FS#12714 - samba security update
Attached to Project:
Arch Linux
Opened by Cristian C. (ckristi) - Thursday, 08 January 2009, 23:06 GMT
Last edited by Aaron Griffin (phrakture) - Thursday, 22 January 2009, 21:31 GMT
Details
Description:
There's a new version of samba launched with a security update (3.2.7). Backport of the patch is available for samba-3.2.6.

Additional info:
* Vulnerable packages: 3.2.x, where x < 7
* Patch for 3.2.6 available here: http://us5.samba.org/samba/ftp/patches/security/samba-3.2.6-CVE-2009-0022.patch

Steps to reproduce:
When connecting to a share called "" (empty string) using an older version of smbclient (before 3.0.28) for example with: 'smbclient //server/ -U user%pass' access to the root filesystem is granted with the privileges of the authenticated user. This only happens in setups with registry shares enabled by setting "registry shares = yes" which is implicitly set with "include = registry" and "config backend = registry", but is not the default.
Closed by Aaron Griffin (phrakture)
Thursday, 22 January 2009, 21:31 GMT
Reason for closing: Implemented
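An added example, not part of the original ticket or of Samba: a Python check that flags a host when the package version falls in the range given in the description (3.2.x, x < 7) and the [global] section of smb.conf enables registry shares through any of the three settings the description names. The function names and the sample configuration are constructed for illustration.

```python
import re
TRUE_VALUES = {"yes", "true", "1", "on"}  # spellings treated as boolean true here

# Constructed sample smb.conf, not taken from the ticket.
SAMPLE_CONF = """\
; constructed example
[global]
   Registry Shares = Yes
   include = registry
[data]
   path = /srv/data
"""

def global_params(conf_text):
    params, section = [], "global"  # assumption: lines before any header are global
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf parameter names ignore case and whitespace
            params.append(("".join(name.split()).lower(), value.strip().lower()))
    return params

def registry_share_triggers(conf_text):
    """List the settings from the ticket that enable registry shares."""
    params = global_params(conf_text)
    last = dict(params)  # for plain parameters the last assignment wins
    hits = []
    if last.get("registryshares") in TRUE_VALUES:
        hits.append("registry shares = yes")
    if ("include", "registry") in params:
        hits.append("include = registry")
    if last.get("configbackend") == "registry":
        hits.append("config backend = registry")
    return hits

def is_vulnerable_version(version):
    """True for 3.2.x with x < 7, the range given in the ticket."""
    m = re.fullmatch(r"3\.2\.(\d+)\S*", version.strip())
    return bool(m) and int(m.group(1)) < 7

def assess(version, conf_text):
    triggers = registry_share_triggers(conf_text)
    return is_vulnerable_version(version) and bool(triggers), triggers
```

Call `assess()` with the installed package version string and the contents of the server's smb.conf; a `True` first element means both conditions from the description hold.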
Comment by Cristian C. (ckristi) - Thursday, 08 January 2009, 23:13 GMT
I created a PKGBUILD with slight changes from the original, to apply the patch for the 3.2.6 version.

Comment by Glenn Matthys (RedShift) - Friday, 09 January 2009, 08:34 GMT
No need to apply a patch, 3.2.7 has been released that includes fixing this security issue.

Comment by Cristian C. (ckristi) - Friday, 09 January 2009, 08:39 GMT
Well, I think the 3.2.7 contains only this bugfix. But at that point, I wanted to break as few things as possible on my home fileserver, that's why I've chosen to apply the patch for 3.2.6.