---------- Forwarded message ---------- Date: Sat, 22 Mar 2003 21:03:11 +0100 (CET) From: Stephan Lauffer <firstname.lastname@example.org> To: email@example.com Subject: [ANNOUNCE] Samba-TNG 0.3.1 Security Release
Mar 22th 2003
Today the Samba-TNG team announces a new version of Samba-TNG with two serious security fixes. We STRONGLY recommend updating to this release.
Samba-TNG-0.3.1 is a security and bugfixed version of 0.3 only. o Security fix of a hole found in Samba by S. Kramer of SuSE. o Security fix of a hole discovered by Elrond in the security context management of Samba-TNG. o Fix some minor bugs in the rpcclient.
In probably all versions of Samba-TNG prior to 0.3.1 there were two remote root escalations discovered.
The first hole was discovered in the Samba package by Sebastian Kramer from SuSE. Cross references: MITRE CVE entry CAN-2003-0085 http://us1.samba.org/samba/whatsnew/samba-2.2.8.html Exploit code for Samba is known to be circulating; it is probably only a matter of time until exploits are adapted for Samba-TNG. Peter Samuelson ported the fix from Samba to this release of Samba-TNG.
The second hole is a bug in the security context management code, discovered by Elrond from Samba-TNG. We believe that this bug does not affect the classic Samba, since their implementation of this functionality is quite different.
If you can get any (including anonymous) connection to TNG, you can become root on the target. Tcpwrappers (a compile option in TNG), the smb.conf parameters "allow host" / "deny host", or firewalls may of course reduce your exposure.
This vulnerability was discovered and fixed internally; we do not believe there are any public exploits at this time.
We don't know of any workarounds for either of the two problems.
The list of available binary packages will be found at the donwload page: http://www.samba-tng.org/download.html
Source via CVS see: cvs -d :pserver:firstname.lastname@example.org:/home/cvsroot login When it prompts for a password, use anoncvs cvs -z3 -d :pserver:email@example.com:/home/cvsroot co -r release-0-3-1 tng
Source tarball: http://www.samba-tng.org/download/tng/samba-tng-0.3.1.tar.gz (3082595 bytes) MD5SUM: 35627e8cfa3453e83586a70a4e175ca4
Patch file to update from 0.3: http://www.samba-tng.org/download/tng/samba-tng-0.3-0.3.1.diff.gz (11399 bytes) MD5SUM: ae55c7ee0ae4f86bb56f0ae5ae8e16a1
With regards, Stephan