Gentoo Archives: gentoo-announce

From: Sune Kloppenborg Jeppesen <jaervosz@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] ERRATA: [ GLSA 200409-14 ] Samba: Remote printing non-vulnerability
Date: Fri, 10 Sep 2004 12:48:04
Message-Id: 200409101422.57615.jaervosz@gentoo.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory [ERRATA UPDATE] GLSA 200409-14:02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Low
Title: Samba: Remote printing non-vulnerability
Date: September 10, 2004
Bugs: #62476
ID: 200409-14:02

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Errata
======

This advisory incorrectly described Samba versions as being vulnerable
to a remote denial of service. After further verification, it appears
that a remote user can only deny service to himself, so this bug does
not induce any security issue at all. The corrected sections appear
below.

Synopsis
========

Samba has a bug with out-of-sequence print change notification
requests, but it cannot be used to perform a remote denial of service
attack.

Affected packages
=================

There are no affected packages.

Description
===========

Due to a bug in the printer_notify_info() function, authorized users
could potentially crash their smbd process by sending improperly
handled print change notification requests in an invalid order. Windows
XP SP2 clients can trigger this behavior by sending a
FindNextPrintChangeNotify() request before previously sending a
FindFirstPrintChangeNotify() request.

Impact
======

We incorrectly thought that this bug could be exploited to deny service
to all Samba users. It is not the case; this bug has no security impact
whatsoever. Many thanks to Jerry Carter from the Samba team for
correcting our mistake.

Workaround
==========

There is no need for a workaround.

Resolution
==========

Samba users can keep their current versions.

References
==========

[ 1 ] Samba Release Notes
http://samba.org/samba/history/samba-3.0.6.html
[ 2 ] Samba Bug #1520
https://bugzilla.samba.org/show_bug.cgi?id=1520

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200409-14.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBQZxEzKC5hMHO6rkRAkBgAJwLjo2yVXdSw/JarAQu1braP2go2ACeODSp
jcbJYy36/rPusdMvF8aMWxo=
=J7+u
-----END PGP SIGNATURE-----