[Pkg-samba-maint] Bug#550423: samba: CVE-2009-2906 dos and CVE-2009-2948 password access
Michael S Gilbert
michael.s.gilbert at gmail.com
Fri Oct 9 22:44:51 UTC 2009
package: samba
version: 3.0.24-6
severity: serious
tags: security , patch
hi,
the following CVEs were issued for samba.
CVE-2009-2906 [0]:
| smbd in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8, and 3.4
| before 3.4.2 allows remote authenticated users to cause a denial of service
| (infinite loop) via an unanticipated oplock break notification reply packet.
CVE-2009-2948 [1]:
| mount.cifs in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8 and
| 3.4 before 3.4.2, when mount.cifs is installed suid root, does not properly
| enforce permissions, which allows local users to read part of the
credentials file
| and obtain the password by specifying the path to the credentials file and
| using the --verbose or -v option.
these are fixed in unstable. patches are available from [2].
mike
[0] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2906
[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2948
[2] http://www.samba.org/samba/security/
More information about the Pkg-samba-maint
mailing list