[ Thanks to Vance Lankhaar for
this link. ]
This release provides an important security fix outlined in the
release notes that follow. This is the latest stable release of
Samba and the version that all production Samba servers should be
running for all current bug-fixes.
The source code can be downloaded from :
in the file samba-2.2.8a.tar.gz or samba-2.2.8a.tar.bz2. Both
archives have been signed using the Samba Distribution Key
(available in the samba directory on the web server).
Binary packages will be released shortly for major platforms and
can be found at
As always, all bugs are our responsibility.
–Sincerely
The Samba Team
****************************************
* IMPORTANT: Security bugfix for Samba *
****************************************
Summary
- -------
Digital Defense, Inc. has alerted the Samba Team to a serious
vulnerability in all stable versions of Samba currently shipping.
The Common Vulnerabilities and Exposures (CVE) project has assigned
the ID CAN-2003-0201 to this defect.
This vulnerability, if exploited correctly, leads to an anonymous
user gaining root access on a Samba serving system. All versions
of Samba up to and including Samba 2.2.8 are vulnerable. An active
exploit of the bug has been reported in the wild. Alpha versions of
Samba 3.0 and above are *NOT* vulnerable.
Credit
- ------
The Samba Team would like to thank Erik Parker and the team at
Digital Defense, Inc. for their efforts spent in the responsible
and timely reporting of this bug.
Patch Availability
- ------------------
The Samba 2.2.8a release contains only updates to address this
security issue. A roll-up patch for release 2.2.7a and 2.0.10
addressing both CAN-2003-0201 and CAN-2003-0085 can be obtained
from http://www.samba.org/samba/ftp/patches/security/.