[ SOURCE: http://www.secureroot.com/security/advisories/9641777651.html ]

- -----BEGIN PGP SIGNED MESSAGE-----



            IMPORTANT: Security bugfix for Samba - all versions

            ---------------------------------------------------



A security hole in all versions of Samba has been recently

discovered. The security hole allows unauthorized remote users to

obtain root access on the Samba server.



An exploit for this security hole has been posted to the internet so

system administrators should assume that this hole is being actively

exploited.



The exploit for the security hole is very architecture specific and

has been only demonstrated to work for Samba servers running on Intel

based platforms. The exploit posted to the internet is specific to

Intel Linux servers. It would be very difficult to produce an exploit

for other architectures but it may be possible.



A new release of Samba has now been made that fixes the security

hole. The new release is version 1.9.17p2 and is available from :



ftp://samba.anu.edu.au/pub/samba/samba-1.9.17p2.tar.gz



The md5 checksum of this new version is:



27ac28ccf084268ba5c8c0b3a0ed12e4 b samba-1.9.17p2.tar.gz



This release also adds a routine which logs a message if anyone

attempts to take advantage of the security hole. The message (in the

Samba log files) will look like this:



        ERROR: Invalid password length 999

        your machine may be under attack by a user exploiting an old bug

        Attack was from IP=aaa.bbb.ccc.ddd



where aaa.bbb.ccc.ddd is the IP address of the machine performing the

attack.



The "Samba Survey" containing the current list of Samba users that is

hosted on the Samba Web site has been temporarily suspended to remove

a list of potentially vulnerable sites. All users on this list will

be contacted and encouraged to upgrade.



Any new information will be made available on the Samba WWW site at

http://samba.anu.edu.au/samba



To report bugs and ask questions about the fix please email :

samba-bugs@samba.anu.edu.au.





        The Samba Team

        samba-bugs@samba.anu.edu.au



- -----BEGIN PGP SIGNATURE-----

Version: 2.6



iQCVAgUBNDHbEGNSlURsK/StAQEvbwP/Z4b56i42IGcHX7FExNJOSCUM2ggjucI6

koqc8sS8xj5ciOsnBBVFf+14C9+tG/hT4/4CJkwLeJ+PeaXWHkGof++Xn0TGACO9

DBzszrZDYLq0fP/4O/W+Ot0AoHjnW7JzNlC2TWyNO4RCFIxq1mmBCo6CY6ksWhNO

v7z4oThyhLE=

=8yla

- -----END PGP SIGNATURE-----