Date: Tue, 22 Apr 2003 12:15:54 -0400
From: madodel at ptdprolog.net
Subject: [VOICENWS] Net: Vulnerability warning - Samba 2.2.8a

[Moderator note: There is no current version of Samba server for OS/2 that I am aware of, but if you are on a network using Samba, you might want to look into this warning. Also I am told that the source for this updated version of Samba is available if someone wants to port it to OS/2.]

From: Joerg Sievers

English Source:
German source:

News: (7 Apr, 2003) Security Advisory - Samba 2.2.8a security available for download

Digital Defense, Inc. has alerted the Samba Team to a serious vulnerability in all stable versions of Samba currently shipping. The Common Vulnerabilities and Exposures (CVE) project has assigned the ID CAN-2003-0201 to this defect. This vulnerability, if exploited correctly, leads to an anonymous user gaining root access on a Samba serving system. All versions of Samba up to and including Samba 2.2.8 are vulnerable. An active exploit of the bug has been reported in the wild. Alpha versions of Samba 3.0 and above are *NOT* vulnerable.

The 2.2.8a release contains only updates to address this security issue. A rollup patch for release 2.2.7a and 2.0.10 addressing both CAN-2003-0201 and CAN-2003-0085 can be obtained from this directory.

The source tarball is available in both gzip format and bzip2 format. The uncompressed tarball signature should also be downloaded to verify the archive's integrity. Here is the Samba Distribution Key for verifying the tarball. Finally, here is the patchfile against 2.2.8 (signature).

If you suspect your system may have been attacked, please consult the AusCERT/CERT checklist for responding to a suspected compromise. Please contact security at samba.org if your machine has been attacked.

[Moderator's note: Because of the incredible increase in SPAM lately I will now endeavor to add DESPAM to email addresses in all posts to the News list.
If you wish to send a response to someone listed in the post be sure to remove the "DESPAM" from the email address.]