Samba-TNG 0.3.1 Security Release (fwd)

Type securityvulns
Reporter Securityvulns
Modified 2003-03-24T00:00:00


---------- Forwarded message ---------- Date: Sat, 22 Mar 2003 21:03:11 +0100 (CET) From: Stephan Lauffer <> To: Subject: [ANNOUNCE] Samba-TNG 0.3.1 Security Release

Samba-TNG-0.3.1 released

Mar 22th 2003

Today the Samba-TNG team announces a new version of Samba-TNG with two serious security fixes. We STRONGLY recommend updating to this release.

Changes to 0.3:

Samba-TNG-0.3.1 is a security and bugfixed version of 0.3 only. o Security fix of a hole found in Samba by S. Kramer of SuSE. o Security fix of a hole discovered by Elrond in the security context management of Samba-TNG. o Fix some minor bugs in the rpcclient.

Security problem description:

In probably all versions of Samba-TNG prior to 0.3.1 there were two remote root escalations discovered.

The first hole was discovered in the Samba package by Sebastian Kramer from SuSE. Cross references: MITRE CVE entry CAN-2003-0085 Exploit code for Samba is known to be circulating; it is probably only a matter of time until exploits are adapted for Samba-TNG. Peter Samuelson ported the fix from Samba to this release of Samba-TNG.

The second hole is a bug in the security context management code, discovered by Elrond from Samba-TNG. We believe that this bug does not affect the classic Samba, since their implementation of this functionality is quite different.

If you can get any (including anonymous) connection to TNG, you can become root on the target. Tcpwrappers (a compile option in TNG), the smb.conf parameters "allow host" / "deny host", or firewalls may of course reduce your exposure.

This vulnerability was discovered and fixed internally; we do not believe there are any public exploits at this time.

We don't know of any workarounds for either of the two problems.

Downloading Samba-TNG-0.3.1:

The list of available binary packages will be found at the donwload page:

Source via CVS see: cvs -d login When it prompts for a password, use anoncvs cvs -z3 -d co -r release-0-3-1 tng

Source tarball: (3082595 bytes) MD5SUM: 35627e8cfa3453e83586a70a4e175ca4

Patch file to update from 0.3: (11399 bytes) MD5SUM: ae55c7ee0ae4f86bb56f0ae5ae8e16a1

With regards, Stephan