[opensuse-security] SUSE Security Announcement: samba (SUSE-SA:2007:065)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Announcement
Package: samba
Announcement ID: SUSE-SA:2007:065
Date: Wed, 05 Dec 2007 16:00:00 +0000
Affected Products: SUSE LINUX 10.0
SUSE LINUX 10.1
openSUSE 10.2
openSUSE 10.3
UnitedLinux 1.0
SuSE Linux Enterprise Server 8
SuSE Linux Openexchange Server 4
SuSE Linux Desktop 1.0
SuSE Linux Standard Server 8
SuSE Linux School Server
SUSE LINUX Retail Solution 8
SUSE SLES 9
Novell Linux Desktop 9
Open Enterprise Server
Novell Linux POS 9
SUSE Linux Enterprise Desktop 10 SP1
SLE SDK 10 SP1
SUSE Linux Enterprise Server 10 SP1
Vulnerability Type: remote code execution
Severity (1-10): 7
SUSE Default Package: no
Cross-References: CVE-2007-5398
CVE-2007-4572
Content of This Advisory:
1) Security Vulnerability Resolved:
fixed two buffer overflows
Problem Description
2) Solution or Work-Around
3) Special Instructions and Notes
4) Package Location and Checksums
5) Pending Vulnerabilities, Solutions, and Work-Arounds:
none
6) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Problem Description and Brief Discussion
The samba-suite is an open-source implementation of the SMB protocol.
CVE-2007-5398:
Secunia Research has reported a bug in function reply_netbios_packet()
that allowed remote attackers to execute arbitrary code
by sending specially crafted WINS "Name Registration" requests followed
by a WINS "Name Query" request packet.
The exploitable code in samba can only be reached if the option "wins
support" was enabled.
CVE-2007-4572:
Another bug reported by Secunia Research affected the processing of GETDC
mailslot request in nmbd. This error can also be exploited remotely to
execute arbitrary code, but only if samba was configured as Primary or
Backup Domain Controller.
2) Solution or Work-Around
Please install the provided samba update packages.
3) Special Instructions and Notes
Please restart the samba daemons.
4) Package Location and Checksums
The preferred method for installing security updates is to use the YaST
Online Update (YOU) tool. YOU detects which updates are required and
automatically performs the necessary steps to verify and install them.
Alternatively, download the update packages for your distribution manually
and verify their integrity by the methods listed in Section 6 of this
announcement. Then install the packages using the command
rpm -Fhv
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Content-ID:
SUSE Security Announcement
Package: samba Announcement ID: SUSE-SA:2007:065 Date: Wed, 05 Dec 2007 16:00:00 +0000 Affected Products: SUSE LINUX 10.0 SUSE LINUX 10.1 openSUSE 10.2 openSUSE 10.3
Does this one solve the core dump reported here and in: https://bugzilla.novell.com/show_bug.cgi?id=345437 https://bugzilla.samba.org/show_bug.cgi?id=5087#c10 ? - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iD8DBQFHVsg/tTMYHG2NR9URAqEeAJ9mvCY/UuADrZHfSU2ercbDUo+80gCgiGIZ BCUN65Kt0/YMXIKCWM5Gyko= =Queh -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
On Wed, Dec 05, 2007 at 04:48:13PM +0100, Carlos E. R. wrote:
Content-ID:
The Wednesday 2007-12-05 at 16:16 +0100, Thomas Biege wrote:
SUSE Security Announcement
Package: samba Announcement ID: SUSE-SA:2007:065 Date: Wed, 05 Dec 2007 16:00:00 +0000 Affected Products: SUSE LINUX 10.0 SUSE LINUX 10.1 openSUSE 10.2 openSUSE 10.3
Does this one solve the core dump reported here and in:
https://bugzilla.novell.com/show_bug.cgi?id=345437 https://bugzilla.samba.org/show_bug.cgi?id=5087#c10
?
This was the update that causes this problem, the packages for this were the ones released last Thursday. We are working on fixed packages for the core dump problem, there are more issues in various places. Ciao, Marcus --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Wednesday 2007-12-05 at 16:52 +0100, Marcus Meissner wrote:
?
This was the update that causes this problem, the packages for this were the ones released last Thursday.
I thought so.
We are working on fixed packages for the core dump problem, there are more issues in various places.
Ah, ok, thanks. I already had reverted to the version on the DVD, as the security problem is no concern in my particular case, so I can wait :-) - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.4-svn0 (GNU/Linux) iD8DBQFHV3MItTMYHG2NR9URAmPzAJ9sV3MKH2G9bSfZJ5sQ14u93EhrAQCeKaCp oNgIPhTDVxSbqQToouOxVA4= =DVlx -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
participants (3)
-
Carlos E. R.
-
Marcus Meissner
-
Thomas Biege