[csw-users] Security Vulnerabilities in Samba.
Jeremiah Johnson
jeremiah.johnson at gmail.com
Fri Jul 20 00:54:50 CEST 2007
Hello,
I contacted the maintainer of the Samba package well over a month ago
about some vulnerabilities in the Samba package. I've never received
a response from him, and there is no other clear method of resolving
security issues in Blastwave packages.
Samba has the following problems:
o CVE-2007-2444
Versions: Samba 3.0.23d - 3.0.25pre2
Local SID/Name translation bug can result in
user privilege elevation
o CVE-2007-2446
Versions: Samba 3.0.0 - 3.0.24
Multiple heap overflows allow remote code execution
o CVE-2007-2447
Versions: Samba 3.0.0 - 3.0.24
Unescaped user input parameters are passed as
arguments to /bin/sh allowing for remote command
execution
These problems were fixed in Samba 3.0.25(released on May 14, 2007),
3.0.25b is current, 3.0.23,REV=2006.08.09b is what Blastwave packages.
FWIW, the blastwave package is also vuln to:
(Fixed in Samba 3.0.24 Feb 5, 2007)
- CVE-2007-0452 (Potential Denial of Service bug in smbd)
- CVE-2007-0453 (Buffer overrun in NSS host lookup Winbind
NSS library on Solaris)
- CVE-2007-0454 (Format string bug in afsacl.so VFS plugin)
Further, there should be some clearly defined Blastwave policy
regarding security issues. If the maintainer cannot get to it,
somebody else from the Blastwave team should be able to handle it.
The maintainer, and a security user/list at Blastwave should probably
be subscribed to samba-announce, and similar lists for other packages
so security announcements are not missed.
Considering that one of your standards is "Efforts are focused on
providing a greater, more timely set of packages than SFW, while also
having consistency and dependancies that are not offered by
sunfreeware.com" its fairly sad that SFW has actually updated the
package before Blastwave.
FWIW, Sun has actually updated the SFW packages that they distribute
to fix this problem.
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102964-1
I really like the Blastwave distribution, after having SFW cause more
problems than it was worth, I was glad to have a friend tell me about
Blastwave. If there is any way I can actually help rectify this
problem, please let me know.
-miah
More information about the users
mailing list