[Samba] [Announce] Samba 4.0.8, 3.6.17 and 3.5.22 Security Releases Available for Download

Karolin Seeger kseeger at samba.org
Mon Aug 5 03:05:06 MDT 2013


Release Announcements
---------------------

Samba 4.0.8, 3.6.17 and 3.5.22 have been issued as security releases in order
to address CVE-2013-4124 (Denial of service - CPU loop and memory allocation).

o  CVE-2013-4124:
   All current released versions of Samba are vulnerable to a denial of
   service on an authenticated or guest connection. A malformed packet
   can cause the smbd server to loop the CPU performing memory
   allocations and preventing any further service.

   A connection to a file share, or a local account is needed to exploit
   this problem, either authenticated or unauthenticated if guest
   connections are allowed.

   This flaw is not exploitable beyond causing the code to loop
   allocating memory, which may cause the machine to exceed memory
   limits.


Changes:
========

o   Jeremy Allison <jra at samba.org>
    * BUG 10010: CVE-2013-4124: Missing integer wrap protection in EA list
      reading can cause server to loop with DOS.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.0 product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================

================
Download Details
================

The uncompressed tarballs and patch files have been signed
using GnuPG (ID 6568B7EA).  The source code can be downloaded
from:

        http://download.samba.org/samba/ftp/stable/

The release notes are available online at:

        http://www.samba.org/samba/history/samba-4.0.8.html
        http://www.samba.org/samba/history/samba-3.6.17.html
        http://www.samba.org/samba/history/samba-3.5.22.html

Binary packages will be made available on a volunteer basis from

        http://download.samba.org/samba/ftp/Binary_Packages/

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

                        --Enjoy
                        The Samba Team
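
The changelog entry above names a bug class: a list reader that advances by a 32-bit offset taken from the packet, without integer wrap protection. As an added example (not Samba's code or its patch; the record layout and the function `count_records` are constructed for illustration), this C walker advances through a chained list using checks that cannot wrap and that force forward progress:

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed record layout (an assumption, not Samba's wire format):
 *   bytes 0..3  next_offset, little-endian, relative to this record; 0 = last
 *   byte  4     name_len
 *   bytes 5..   name (name_len bytes) */
#define HDR_LEN 5u

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns the number of records walked, or -1 if the list is malformed. */
int count_records(const uint8_t *buf, uint32_t len)
{
    uint32_t off = 0;   /* invariant: off <= len */
    int n = 0;
    for (;;) {
        /* Bounds checks are subtractions from len, so they cannot wrap. */
        if (len - off < HDR_LEN)
            return -1;
        uint32_t next = rd_le32(buf + off);
        uint32_t name_len = buf[off + 4];
        if (len - off - HDR_LEN < name_len)
            return -1;
        n++;
        if (next == 0)
            return n;
        /* Without these two checks, "off += next" with next close to
         * UINT32_MAX wraps to an earlier record and the walk never ends. */
        if (next < HDR_LEN + name_len) /* must step past this record */
            return -1;
        if (next > len - off)          /* must stay inside the buffer */
            return -1;
        off += next;
    }
}

int main(void)
{
    /* Constructed input: the second record's next_offset is 0xFFFFFFF8. */
    const uint8_t bad[] = {8,0,0,0, 3,'a','b','c', 0xF8,0xFF,0xFF,0xFF, 2,'x','y'};
    printf("%d\n", count_records(bad, sizeof bad));
    return 0;
}
```

Because every accepted `next_offset` is at least the size of the current record and at most the bytes remaining, the offset strictly increases and the loop is bounded by the buffer length.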

