
Title: Security bugfix for Samba
Released by: SAMBA
Date: 3rd October 1997

            IMPORTANT: Security bugfix for Samba - all versions


A security hole in all versions of Samba has been recently
discovered. The security hole allows unauthorized remote users to
obtain root access on the Samba server.

An exploit for this security hole has been posted to the internet so
system administrators should assume that this hole is being actively


The exploit for the security hole is very architecture specific and
has been only demonstrated to work for Samba servers running on Intel
based platforms. The exploit posted to the internet is specific to
Intel Linux servers. It would be very difficult to produce an exploit
for other architectures but it may be possible.

A new release of Samba has now been made that fixes the security
hole. The new release is version 1.9.17p2 and is available from :


The md5 checksum of this new version is:

27ac28ccf084268ba5c8c0b3a0ed12e4 b samba-1.9.17p2.tar.gz

This release also adds a routine which logs a message if anyone
attempts to take advantage of the security hole. The message (in the
Samba log files) will look like this:

        ERROR: Invalid password length 999
        your machine may be under attack by a user exploiting an old bug
        Attack was from IP=aaa.bbb.ccc.ddd

where aaa.bbb.ccc.ddd is the IP address of the machine performing the
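
The log message quoted above can be matched mechanically. The following is an added example, not code from the Samba Team or the original advisory: it scans log lines for the three-line message and tallies attempts by source IP. The function names, the sample log and the assumption that the IP line follows within three lines of the ERROR line are constructed for illustration.

```python
import re
from collections import Counter

# Patterns taken from the message text quoted in the advisory.
LENGTH_RE = re.compile(r"ERROR: Invalid password length (\d+)")
SOURCE_RE = re.compile(r"Attack was from IP=(\d{1,3}(?:\.\d{1,3}){3})")
MAX_GAP = 3  # assumption: the IP line follows the ERROR line within 3 lines

def find_attempts(lines):
    """Return [(source_ip, password_length), ...], one entry per logged attempt.
    source_ip is None when no IP line follows (e.g. a truncated or rotated log)."""
    attempts, pending = [], None  # pending = [length, lines seen since ERROR]
    for line in lines:
        m = LENGTH_RE.search(line)
        if m:
            if pending is not None:          # previous ERROR never got its IP line
                attempts.append((None, pending[0]))
            pending = [int(m.group(1)), 0]
            continue
        if pending is None:
            continue
        m = SOURCE_RE.search(line)
        if m:
            attempts.append((m.group(1), pending[0]))
            pending = None
        else:
            pending[1] += 1
            if pending[1] >= MAX_GAP:        # give up pairing, keep the event
                attempts.append((None, pending[0]))
                pending = None
    if pending is not None:
        attempts.append((None, pending[0]))
    return attempts

def count_by_source(attempts):
    """Number of logged attempts per source IP (None = source not recorded)."""
    return Counter(ip for ip, _ in attempts)

# Constructed sample log (documentation-range addresses, invented filler lines).
SAMPLE_LOG = """\
connect to service public as user guest
        ERROR: Invalid password length 999
        your machine may be under attack by a user exploiting an old bug
        Attack was from IP=192.0.2.10
        ERROR: Invalid password length 1024
        your machine may be under attack by a user exploiting an old bug
        Attack was from IP=198.51.100.7
        ERROR: Invalid password length 2000
"""

if __name__ == "__main__":
    for ip, n in count_by_source(find_attempts(SAMPLE_LOG.splitlines())).items():
        print(f"{ip or 'unknown source'}: {n} attempt(s)")
```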


The "Samba Survey" containing the current list of Samba users that is
hosted on the Samba Web site has been temporarily suspended to remove
a list of potentially vulnerable sites. All users on this list will
be contacted and encouraged to upgrade.

Any new information will be made available on the Samba WWW site at


To report bugs and ask questions about the fix please email :


        The Samba Team


