a DoS on the Samba server.


######################################################################
Changes
#######

Changes since 3.0.36
--------------------


o   Jeremy Allison <jra at samba.org>
    * BUG 6763: Fix for CVE-2009-2813.
    * BUG 6768: Fix for CVE-2009-2906.


o   Jeff Layton <jlayton at redhat.com>
    * Fix for CVE-2009-2948.


================
Download Details
================

The uncompressed tarballs and patch files have been signed
using GnuPG (ID 6568B7EA).  The source code can be downloaded
from:

        http://download.samba.org/samba/ftp/

The release notes are available online at:

        http://www.samba.org/samba/ftp/history/samba-3.0.37.html

Binary packages will be made available on a volunteer basis from

        http://download.samba.org/samba/ftp/Binary_Packages/

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

                        --Enjoy
                        The Samba Team



-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba/attachments/20091001/39795e33/attachment.pgp>


More information about the samba mailing list