Need to upgrade to the latest Samba 3.0.5, i'm currently working on an ebuild ------------- CAN-2004-0600 ------------- Affected Versions: Samba 3.0.2 and later The internal routine used by the Samba Web Administration Tool (SWAT v3.0.2 and later) to decode the base64 data during HTTP basic authentication is subject to a buffer overrun caused by an invalid base64 character. It is recommended that all Samba v3.0.2 or later installations running SWAT either (a) upgrade to v3.0.5, or (b) disable the swat administration service as a temporary workaround. This same code is used internally to decode the sambaMungedDial attribute value when using the ldapsam passdb backend. While we do not believe that the base64 decoding routines used by the ldapsam passdb backend can be exploited, sites using an LDAP directory service with Samba are strongly encouraged to verify that the DIT only allows write access to sambaSamAccount attributes by a sufficiently authorized user. The Samba Team would like to heartily thank Evgeny Demidov for analyzing and reporting this bug. ------------- CAN-2004-0686 ------------- Affected Versions: Samba 3.0.0 and later A buffer overrun has been located in the code used to support the 'mangling method = hash' smb.conf option. Please be aware that the default setting for this parameter is 'mangling method = hash2' and therefore not vulnerable. Affected Samba 3 installations can avoid this possible security bug by using the default hash2 mangling method. Server installations requiring the hash mangling method are encouraged to upgrade to Samba 3.0.5. Reproducible: Always Steps to Reproduce: 1. 2. 3.
ebuild commited to cvs
Arches: please mark net-fs/samba-3.0.5 stable
*** Bug 58019 has been marked as a duplicate of this bug. ***
*** Bug 58018 has been marked as a duplicate of this bug. ***
I'll draft it
amd64, ppc : please mark >=3.0.5 stable so that the GLSA can go out. arm, ia64, mips, s390 : please mark stable to benefit from the GLSA.
I found that samba 3.0.5 wouldn't build on my mips machines. However, it is quite possibly a gcc 3.4 problem. Can anyone confirm this with gcc 3.3.x? If so, it shouldn't be stable on mips at all, security issue or not.
stable on amd64
3.0.5 stable on mips.
stable on ppc now
stable on the arm !
Ready for GLSA publication. ia64, s390 : don't forget to mark stable to benefit from the GLSA.
glsa 200407-21