Arch Linux

Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#12714 - samba security update

Attached to Project: Arch Linux
Opened by Cristian C. (ckristi) - Thursday, 08 January 2009, 23:06 GMT
Last edited by Aaron Griffin (phrakture) - Thursday, 22 January 2009, 21:31 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Tobias Powalowski (tpowa)
Architecture All
Severity Medium
Priority Normal
Reported Version None
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No

Details

Description:
There's a new version of samba launched with a security update (3.2.7).
Backport of the patch is available for samba-3.2.6.

Additional info:
* Vulnerable packages: 3.2.x, where x < 7
* Patch for 3.2.6 available here:
http://us5.samba.org/samba/ftp/patches/security/samba-3.2.6-CVE-2009-0022.patch

Steps to reproduce:
When connecting to a share called "" (empty string) using an older
version of smbclient (before 3.0.28) for example with:

'smbclient //server/ -U user%pass'

access to the root filesystem is granted with the privileges of the
authenticated user. This only happens in setups with registry shares
enabled by setting "registry shares = yes" which is implicitly set with
"include = registry" and "config backend = registry",
but is not the default.
This task depends upon

Closed by  Aaron Griffin (phrakture)
Thursday, 22 January 2009, 21:31 GMT
Reason for closing:  Implemented
Comment by Cristian C. (ckristi) - Thursday, 08 January 2009, 23:13 GMT
I created a PKGBUILD with slight changes from the original, to apply the patch for the 3.2.6 version.
Comment by Glenn Matthys (RedShift) - Friday, 09 January 2009, 08:34 GMT
No need to apply a patch, 3.2.7 has been released that includes fixing this security issue.
Comment by Cristian C. (ckristi) - Friday, 09 January 2009, 08:39 GMT
Well, I think the 3.2.7 contains only this bugfix. But at that point, I wanted to break as little things as possible on my home fileserver, that's why I've chosen to apply the patch for 3.2.6.

Loading...