Samba-TNG-0.3.2 released ========================== April 07th 2003 Digital Defense, Inc. discovered a security hole in Samba and Samba-TNG. The CVE assigned the vulnerability under CVE ID CAN-2003-0201. We recommend that every Samba-TNG installation be updated immediately. Changes to 0.3.2: ------------------ Samba-TNG 0.3.2 is a security and bugfixed version of 0.3.1 only. o Fix of CAN-2003-0201 o Report the same pipe names as Win2k (Samba 3.0 alpha releases seem to rely on this behavior; Microsoft clients apparently do not care) o Minor compile fix for strict ISO C compilers (like gcc 3.3) Security problem description: ------------------------------- Digital Defense discovered that a string copy operation is performed with an incorrect buffer length check. If an attacker has the ability to open a connection to a Samba-TNG server (even an anonymous connection), he can gain root access to the server. A subsequent audit of the rest of the Samba-TNG codebase turned up a few other similar errors, although these are not believed to be exploitable. All versions of Samba-TNG prior to 0.3.2 are affected by this hole. (Most versions of Samba are vulnerable as well, so if you have Samba servers, you should upgrade those too.) There is no known workaround. Cross References: o Common Vulnerabilities and Exposures (CVE) CAN-2003-0201 o Security Advisory for Samba 2.2.8a at http://de.samba.org/samba/samba.html Downloading Samba-TNG-0.3.2: ------------------------------ The list of available binary packages will be found at the download page: http://www.samba-tng.org/download.html Source via CVS see: cvs -d :pserver:anoncvs@anoncvs.dcerpc.org:/home/cvsroot login When it prompts for a password, use anoncvs cvs -z3 -d :pserver:anoncvs@anoncvs.dcerpc.org:/home/cvsroot co -r release-0-3-2 tng Source tarball: http://www.samba-tng.org/download/tng/samba-tng-0.3.2.tar.gz Size: 3085102 MD5SUM: 1796780d1105f28c4c16a994705e327a Patch files to apply from older releases: http://www.samba-tng.org/download/tng/samba-tng-0.3-0.3.2.diff.gz Size: 36300 MD5SUM: 1a1a8828d7a76087f0c8143afb1a3efc http://www.samba-tng.org/download/tng/samba-tng-0.3.1-0.3.2.diff.gz Size: 4158 MD5SUM: 28e224971ad028b7661321d38c252c7a Credits: ---------- The Samba-TNG Team wishes to thank Digital Defense, Inc. and Jerry Carter for detailed information about the vulnerability, including the Samba patch. With regards, Peter Samuelson for the Samba-TNG Team