Notified: April 09, 2003 Updated: April 11, 2003
Affected
Apple has released Mac OS X 10.2.5 which includes the patch from the Samba team for this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Please see the announcement for Mac OS X 10.2.5.
Notified: April 09, 2003 Updated: April 09, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Please see CLSA-2003:624.
Notified: April 09, 2003 Updated: April 10, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 09, 2003 Updated: April 10, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 09, 2003 Updated: April 09, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Please see DSA-280.
Notified: April 09, 2003 Updated: April 09, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Please see FreeBSD-SN-03:01.
Notified: April 09, 2003 Updated: April 09, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: April 10, 2003
Affected
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 GENTOO LINUX SECURITY ANNOUNCEMENT 200304-02 PACKAGE : samba SUMMARY : Buffer overflow DATE : 2003-04-09 08:44 UTC EXPLOIT : remote VERSIONS AFFECTED : <2.2.8a FIXED VERSION : >=2.2.8a CVE : CAN-2003-0201 - From advisory: "An anonymous user can gain remote root access due to a buffer overflow caused by a StrnCpy() into a char array (fname) using a non-constant length (namelen)." Read the full advisory at: http://marc.theaimsgroup.com/?l=bugtraq&m=104972664226781&w=2 SOLUTION It is recommended that all Gentoo Linux users who are running net-fs/samba upgrade to samba-2.2.8a as follows: emerge sync emerge samba emerge clean aliz@gentoo.org - GnuPG key is available at http://cvs.gentoo.org/~aliz -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+k91YfT7nyhUpoZMRAtowAKDAgOYrqeXDRilQkDN/SBXJegJ6RgCgsSRV ni8x1vst4U3vttassFEdpfA= =wFgE -----END PGP SIGNATURE-----
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 09, 2003 Updated: April 10, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 09, 2003 Updated: April 10, 2003
Affected
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Source: Source: HEWLETT-PACKARD COMPANY Software Security Response Team Published: SECURITY BULLETIN HPSBUX0304-254 Originally issued: 09 April 2003 SSRT3536 Potential Security Vulnerability in CIFS/9000 Server CIFS/9000 Server is potentially vulnerable to altered SMB/CIFS network messages. Note: Although having similar descriptions, this is a different vulnerability from that described in HPSBUX0303-251 SSRT3509 Potential Security Vulnerability in CIFS/9000 Server. Using the fix described in this bulletin will correct both vulnerabilities. NOTE: Using your itrc account security bulletins can be found here: http://itrc.hp.com/cki/bin/doc.pl/screen=ckiSecurityBulletin Note: The following are not vulnerable: HP OpenVMS HP NonStop Servers HP Secure Web Servers for HP Tru64 UNIX HP Secure Web Servers for HP Tru64 OpenVMS To report potential security vulnerabilities in HP software, send an E-mail message to: mailto:security-alert@hp.com -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.1 iQA/AwUBPpSZhDnTu2ckvbFuEQK9vQCeKGkqYmGB1hvQktsd4zzCVbUTPjUAoN1V rYSaNyLeXqcqGvdb0U+hIwVa =59Tc -----END PGP SIGNATURE-----
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 09, 2003 Updated: April 10, 2003
Affected
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The AIX Toolbox for Linux ships with Samba. Security fixes for the issues discussed in CERT Vulnerability Note VU#267873 have been incorporated into Samba 2.2.7-4 and is available for download from: ftp://ftp.software.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ ppc/samba/samba-2.2.7-4.aix4.3.ppc.rpm Note that the URL given spans two lines. This download also contains fixes for the issues discussed in CERT Vulnerability Note VU#298233 Please note these items are shipped "as is" and are unwarranted. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (MingW32) iD8DBQE+lIBlcnMXzUg7txIRApmHAKCSlysEH5U3Ibs6cInZbqBhUrabTgCfWmJp zCwi/cRcKLx8JzXDy6JJVwo= =/OXU -----END PGP SIGNATURE-----
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 09, 2003 Updated: April 10, 2003
Not Affected
Ingrian Platforms do not include Samba and thus are not affected by this issue.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 09, 2003 Updated: April 09, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Please see MDKSA-2003:044.
Notified: April 09, 2003 Updated: April 10, 2003
Affected
MontaVista was vulnerable to this issue. We advise customers to use our support web site or contact their support representative for an updated package.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 09, 2003 Updated: April 09, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 09, 2003 Updated: April 09, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 09, 2003 Updated: April 09, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 09, 2003 Updated: April 14, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Updated: April 09, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Please see OpenPKG-SA-2003.028.
Notified: April 09, 2003 Updated: April 09, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 09, 2003 Updated: April 10, 2003
Affected
Red Hat Linux and Red Hat Enterprise Linux ship with a Samba package vulnerable to this issue. Updated Samba packages are available along with our advisory at the URLs below. Users of the Red Hat Network can update their systems using the 'up2date' tool. Red Hat Linux: http://rhn.redhat.com/errata/RHSA-2003-137.html Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2003-138.html
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: April 10, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
These vulnerabilities are addressed in Samba 2.2.8a:
Updated: April 10, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
These vulnerabilities are addressed in Samba-TNG 0.3.2:
Notified: April 09, 2003 Updated: May 15, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Please see CSSA-2003-017.
Notified: April 09, 2003 Updated: April 09, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 09, 2003 Updated: April 09, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Please see SGI Security Advisory 20030403-01-P.
Updated: April 10, 2003
Affected
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] Samba security problem fixed The samba packages in Slackware 8.1 and 9.0 have been upgraded to Samba 2.2.8a to fix a security problem. All sites running samba should upgrade. Here are the details from the Slackware 9.0 ChangeLog: Mon Apr 7 14:26:53 PDT 2003 patches/packages/samba-2.2.8a-i386-1.tgz: Upgraded to samba-2.2.8a. From the samba-2.2.8a WHATSNEW.txt: * IMPORTANT: Security bugfix for Samba * Digital Defense, Inc. has alerted the Samba Team to a serious vulnerability in all stable versions of Samba currently shipping. The Common Vulnerabilities and Exposures (CVE) project has assigned the ID CAN-2003-0201 to this defect. This vulnerability, if exploited correctly, leads to an anonymous user gaining root access on a Samba serving system. All versions of Samba up to and including Samba 2.2.8 are vulnerable. An active exploit of the bug has been reported in the wild. Alpha versions of Samba 3.0 and above are *NOT* vulnerable. (* Security fix *) More information may be found in the Samba 2.2.8a release notes. WHERE TO FIND THE NEW PACKAGES: Updated Samba package for Slackware 8.1: ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/samba-2.2.8a-i386-1.tgz Updated Samba package for Slackware 9.0: ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/samba-2.2.8a-i386-1.tgz MD5 SIGNATURES: Here are the md5sums for the packages: Slackware 8.1 package: 875ef129196f56d71c833911f3156cd5 samba-2.2.8a-i386-1.tgz Slackware 9.0 package: d1d2b689b79a1a8dfc0ee34fd390e72c samba-2.2.8a-i386-1.tgz INSTALLATION INSTRUCTIONS: As root, stop the samba server: . /etc/rc.d/rc.samba stop Next, upgrade the samba package(s) with upgradepkg: upgradepkg samba-2.2.8a-i386-1.tgz Finally, start samba again: . /etc/rc.d/rc.samba start Slackware Linux Security Team http://slackware.com/gpg-key security@slackware.com | HOW TO REMOVE YOURSELF FROM THIS MAILING LIST: | | Send an email to majordomo@slackware.com with this text in the body of | | the email message: | | unsubscribe slackware-security | | You will get a confirmation message back. Follow the instructions to | | complete the unsubscription. Do not reply to this message to | | unsubscribe! -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQE+kfZlakRjwEAQIjMRAunYAJwO7tAYu+nT6eK3pl/QUFDRNJK5RACfb27W sky8+QhsZnx0/Jezsuk0EwY= =BAYr -----END PGP SIGNATURE-----
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 09, 2003 Updated: April 09, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Updated: April 09, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: April 09, 2003 Updated: July 03, 2003
Affected
Sun includes a version of Samba with Solaris 9 which is affected by this issue. Sun provides Samba on the Solaris Companion CD for Solaris 2.6, 7, and 8: http://wwws.sun.com/software/solaris/freeware/index.html as an unsupported package which installs to /opt/sfw and is vulnerable to this issue too. Sites using the freeware version of Samba from the Solaris Companion CD will have to upgrade to a later version from Samba.org. Sun has published Sun Alert 53581 for this issue describing the workaround options here: http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/53581 The Sun Alert will be updated with the patch information as soon as it becomes available.
The vendor has not provided us with any further information regarding this vulnerability.
Sun Cobalt systems are also affected:
Notified: April 09, 2003 Updated: April 09, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Please see SuSE-SA:2003:025.
Updated: April 09, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Please see TSLSA-2003-0019.
Notified: April 09, 2003 Updated: April 10, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 09, 2003 Updated: April 09, 2003
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The CERT/CC has no additional comments at this time.
Notified: April 09, 2003 Updated: April 09, 2003
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.