Jump to content
Compatible Support Forums
Sign in to follow this  
Followers 0
news

[Security Announce] [ MDVSA-2009:320 ] samba

By news, in Upcoming News

Recommended Posts

news    28

news
Posted

This is a multi-part message in MIME format...

 

------------=_1260127295-24326-1729

 

 

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

 

_______________________________________________________________________

 

Mandriva Linux Security Advisory MDVSA-2009:320

http://www.mandriva.com/security/

_______________________________________________________________________

 

Package : samba

Date : December 6, 2009

Affected: 2008.0

_______________________________________________________________________

 

Problem Description:

 

Multiple vulnerabilities has been found and corrected in samba:

 

The acl_group_override function in smbd/posix_acls.c in smbd in Samba

3.0.x before 3.0.35, 3.1.x and 3.2.x before 3.2.13, and 3.3.x before

3.3.6, when dos filemode is enabled, allows remote attackers to modify

access control lists for files via vectors related to read access to

uninitialized memory (CVE-2009-1888).

 

The SMB (aka Samba) subsystem in Apple Mac OS X 10.5.8, when Windows

File Sharing is enabled, does not properly handle errors in resolving

pathnames, which allows remote authenticated users to bypass intended

sharing restrictions, and read, create, or modify files, in certain

circumstances involving user accounts that lack home directories

(CVE-2009-2813).

 

smbd in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8,

and 3.4 before 3.4.2 allows remote authenticated users to cause a

denial of service (infinite loop) via an unanticipated oplock break

notification reply packet (CVE-2009-2906).

 

mount.cifs in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before

3.3.8 and 3.4 before 3.4.2, when mount.cifs is installed suid root,

does not properly enforce permissions, which allows local users to

read part of the credentials file and obtain the password by specifying

the path to the credentials file and using the --verbose or -v option

(CVE-2009-2948).

 

The version of samba shipping with Mandriva Linux 2008.0 has been

updated to the latest version (3.0.37) that includes the fixes for

these issues.

_______________________________________________________________________

 

References:

 

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1888

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2813

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2906

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2948

http://www.samba.org/samba/security/CVE-2009-2813.html

http://www.samba.org/samba/security/CVE-2009-2906.html

http://www.samba.org/samba/security/CVE-2009-2948.html

_______________________________________________________________________

 

Updated Packages:

 

Mandriva Linux 2008.0:

dd63a83b66113c6868679d69c6465bc3 2008.0/i586/libsmbclient0-3.0.37-0.1mdv2008.0.i586.rpm

93bfb74360ddc2dd279d4e2101f84fbc 2008.0/i586/libsmbclient0-devel-3.0.37-0.1mdv2008.0.i586.rpm

321d998b7db0645174182d55ef20fcf7 2008.0/i586/libsmbclient0-static-devel-3.0.37-0.1mdv2008.0.i586.rpm

be767601a25c3d2f7e3774a5389d4592 2008.0/i586/mount-cifs-3.0.37-0.1mdv2008.0.i586.rpm

b907c06e94f80e049dcd70004f594c02 2008.0/i586/nss_wins-3.0.37-0.1mdv2008.0.i586.rpm

917d9b433270264e4cf3b34f34d2321c 2008.0/i586/samba-client-3.0.37-0.1mdv2008.0.i586.rpm

5708af3868e7285d8236438a86300f6b 2008.0/i586/samba-common-3.0.37-0.1mdv2008.0.i586.rpm

ad4879729e556f3301081783bcaac490 2008.0/i586/samba-doc-3.0.37-0.1mdv2008.0.i586.rpm

4e015a64b77bce05dfa3d867f050d012 2008.0/i586/samba-server-3.0.37-0.1mdv2008.0.i586.rpm

d64cca7a719a74ec788a23fd312e3a99 2008.0/i586/samba-swat-3.0.37-0.1mdv2008.0.i586.rpm

4e24335e02b04cc4c5bdd6ded27fdbe4 2008.0/i586/samba-vscan-icap-3.0.37-0.1mdv2008.0.i586.rpm

c2db429ba1a00044a5e982737d1a182e 2008.0/i586/samba-winbind-3.0.37-0.1mdv2008.0.i586.rpm

3c440be2ff2004d3e3e79c30fd744991 2008.0/SRPMS/samba-3.0.37-0.1mdv2008.0.src.rpm

 

Mandriva Linux 2008.0/X86_64:

11fd683e8881b23604d2087550abf530 2008.0/x86_64/lib64smbclient0-3.0.37-0.1mdv2008.0.x86_64.rpm

64ecceaa599d680b8373efa8ad2a9d8d 2008.0/x86_64/lib64smbclient0-devel-3.0.37-0.1mdv2008.0.x86_64.rpm

57d8e14a11103a828c3159173680ff9c 2008.0/x86_64/lib64smbclient0-static-devel-3.0.37-0.1mdv2008.0.x86_64.rpm

0417912110787278d827193a39ba9e2e 2008.0/x86_64/mount-cifs-3.0.37-0.1mdv2008.0.x86_64.rpm

142d13cb94cb2daba8d7db19b73bd5f8 2008.0/x86_64/nss_wins-3.0.37-0.1mdv2008.0.x86_64.rpm

18e53c0c6376e59454d82e24df113e6b 2008.0/x86_64/samba-client-3.0.37-0.1mdv2008.0.x86_64.rpm

4bc6e0d1b91696270ef591f700a96d10 2008.0/x86_64/samba-common-3.0.37-0.1mdv2008.0.x86_64.rpm

7394ea34d00d1cc231d9755c553bb8c0 2008.0/x86_64/samba-doc-3.0.37-0.1mdv2008.0.x86_64.rpm

d406df053249c2970cd180e4a1501d2d 2008.0/x86_64/samba-server-3.0.37-0.1mdv2008.0.x86_64.rpm

34a7b8af585211e478e32182d7290f2b 2008.0/x86_64/samba-swat-3.0.37-0.1mdv2008.0.x86_64.rpm

31fda5329b280c33c5ea5257af8ffb9e 2008.0/x86_64/samba-vscan-icap-3.0.37-0.1mdv2008.0.x86_64.rpm

15e1b26b58908f28cf82d98f5f074304 2008.0/x86_64/samba-winbind-3.0.37-0.1mdv2008.0.x86_64.rpm

3c440be2ff2004d3e3e79c30fd744991 2008.0/SRPMS/samba-3.0.37-0.1mdv2008.0.src.rpm

_______________________________________________________________________

 

To upgrade automatically use MandrivaUpdate or urpmi. The verification

of md5 checksums and GPG signatures is performed automatically for you.

 

All packages are signed by Mandriva for security. You can obtain the

GPG public key of the Mandriva Security Team by executing:

 

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 

You can view other update advisories for Mandriva Linux at:

 

http://www.mandriva.com/security/advisories

 

If you want to report vulnerabilities, please contact

 

security_(at)_mandriva.com

_______________________________________________________________________

 

Type Bits/KeyID Date User ID

pub 1024D/22458A98 2000-07-10 Mandriva Security Team

 

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.9 (GNU/Linux)

 

iD8DBQFLG9hWmqjQ0CJFipgRAkzjAJ9l9txmIdbMpLFLEDOsZAcRVotVYgCg4eWs

eY4frRg9jJHVk9bBK6TtUoI=

=AOrt

-----END PGP SIGNATURE-----

 

 

------------=_1260127295-24326-1729

Content-Type: text/plain; name="message-footer.txt"

Content-Disposition: inline; filename="message-footer.txt"

Content-Transfer-Encoding: 8bit

 

To unsubscribe, send a email to sympa ( -at -) mandrivalinux.org

with this subject : unsubscribe security-announce

_______________________________________________________

Want to buy your Pack or Services from Mandriva?

Go to http://www.mandrivastore.com

Join the Club : http://www.mandrivaclub.com

_______________________________________________________

 

------------=_1260127295-24326-1729--

 

 

Share this post

Link to post

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
Sign in to follow this  
Followers 0
Go To Topic Listing Upcoming News
×