Bug 290633 (CVE-2009-2906) - <net-fs/samba-3.0.37: Denial of Service (CVE-2009-{2906,2948})
Summary: <net-fs/samba-3.0.37: Denial of Service (CVE-2009-{2906,2948})
Status: RESOLVED FIXED
Alias: CVE-2009-2906
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://samba.org/samba/security/CVE-2...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks: CVE-2010-2063
Reported: 2009-10-26 21:06 UTC by Tobias Heinlein (RETIRED)
Modified: 2012-06-24 13:04 UTC

See Also:
Package list:
Runtime testing required: ---


Description Tobias Heinlein (RETIRED) gentoo-dev 2009-10-26 21:06:00 UTC
CVE-2009-2906 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2906):
  smbd in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8,
  and 3.4 before 3.4.2 allows remote authenticated users to cause a
  denial of service (infinite loop) via an unanticipated oplock break
  notification reply packet.
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2009-10-26 21:07:09 UTC
Maintainers, please bump/provide a fixed ebuild.
Comment 2 Tobias Heinlein (RETIRED) gentoo-dev 2009-10-26 21:08:12 UTC
CVE-2009-2948 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2948):
  mount.cifs in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before
  3.3.8 and 3.4 before 3.4.2, when mount.cifs is installed suid root,
  does not properly enforce permissions, which allows local users to
  read part of the credentials file and obtain the password by
  specifying the path to the credentials file and using the --verbose
  or -v option.

Comment 3 Patrick Lauer gentoo-dev 2009-11-02 11:13:02 UTC
All ebuilds are there:
samba-3.0.37.ebuild
samba-3.2.15.ebuild
samba-3.3.9.ebuild (plus split ebuilds)
samba-3.4.3.ebuild (plus split ebuilds)

Only stable version was 3.0, so I suggest stabling 3.0.37.
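An affected-version check that encodes the branch thresholds quoted in the two CVE descriptions above and maps each affected branch to the fixed ebuild listed in Comment 3. This is added example code for this page, not Samba's or Gentoo's own tooling; the function and constant names are my own, and versions in branches the advisory does not name are treated as unaffected because the CVE text enumerates only 3.0, 3.2, 3.3 and 3.4.

```python
import re
from typing import Optional, Tuple

# Upstream fix thresholds per branch, as stated in both CVE descriptions:
# "3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8, 3.4 before 3.4.2".
FIXED_UPSTREAM = {
    (3, 0): (3, 0, 37),
    (3, 2): (3, 2, 15),
    (3, 3): (3, 3, 8),
    (3, 4): (3, 4, 2),
}

# Gentoo ebuilds carrying the fix (Comment 3). Note that the 3.3 and 3.4
# ebuilds are one point release later than the upstream threshold.
FIXED_EBUILD = {
    (3, 0): "3.0.37",
    (3, 2): "3.2.15",
    (3, 3): "3.3.9",
    (3, 4): "3.4.3",
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract X.Y.Z from a bare version ('3.0.36') or a Gentoo atom
    ('net-fs/samba-3.0.36-r1'); the -rN revision does not affect the range."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no X.Y.Z version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the version lies below the fix threshold of its own branch.
    Branches not listed in the advisory are reported as unaffected."""
    v = parse_version(version)
    threshold = FIXED_UPSTREAM.get(v[:2])
    return threshold is not None and v < threshold


def fixed_ebuild_for(version: str) -> Optional[str]:
    """Gentoo version to upgrade to on this branch, or None if not affected."""
    if not is_affected(version):
        return None
    return FIXED_EBUILD[parse_version(version)[:2]]
```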
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-11-04 02:34:49 UTC
Arches, please test and mark stable:
=net-fs/samba-3.0.37
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 5 Markus Meier gentoo-dev 2009-11-04 11:16:23 UTC
amd64/x86 stable
Comment 6 Markus Meier gentoo-dev 2009-11-04 14:07:36 UTC
arm stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2009-11-05 16:10:01 UTC
alpha/ia64/s390/sh/sparc stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2009-11-05 19:57:39 UTC
Stable for HPPA.
Comment 9 Brent Baude (RETIRED) gentoo-dev 2009-11-17 16:47:20 UTC
ppc64 done
Comment 10 nixnut (RETIRED) gentoo-dev 2009-11-21 20:01:03 UTC
ppc stable
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2009-12-18 01:54:04 UTC
Vote: yes.
Comment 12 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-08-12 20:44:13 UTC
Vote: YES, together with the rest.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2012-06-24 13:04:52 UTC
This issue was resolved and addressed in
 GLSA 201206-22 at http://security.gentoo.org/glsa/glsa-201206-22.xml
by GLSA coordinator Sean Amoss (ackle).