Debian Security Advisory

Samba -- Security problems corrected in new upstream version

Date Reported:

31 Jul 1999

Affected Packages:

samba
samba-common
smbclient
smbfs
smbwrapper
swat

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-1999-0810, CVE-1999-0811, CVE-1999-0812.

More information:

The version of samba as distributed in Debian GNU/Linux 2.1 has a couple of security problems:

a Denial-of-Service attack against nmbd was possible
it was possible to exploit smbd if you had a message command defined which used the %f or %M formatter.
smbmnt's check to see if a user is allowed to create a mount was flawed which allowed users to mount at arbitrary mount points in the file system.

These problems have been fixed in version 2.0.5a-1. We recommend you upgrade your samba packages immediately.

Please note that this is a major upgrade so please be careful when you upgrade since some changes to the configuration file might be necessary. The configuration file also moved to a new location (/etc/samba).

The smbfsx package is also obsolete with this update and has been replaced by smbfs, which can handle both 2.0 and 2.2 kernels now.

Fixed in:

Architecture-independent component:: http://security.debian.org/dists/stable/updates/binary-all/samba-doc_2.0.5a-1_all.deb
alpha:: http://security.debian.org/dists/stable/updates/binary-alpha/samba-common_2.0.5a-1_alpha.deb; http://security.debian.org/dists/stable/updates/binary-alpha/samba_2.0.5a-1_alpha.deb; http://security.debian.org/dists/stable/updates/binary-alpha/smbclient_2.0.5a-1_alpha.deb; http://security.debian.org/dists/stable/updates/binary-alpha/smbfs_2.0.5a-1_alpha.deb; http://security.debian.org/dists/stable/updates/binary-alpha/smbwrapper_2.0.5a-1_alpha.deb; http://security.debian.org/dists/stable/updates/binary-alpha/swat_2.0.5a-1_alpha.deb
i386:: http://security.debian.org/dists/stable/updates/binary-i386/samba-common_2.0.5a-1_i386.deb; http://security.debian.org/dists/stable/updates/binary-i386/samba_2.0.5a-1_i386.deb; http://security.debian.org/dists/stable/updates/binary-i386/smbclient_2.0.5a-1_i386.deb; http://security.debian.org/dists/stable/updates/binary-i386/smbfs_2.0.5a-1_i386.deb; http://security.debian.org/dists/stable/updates/binary-i386/smbwrapper_2.0.5a-1_i386.deb; http://security.debian.org/dists/stable/updates/binary-i386/swat_2.0.5a-1_i386.deb
m68k:: http://security.debian.org/dists/stable/updates/binary-m68k/samba-common_2.0.5a-1_m68k.deb; http://security.debian.org/dists/stable/updates/binary-m68k/samba_2.0.5a-1_m68k.deb; http://security.debian.org/dists/stable/updates/binary-m68k/smbclient_2.0.5a-1_m68k.deb; http://security.debian.org/dists/stable/updates/binary-m68k/smbfs_2.0.5a-1_m68k.deb; http://security.debian.org/dists/stable/updates/binary-m68k/smbwrapper_2.0.5a-1_m68k.deb; http://security.debian.org/dists/stable/updates/binary-m68k/swat_2.0.5a-1_m68k.deb
sparc:: http://security.debian.org/dists/stable/updates/binary-sparc/samba-common_2.0.5a-1_sparc.deb; http://security.debian.org/dists/stable/updates/binary-sparc/samba_2.0.5a-1_sparc.deb; http://security.debian.org/dists/stable/updates/binary-sparc/smbclient_2.0.5a-1_sparc.deb; http://security.debian.org/dists/stable/updates/binary-sparc/smbfs_2.0.5a-1_sparc.deb; http://security.debian.org/dists/stable/updates/binary-sparc/smbwrapper_2.0.5a-1_sparc.deb; http://security.debian.org/dists/stable/updates/binary-sparc/swat_2.0.5a-1_sparc.deb