[gentoo-announce] [ GLSA 200607-10 ] Samba: Denial of Service vulnerability - gentoo-announce

From:	Sune Kloppenborg Jeppesen <jaervosz@g.o>
To:	gentoo-announce@l.g.o
Subject:	[gentoo-announce] [ GLSA 200607-10 ] Samba: Denial of Service vulnerability
Date:	Sun, 30 Jul 2006 19:31:04
Message-Id:	`200607302102.47946.jaervosz@gentoo.org`

1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2

Gentoo Linux Security Advisory                           GLSA 200607-10

3

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

4

                                            http://security.gentoo.org/

5

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

6

7

  Severity: Normal

8

     Title: Samba: Denial of Service vulnerability

9

      Date: July 25, 2006

10

      Bugs: #139369

11

        ID: 200607-10

12

13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

14

15

Synopsis

16

========

17

18

A large number of share connection requests could cause a Denial of

19

Service within Samba.

20

21

Background

22

==========

23

24

Samba is a freely available SMB/CIFS implementation which allows

25

seamless interoperability of file and print services to other SMB/CIFS

26

clients.

27

28

Affected packages

29

=================

30

31

    -------------------------------------------------------------------

32

     Package       /   Vulnerable   /                       Unaffected

33

    -------------------------------------------------------------------

34

  1  net-fs/samba      < 3.0.22-r3                        >= 3.0.22-r3

35

36

Description

37

===========

38

39

During an internal audit the Samba team discovered that a flaw in the

40

way Samba stores share connection requests could lead to a Denial of

41

Service.

42

43

Impact

44

======

45

46

By sending a large amount of share connection requests to a vulnerable

47

Samba server, an attacker could cause a Denial of Service due to memory

48

consumption.

49

50

Workaround

51

==========

52

53

There is no known workaround at this time.

54

55

Resolution

56

==========

57

58

All Samba users should upgrade to the latest version:

59

60

    # emerge --sync

61

    # emerge --ask --oneshot --verbose ">=net-fs/samba-3.0.22-r3"

62

63

References

64

==========

65

66

  [ 1 ] CVE-2006-3403

67

        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3403

68

69

Availability

70

============

71

72

This GLSA and any updates to it are available for viewing at

73

the Gentoo Security Website:

74

75

  http://security.gentoo.org/glsa/glsa-200607-10.xml

76

77

Concerns?

78

=========

79

80

Security is a primary focus of Gentoo Linux and ensuring the

81

confidentiality and security of our users machines is of utmost

82

importance to us. Any security concerns should be addressed to

83

security@g.o or alternatively, you may file a bug at

84

http://bugs.gentoo.org.

85

86

License

87

=======

88

89

Copyright 2006 Gentoo Foundation, Inc; referenced text

90

belongs to its owner(s).

91

92

The contents of this document are licensed under the

93

Creative Commons - Attribution / Share Alike license.

94

95

http://creativecommons.org/licenses/by-sa/2.5

1	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2	Gentoo Linux Security Advisory GLSA 200607-10
3	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4	http://security.gentoo.org/
5	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7	Severity: Normal
8	Title: Samba: Denial of Service vulnerability
9	Date: July 25, 2006
10	Bugs: #139369
11	ID: 200607-10
12
13	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15	Synopsis
16	========
17
18	A large number of share connection requests could cause a Denial of
19	Service within Samba.
20
21	Background
22	==========
23
24	Samba is a freely available SMB/CIFS implementation which allows
25	seamless interoperability of file and print services to other SMB/CIFS
26	clients.
27
28	Affected packages
29	=================
30
31	-------------------------------------------------------------------
32	Package / Vulnerable / Unaffected
33	-------------------------------------------------------------------
34	1 net-fs/samba < 3.0.22-r3 >= 3.0.22-r3
35
36	Description
37	===========
38
39	During an internal audit the Samba team discovered that a flaw in the
40	way Samba stores share connection requests could lead to a Denial of
41	Service.
42
43	Impact
44	======
45
46	By sending a large amount of share connection requests to a vulnerable
47	Samba server, an attacker could cause a Denial of Service due to memory
48	consumption.
49
50	Workaround
51	==========
52
53	There is no known workaround at this time.
54
55	Resolution
56	==========
57
58	All Samba users should upgrade to the latest version:
59
60	# emerge --sync
61	# emerge --ask --oneshot --verbose ">=net-fs/samba-3.0.22-r3"
62
63	References
64	==========
65
66	[ 1 ] CVE-2006-3403
67	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3403
68
69	Availability
70	============
71
72	This GLSA and any updates to it are available for viewing at
73	the Gentoo Security Website:
74
75	http://security.gentoo.org/glsa/glsa-200607-10.xml
76
77	Concerns?
78	=========
79
80	Security is a primary focus of Gentoo Linux and ensuring the
81	confidentiality and security of our users machines is of utmost
82	importance to us. Any security concerns should be addressed to
83	security@g.o or alternatively, you may file a bug at
84	http://bugs.gentoo.org.
85
86	License
87	=======
88
89	Copyright 2006 Gentoo Foundation, Inc; referenced text
90	belongs to its owner(s).
91
92	The contents of this document are licensed under the
93	Creative Commons - Attribution / Share Alike license.
94
95	http://creativecommons.org/licenses/by-sa/2.5

Gentoo Archives: gentoo-announce