author | Gerald Carter <jerry@samba.org> | 2002-11-20 14:57:31 +0000 |
---|---|---|
committer | Gerald Carter <jerry@samba.org> | 2002-11-20 14:57:31 +0000 |
commit | 49d9fee47223ef9b17bcca62bb65a2953337d0a5 (patch) | |
tree | 0285830b27266ebf24fc5173cceea4197e29186b | |
parent | 1baaf441170c0d8d4892f197738540d41ca081e9 (diff) | |
download | samba-49d9fee47223ef9b17bcca62bb65a2953337d0a5.tar.gz |
new WHATSNEW for 2.2.7
-rw-r--r-- | WHATSNEW.txt | 112 |
1 files changed, 108 insertions, 4 deletions
diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 80176e27257..418263c6f35 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,8 +1,112 @@ - WHAT'S NEW IN Samba 2.2.6 - 16th October 2002 - ============================================= + WHAT'S NEW IN Samba 2.2.7 - 20th November 2002 + ============================================== -This is the latest stable release of Samba. This is the version that all -production Samba servers should be running for all current bug-fixes. +This is the latest stable release of Samba. This is the version +that all production Samba servers should be running for all current +bug-fixes. + +IMPORTANT: Security bugfix for Samba +------------------------------------ + +Summary +------- + +A security hole has been discovered in versions 2.2.2 through 2.2.6 +of Samba that could potentially allow an attacker to gain root access +on the target machine. The word "potentially" is used because there +is no known exploit of this bug, and the Samba Team has not been able to +craft one ourselves. However, the seriousness of the problem warrants +this immediate 2.2.7 release. + +In addition to addressing this security issue, Samba 2.2.7 also includes +thirteen unrelated improvements. These improvements result from our +process of continuous quality assurance and code review, and are part of +the Samba team's committment to excellence. + +Details +------- + +There was a bug in the length checking for encrypted password change +requests from clients. A client could potentially send an encrypted +password, which, when decrypted with the old hashed password could be +used as a buffer overrun attack on the stack of smbd. The attach would +have to be crafted such that converting a DOS codepage string to little +endian UCS2 unicode would translate into an executable block of code. + +All versions of Samba between 2.2.2 to 2.2.6 inclusive are vulnerable +to this problem. This version of Samba 2.2.7 contains a fix for this +problem. + +Earlier versions of Samba are not vulnerable. 
+ +There is no known exploit or exploit code for this vulnerability, +it was discovered by a code audit by Debian Samba maintainers. + +Credit +------ + +Thanks to Steve Langasek <vorlon@debian.org> and Eloy Paris +<peloy@debian.org> for bringing this vulnerability to our notice. + +Patch for Samba versions 2.2.2 to 2.2.6 +--------------------------------------- + +The following patch applies cleanly to the above Samba versions +and will fix the vulnerability for sites that do not wish to upgrade +to 2.2.7 at this time. + + +-------------------------------cut here--------------------------------- +--- libsmb/smbencrypt.c.orig Tue Nov 19 17:21:57 2002 ++++ libsmb/smbencrypt.c Tue Nov 19 17:22:12 2002 +@@ -63,7 +63,7 @@ + if(len > 128) + len = 128; + /* Password must be converted to NT unicode - null terminated. */ +- dos_struni2((char *)wpwd, (const char *)passwd, 256); ++ dos_struni2((char *)wpwd, (const char *)passwd, len); + /* Calculate length in bytes */ + len = strlen_w((const smb_ucs2_t *)wpwd) * sizeof(int16); +-------------------------------cut here--------------------------------- + + + +Changes since 2.2.6 +-------------------- + +See the cvs log for SAMBA_2_2 for more details + +1) ensure we send the notify message in the same way it is expected + to be received by srv_spoolss_receive_message(). +2) attribute matching on truncate only matters when opening truncate + with current SYSTEM|HIDDEN -> NONE. It's fine to truncate on open + with current NONE -> SYSTEM | HIDDEN. 
+3) Fix bug in rpcclient's deldriver command +4) Don't set global_machine_password_needs_changing if + lp_machine_password_timeout() is set to zero +5) don't parse the BUFFER5 if the buffer length is zero +6) fix core dump if pdbedit is run as non-root or smbpasswd file does + not exist +7) Ensure can_delete() returns correct error code +8) correctly return NT_STATUS_DELETE_PENDING from open code +9) fix bug that assumed dos_unistr2 length was in ucs2 units, not bytes +10) check the long_archi name is not null when deleting a printer driver. + fixes core dump in smbd when using rpcclient's deldriver +11) fix fd leak with kernel change notify on Linux 2.4 kernels +12) must add one to the extra_data size to transfer the 0 string + terminator. This was causing "wbinfo --sequence" to access past the + end of malloced memory +13) fix for large systems allowing more than 65536 files open in + NTcreate&X +14) Fix bug in %U expansion + + + ========================================= + +Older releases notes for 2.2.x distributions follow + +----------------------------------------------------------------------------- +The release notes for 2.2.6 follow : There have been several fixes and internal enhancements which include: |
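Review bot: the Summary paragraph says 2.2.7 "also includes thirteen unrelated improvements", but the "Changes since 2.2.6" list that follows is numbered 1 through 14; reconcile the count before release (items 3 and 10 both describe the rpcclient deldriver core dump, so either merge them or say "fourteen"). Two typos in the Details paragraph: "The attach would have to be crafted" should read "attack", and "committment" in the Summary should be "commitment"; "between 2.2.2 to 2.2.6" reads better as "between 2.2.2 and 2.2.6". For the embedded smbencrypt.c patch, the one-line change from `256` to `len` is only safe because of the `if(len > 128) len = 128;` clamp shown two lines above it, yet the advisory never states what dos_struni2's third argument bounds (source characters or destination bytes) or how large `wpwd` is, so a reader cannot confirm from the hunk alone that 128 fits; add a sentence to the Details section saying what the argument limits and why 128 is within the buffer, since sites applying this patch to 2.2.2 through 2.2.6 will want to verify it rather than trust it.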