Debian Bug report logs - #550423
samba: CVE-2009-2906 dos and CVE-2009-2948 password access
Reported by: Michael S Gilbert <michael.s.gilbert@gmail.com>
Date: Fri, 9 Oct 2009 22:48:02 UTC
Severity: serious
Tags: patch, security
Found in version samba/3.0.24-6
Fixed in versions 2:3.4.2-1, 3.4.2-1
Done: Christian Perrier <bubulle@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>: Bug#550423; Package samba. (Fri, 09 Oct 2009 22:48:05 GMT)
Acknowledgement sent to Michael S Gilbert <michael.s.gilbert@gmail.com>: New Bug report received and forwarded. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Fri, 09 Oct 2009 22:48:05 GMT)
Message #5 received at submit@bugs.debian.org:
package: samba
version: 3.0.24-6
severity: serious
tags: security , patch
hi,
the following CVEs were issued for samba.
CVE-2009-2906 [0]:
| smbd in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8, and 3.4
| before 3.4.2 allows remote authenticated users to cause a denial of service
| (infinite loop) via an unanticipated oplock break notification reply packet.
CVE-2009-2948 [1]:
| mount.cifs in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8 and
| 3.4 before 3.4.2, when mount.cifs is installed suid root, does not properly
| enforce permissions, which allows local users to read part of the credentials file
| and obtain the password by specifying the path to the credentials file and
| using the --verbose or -v option.
these are fixed in unstable. patches are available from [2].
mike
[0] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2906
[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2948
[2] http://www.samba.org/samba/security/
Bug Marked as fixed in versions 2:3.4.2-1. Request was from Michael Gilbert <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Fri, 09 Oct 2009 23:21:04 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>: Bug#550423; Package samba. (Sat, 10 Oct 2009 05:27:06 GMT)
Acknowledgement sent to Michael S Gilbert <michael.s.gilbert@gmail.com>: Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Sat, 10 Oct 2009 05:27:06 GMT)
Message #12 received at 550423@bugs.debian.org:
On Sat, 10 Oct 2009 07:10:51 +0200 Christian Perrier wrote:
> Version: 3.4.2-1
>
> Quoting Michael S Gilbert (michael.s.gilbert@gmail.com):
> > package: samba
> > version: 3.0.24-6
> > severity: serious
> > tags: security , patch
> >
> > hi,
> >
> > the following CVEs were issued for samba.
>
>
> Fixed in 3.4.2
>
> Fixes for lenny are on their way.
good to know. thanks for the quick response.
mike
Reply sent to Christian Perrier <bubulle@debian.org>: You have taken responsibility. (Sat, 10 Oct 2009 05:27:08 GMT)
Notification sent to Michael S Gilbert <michael.s.gilbert@gmail.com>: Bug acknowledged by developer. (Sat, 10 Oct 2009 05:27:08 GMT)
Message #17 received at 550423-done@bugs.debian.org:
Version: 3.4.2-1
Quoting Michael S Gilbert (michael.s.gilbert@gmail.com):
> package: samba
> version: 3.0.24-6
> severity: serious
> tags: security , patch
>
> hi,
>
> the following CVEs were issued for samba.
Fixed in 3.4.2
Fixes for lenny are on their way.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 31 Jan 2010 07:30:51 GMT)
Last modified: Wed Jun 19 16:58:36 2019