Sicherheit: Denial of Service in Samba
Aktuelle Meldungen Distributionen
Name: Denial of Service in Samba
ID: SSA:2006-200-01
Distribution: Slackware
Plattformen: Slackware -current, Slackware 10.0, Slackware 10.1, Slackware 10.2
Datum: Mi, 19. Juli 2006, 11:57
Referenzen: Keine Angabe
Applikationen: Samba


Hash: SHA1

[slackware-security] Samba 2.0.23 repackaged (SSA:2006-200-01)

New Samba packages are available for Slackware 10.0, 10.1, 10.2,
and -current.

In Slackware 10.0, 10.1, and 10.2, Samba was evidently picking up
the libdm.so.0 library causing a Samba package issued primarily as
a security patch to suddenly require a library that would only be
present on the machine if the xfsprogs package (from the A series
but marked "optional") was installed. Sorry -- this was not
intentional, though I do know that I'm taking the chance of this
kind of issue when trying to get security related problems fixed
quickly (hopefully balanced with reasonable testing), and when the
fix is achieved by upgrading to a new version rather than with the
smallest patch possible to fix the known issue. However, I tend
to trust that by following upstream sources as much as possible
I'm also fixing some problems that aren't yet public.

So, all of the the 10.0, 10.1, and 10.2 packages have been rebuilt
on systems without the dm library, and should be able to directly
upgrade older samba packages without additional requirements.
Well, unless they are also under /patches. ;-)

All the packages (including -current) have been patched with a
fix from Samba's CVS for some reported problems with winbind.
Thanks to Mikhail Kshevetskiy for pointing me to the patch.

I realize these packages don't really fix security issues, but
they do fix security patch packages that are less than a couple
of days old, so it seems prudent to notify slackware-security
(and any subscribed lists) again. Sorry if it's noise...

Here are the details from the Slackware 10.2 ChangeLog:
Patched a problem in nsswitch/wins.c that caused crashes in the wins
and/or winbind libraries.
Thanks to Mikhail Kshevetskiy for pointing out the issue and offering
a reference to the patch in Samba's source repository.
Also, this version of Samba evidently created a new dependency on libdm.so
(found in the xfsprogs package in non -current Slackware versions). This
additional dependency was not intentional, and has been corrected.

Where to find the new packages:

HINT: Getting slow download speeds from ftp.slackware.com?
Give slackware.osuosl.org a try. This is another primary FTP site
for Slackware that can be considerably faster than downloading
from ftp.slackware.com.

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating additional FTP and rsync hosting
to the Slackware project! :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 10.0:

Updated package for Slackware 10.1:

Updated package for Slackware 10.2:

Updated package for Slackware -current:

MD5 signatures:

Slackware 10.0 package:
4a53b6421b029956fe6081d0d1f03bf2 samba-3.0.23-i486-2_slack10.0.tgz

Slackware 10.1 package:
9efc46b3843a478d834b349cc0d3e61f samba-3.0.23-i486-2_slack10.1.tgz

Slackware 10.2 package:
196783e4e3a6e11afcd015df51a18c34 samba-3.0.23-i486-2_slack10.2.tgz

Slackware -current package:
dcbbfa07f7f4e38d47298af671157c40 samba-3.0.23-i486-2.tgz

Installation instructions:

Upgrade the package as root:
# upgradepkg samba-3.0.23-i486-2_slack10.2.tgz

Restart the Samba services:
# sh /etc/rc.d/rc.samba restart


Slackware Linux Security Team

| To leave the slackware-security mailing list: |
| Send an email to majordomo@slackware.com with this text in the body of |
| the email message: |
| |
| unsubscribe slackware-security |
| |
| You will get a confirmation message back containing instructions to |
| complete the process. Please do not reply to this email address. |

Version: GnuPG v1.2.7 (GNU/Linux)

Unterstützer werden
Neue Nachrichten