The branch, master has been updated
       via  2e6773c Announce Samba 3.6.3.
      from  9190d58 Fix release date.
http://gitweb.samba.org/?p=samba-web.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 2e6773c8d60f2fce8207429b4fa1b92649700d08 Author: Karolin Seeger <ksee...@samba.org> Date: Sun Jan 29 21:17:31 2012 +0100 Announce Samba 3.6.3. Karolin ----------------------------------------------------------------------- Summary of changes: generated_news/latest_10_bodies.html | 18 ++++---- generated_news/latest_10_headlines.html | 4 +- generated_news/latest_2_bodies.html | 18 ++++---- history/header_history.html | 1 + history/samba-3.6.3.html | 43 +++++++++++++++++ history/security.html | 10 ++++ latest_stable_release.html | 6 +- security/CVE-2012-0817.html | 78 +++++++++++++++++++++++++++++++ 8 files changed, 155 insertions(+), 23 deletions(-) create mode 100755 history/samba-3.6.3.html create mode 100644 security/CVE-2012-0817.html Changeset truncated at 500 lines: diff --git a/generated_news/latest_10_bodies.html b/generated_news/latest_10_bodies.html index 1071ffc..06268ce 100644 --- a/generated_news/latest_10_bodies.html +++ b/generated_news/latest_10_bodies.html 
@@ -1,3 +1,12 @@ + <h5><a name="3.6.3">29 January 2012</a></h5> + <p class="headline">Samba 3.6.3 Security Release Available for Download</p> + <p>This is a security release in order to address <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-CVE-2012-0817">CVE-2012-0817 (Memory leak/Denial of service)</a>.</p> + +<p>The uncompressed tarballs and patch files have been signed +using GnuPG (ID 6568B7EA). The source code can be +<a href="http://samba.org/samba/ftp/stable/samba-3.6.3.tar.gz">downloaded +now</a>. A <a href="http://samba.org/samba/ftp/patches/patch-3.6.2-3.6.3.diffs.gz">patch against Samba 3.6.2</a> is also available. See the <a href="http://samba.org/samba/history/samba-3.6.3.html">release notes</a> for more info.</p> + <h5><a name="3.6.2">25 January 2012</a></h5> <p class="headline">Samba 3.6.2 Available for Download</p> <p>This is the latest stable release of the Samba 3.6 series.</p> @@ -82,12 +91,3 @@ enhanced library components.</p> using GnuPG (ID 6568B7EA). The source code can be <a href="http://samba.org/samba/ftp/stable/samba-3.6.0.tar.gz">downloaded now</a>. A <a href="http://samba.org/samba/ftp/patches/patch-3.5.11-3.6.0.diffs.gz">patch against Samba 3.5.11</a> is also available. See <a href="http://samba.org/samba/history/samba-3.6.0.html">the release notes for more info</a>.</p> - - <h5><a name="3.5.11">04 August 2011</a></h5> - <p class="headline">Samba 3.5.11 Available for Download</p> - <p>This is the latest stable release of the Samba 3.5 series.</p> - -<p>The uncompressed tarballs and patch files have been signed -using GnuPG (ID 6568B7EA). The source code can be -<a href="http://samba.org/samba/ftp/stable/samba-3.5.11.tar.gz">downloaded -now</a>. A <a href="http://samba.org/samba/ftp/patches/patch-3.5.10-3.5.11.diffs.gz">patch against Samba 3.5.10</a> is also available. See <a href="http://samba.org/samba/history/samba-3.5.11.html">the release notes for more info</a>.</p> 
diff --git a/generated_news/latest_10_headlines.html b/generated_news/latest_10_headlines.html index 05cf7ba..f8b235c 100644 --- a/generated_news/latest_10_headlines.html +++ b/generated_news/latest_10_headlines.html @@ -1,4 +1,6 @@ <ul> + <li> 29 January 2012 <a href="#3.6.3">Samba 3.6.3 Security Release Available for Download</a></li> + <li> 25 January 2012 <a href="#3.6.2">Samba 3.6.2 Available for Download</a></li> <li> 17 January 2012 <a href="http://lwn.net/SubscriberLink/475592/8ed5bac474ed9f8a/">A Samba 4 update</a> featured by <a href=http://LWN.net/>LWN.net</a>.</li> @@ -16,6 +18,4 @@ <li> 09 August 2011 <a href="/samba/news/releases/3.6.0.html">The highlights of Samba 3.6</a></li> <li> 09 August 2011 <a href="#3.6.0">Samba 3.6.0 Available for Download</a></li> - - <li> 04 August 2011 <a href="#3.5.11">Samba 3.5.11 Available for Download</a></li> </ul> diff --git a/generated_news/latest_2_bodies.html b/generated_news/latest_2_bodies.html index 4ec8153..7376bf6 100644 --- a/generated_news/latest_2_bodies.html +++ b/generated_news/latest_2_bodies.html 
@@ -1,3 +1,12 @@ + <h5><a name="3.6.3">29 January 2012</a></h5> + <p class="headline">Samba 3.6.3 Security Release Available for Download</p> + <p>This is a security release in order to address <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-CVE-2012-0817">CVE-2012-0817 (Memory leak/Denial of service)</a>.</p> + +<p>The uncompressed tarballs and patch files have been signed +using GnuPG (ID 6568B7EA). The source code can be +<a href="http://samba.org/samba/ftp/stable/samba-3.6.3.tar.gz">downloaded +now</a>. A <a href="http://samba.org/samba/ftp/patches/patch-3.6.2-3.6.3.diffs.gz">patch against Samba 3.6.2</a> is also available. See the <a href="http://samba.org/samba/history/samba-3.6.3.html">release notes</a> for more info.</p> + <h5><a name="3.6.2">25 January 2012</a></h5> <p class="headline">Samba 3.6.2 Available for Download</p> <p>This is the latest stable release of the Samba 3.6 series.</p> @@ -6,12 +15,3 @@ using GnuPG (ID 6568B7EA). The source code can be <a href="http://samba.org/samba/ftp/stable/samba-3.6.2.tar.gz">downloaded now</a>. A <a href="http://samba.org/samba/ftp/patches/patch-3.6.1-3.6.2.diffs.gz">patch against Samba 3.6.1</a> is also available. See <a href="http://samba.org/samba/history/samba-3.6.2.html">the release notes for more info</a>.</p> - - <h5><a name="lwn_lca12">17 January 2012</a></h5> - <p class="headline">LCA: A Samba 4 update</p> - -<p>Read what Jonathan Corbet and many others got presented at -<a href="http://linux.conf.au/">linux.conf.au 2012</a> at the -<a href="http://lwn.net/SubscriberLink/475592/8ed5bac474ed9f8a/"> -A Samba 4 update</a> talk. -</p> diff --git a/history/header_history.html b/history/header_history.html index d750545..1658d9d 100755 --- a/history/header_history.html +++ b/history/header_history.html 
@@ -9,6 +9,7 @@ <li><a href="/samba/history/">Release Notes</a> <li class="navSub"> <ul> + <li><a href="samba-3.6.3.html">samba-3.6.3</a></li> <li><a href="samba-3.6.2.html">samba-3.6.2</a></li> <li><a href="samba-3.6.1.html">samba-3.6.1</a></li> <li><a href="samba-3.6.0.html">samba-3.6.0</a></li> diff --git a/history/samba-3.6.3.html b/history/samba-3.6.3.html new file mode 100755 index 0000000..6b52f0b --- /dev/null +++ b/history/samba-3.6.3.html @@ -0,0 +1,43 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> + +<head> +<title>Samba - Release Notes Archive</title> +</head> + +<body> + + <H2>Samba 3.6.3 Available for Download</H2> + +<p> +<pre> + ============================= + Release Notes for Samba 3.6.3 + January 29, 2012 + ============================= + + +This is a security release in order to address +CVE-2012-0817 (Memory leak/Denial of service). + +o CVE-2012-0817: + The Samba File Serving daemon (smbd) in Samba versions + 3.6.0 to 3.6.2 is affected by a memory leak that can + cause a server denial of service. + + +Changes since 3.6.2: +-------------------- + + +o Jeremy Allison <j...@samba.org> + * BUG 8724: Fix memory leak in parent smbd on connection. + + +o Ira Cooper <sa...@ira.wakeful.net> + * BUG 8724: Fix memory leak in parent smbd on connection. +</pre> + +</body> +</html> diff --git a/history/security.html b/history/security.html index 70a8695..ab6d93f 100755 --- a/history/security.html +++ b/history/security.html 
@@ -22,6 +22,16 @@ link to full release notes for each release.</p> </tr> <tr> + <td>29 Jan 2012</td> + <td><a href="/samba/ftp/patches/security/samba-3.6.2-CVE-2012-0817.patch"> + patch for Samba 3.6.2</a> + <td>Memory leak/Denial of service</td> + <td>3.6.0-3.6.2</td> + <td><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0817">CVE-2012-0817</a></td> + <td><a href="/samba/security/CVE-2012-0817">Announcement</a></td> + </tr> + + <tr> <td>26 Jul 2011</td> <td><a href="/samba/ftp/patches/security/samba-3.3.15-CVE-2011-2522.patch"> patch for Samba 3.3.15</a> diff --git a/latest_stable_release.html b/latest_stable_release.html index 7977a23..631f0c2 100644 --- a/latest_stable_release.html +++ b/latest_stable_release.html @@ -1,5 +1,5 @@ <p> - <a href="/samba/ftp/stable/samba-3.6.2.tar.gz">Samba 3.6.2 (gzipped)</a><br> - <a href="/samba/history/samba-3.6.2.html">Release Notes</a> · - <a href="/samba/ftp/stable/samba-3.6.2.tar.asc">Signature</a> + <a href="/samba/ftp/stable/samba-3.6.3.tar.gz">Samba 3.6.3 (gzipped)</a><br> + <a href="/samba/history/samba-3.6.3.html">Release Notes</a> · + <a href="/samba/ftp/stable/samba-3.6.3.tar.asc">Signature</a> </p> diff --git a/security/CVE-2012-0817.html b/security/CVE-2012-0817.html new file mode 100644 index 0000000..adf6ad5 --- /dev/null +++ b/security/CVE-2012-0817.html 
@@ -0,0 +1,78 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> + +<head> +<title>Samba - Security Announcement Archive</title> +</head> + +<body> + + <H2>CVE-2012-0817:</H2> + +<p> +<pre> +=========================================================== +== Subject: Memory leak/Denial of service. +== +== CVE ID#: CVE-2012-0817 +== +== Versions: Samba 3.6.0 - 3.6.2 (inclusive) +== +== Summary: The Samba File Serving daemon (smbd) in Samba versions +== 3.6.0 to 3.6.2 is affected by a memory leak that can +== cause a server denial of service. +== +== +=========================================================== + +=========== +Description +=========== + +Samba versions 3.6.0 to 3.6.2 inclusive are vulnerable to a memory +leak that can cause a server denial of service. + +The Samba smbd daemon that listens for incoming connections leaks +a small amount of memory on every connection attempt. Although this +is a small leak, it happens on every connection even without successful +authentication. Thus an attacker can simply loop making connection +requests and cause the listening daemon to ever increase in size. + +Eventually the server process will grow enough to either cause memory +allocations in other processes to fail, or be killed by the system +as part of its out of memory protection. Either way, denial of service +would be achieved. + +The symptom that caused this issue to be discovered was extreme CPU use +on an affected system. This was caused by the child processes that were +forked from the parent attempting to free the leaked memory. + +========== +Workaround +========== + +None. + +================== +Patch Availability +================== + +A patch addressing this defect has been posted to + + http://www.samba.org/samba/security/ + +Additionally, Samba 3.6.3 has been issued as security release to correct the +defect. 
Samba administrators running affected versions are advised to upgrade +to 3.6.3 or apply the patch as soon as possible. + +======= +Credits +======= + +The vulnerability was discovered and reported to the Samba Team by Youzhong +Yang and Ira Cooper of MathWorks. Patches were written and tested by Ira +Cooper of MathWorks and Jeremy Allison of the Samba Team. +</pre> +</body> +</html> -- Samba Website Repository
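Review bot: the CVE link in the new 3.6.3 entry of `generated_news/latest_10_bodies.html` has the identifier doubled in the query string, `href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-CVE-2012-0817"`; it should read `name=CVE-2012-0817`, as in the row added to `history/security.html` further down. The identical malformed href is added to `generated_news/latest_2_bodies.html`, so the correction presumably belongs in whatever source these two generated files are produced from, otherwise it will be regenerated next time.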
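Review bot: the new table row in `history/security.html` leaves its first link cell unclosed: `<td><a href="/samba/ftp/patches/security/samba-3.6.2-CVE-2012-0817.patch"> patch for Samba 3.6.2</a>` is followed directly by `<td>Memory leak/Denial of service</td>` with no `</td>` in between. Browsers recover from this, but the tree otherwise declares XHTML, so add the closing tag. Also worth checking that the Announcement link `/samba/security/CVE-2012-0817` actually resolves, since the file created in this commit is `security/CVE-2012-0817.html` and the link carries no extension.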
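Review bot: `history/samba-3.6.3.html` opens a `<p>` immediately before `<pre>` and never closes it (`<p>`, `<pre>` ... `</pre>`, `</body>`); under the XHTML 1.0 Transitional doctype the page declares, `<pre>` is a block element that may not be nested in `<p>`, so either drop the `<p>` or close it before the `<pre>`. The same construct is in the new `security/CVE-2012-0817.html`. Separately, this file is created with mode 100755 while `security/CVE-2012-0817.html` in the same commit gets 100644; static HTML needs no execute bit, so 100644 for both would be consistent.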
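Review bot: in the advisory text of `security/CVE-2012-0817.html`, "Samba 3.6.3 has been issued as security release" is missing an article ("as a security release"). More substantively, the Description states that the leak is triggered by every connection attempt, before any authentication, yet the Workaround section says only "None."; a sentence stating explicitly that restricting which hosts can reach the listening smbd reduces exposure but is not considered a fix would save administrators from having to infer that from the Description, and would make clear why upgrading or applying the patch is the only remedy listed.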