[guru] Fwd: [jerry@samba.org: [ANNOUNCEMENT] Samba 3.0.1 - 3.0.22: memory exhaustion DoS against smbd]
DATE: Mon, 17 Jul 2006 15:57:44 +0200
Hivatalos bejelentés az smbd DoS-olhatóságáról.
A 3.0.22 verzió javítja a hibát.
----- Forwarded message from "Gerald (Jerry) Carter" <jerry@samba.org> -----
Date: Mon, 10 Jul 2006 16:05:00 -0500
From: "Gerald (Jerry) Carter" <jerry@samba.org>
To: bugtraq@securityfocus.com
Subject: [ANNOUNCEMENT] Samba 3.0.1 - 3.0.22: memory exhaustion DoS against
smbd
User-Agent: Thunderbird 1.5.0.4 (X11/20060527)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
==========================================================
==
== Subject: Memory exhaustion DoS against smbd
== CVE ID#: CAN-2006-1059
==
== Versions: Samba Samba 3.0.1 - 3.0.22 (inclusive)
==
== Summary: smbd may allow internal structures
== maintaining state for share connections
== to grow unbounded.
==
==========================================================
===========
Description
===========
The smbd daemon maintains internal data structures used track
active connections to file and printer shares. In certain
circumstances an attacker may be able to continually increase
the memory usage of an smbd process by issuing a large number
of share connection requests. This defect affects all Samba
configurations.
==================
Patch Availability
==================
A patch for Samba 3.0.1 - 3.0.22 has been posted at
http://www.samba.org/samba/security/.
Guidelines for securing Samba hosts are listed at
http://www.samba.org/docs/server_security.html
=======
Credits
=======
This security issue discovered during an internal security
audit of the Samba source code by the Samba Team.
==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org
iD8DBQFEssD8IR7qMdg1EfYRApZgAJ0TgElO/8CofcdUD9U7sbhvEVJdYgCgo41t
OtSz6FWliXOQwhwsacXOwN4=
=LALn
-----END PGP SIGNATURE-----
----- End forwarded message -----
----- Forwarded message from "Gerald (Jerry) Carter" <jerry@samba.org> -----
Date: Mon, 10 Jul 2006 18:47:38 -0500
From: "Gerald (Jerry) Carter" <jerry@samba.org>
To: bugtraq@securityfocus.com
Subject: Re: [ANNOUNCEMENT] Samba 3.0.1 - 3.0.22: memory exhaustion DoS against
smbd
User-Agent: Thunderbird 1.5.0.4 (X11/20060527)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Gerald (Jerry) Carter wrote:
> ==========================================================
> ==
> == Subject: Memory exhaustion DoS against smbd
> == CVE ID#: CAN-2006-1059
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> ==
> == Versions: Samba Samba 3.0.1 - 3.0.22 (inclusive)
> ==
> == Summary: smbd may allow internal structures
> == maintaining state for share connections
> == to grow unbounded.
> ==
> ==========================================================
This is a cut-n-paste error. The correct CVE # is
CVE-2006-3403. Sorry for any confusion. It has been
updated on the web site as well. All other information
is correct.
cheers, jerry
=====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org
iD8DBQFEsucaIR7qMdg1EfYRAiQgAKC/hRB8FFMkKYTUD3P3qSLAxXAo/wCg7n+j
6z+13jxmSlgZaA9WKenkMB0=
=W8Nz
-----END PGP SIGNATURE-----
----- End forwarded message -----