[Fwd: Samba 2.0.8 security fix]

StyX styx at mailbox.as
Wed Apr 18 06:16:08 PDT 2001

Just in case... ;)

tridge at SAMBA.ORG wrote:
> I've just released Samba 2.0.8. This release fixes a significant
> security vulnerability that allows local users to corrupt local
> devices (such as raw disks).
> For most users the Samba Team recommends Samba 2.2.0 which has just
> been released. Version 2.2.0 has all the security fixes plus many new
> features and other bug fixes. Version 2.0.8 is meant for very
> conservative sites that want an absolutely minimal security fix rather
> than a large update.
> The security hole was found by Marcus Meissner
> (Marcus.Meissner at caldera.de) during a routine security audit of the
> Samba source code. Many thanks to Marcus and Caldera for taking the
> time to audit the code. The hole involved an incorrect usage of
> temporary files and can be exploited by a local user with a shell
> account on the Samba server to destroy data on a local device, such as
> /dev/hda. The exploit is relatively easy to perform so all sites with
> untrusted local users should update immediately to either version
> 2.0.8 or version 2.2.0.
> The 2.0.8 release is available at:
>     ftp://ftp.samba.org/pub/samba/samba-2.0.8.tar.gz
> The patch is available at:
>     ftp://ftp.samba.org/pub/samba/patches/samba-2.0.7-2.0.8.diffs.gz
> The 2.2.0 release is available at:
>     ftp://ftp.samba.org/pub/samba/samba-2.2.0.tar.gz
> We do not plan on doing any more releases of Samba 2.0.x.
> Distribution vendors have been notified about the security fix and
> will be doing new releases shortly.
> Cheers, Tridge


Joachim Blaabjerg
alias StyX
styx at mailbox.as
