<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<title>Samba - Release Notes Archive</title>
<H2>Samba 3.6.25 Available for Download</H2>
==============================
Release Notes for Samba 3.6.25
==============================

This is a security release in order to address CVE-2015-0240 (Unexpected
code execution in smbd).

All versions of Samba from 3.5.0 to 4.2.0rc4 are vulnerable to an
unexpected code execution vulnerability in the smbd file server

A malicious client could send packets that may set up the stack in
such a way that the freeing of memory in a subsequent anonymous
netlogon packet could allow execution of arbitrary code. This code
would execute with root privileges.

In preparing a response to an authenticated FSCTL_GET_SHADOW_COPY_DATA
or FSCTL_SRV_ENUMERATE_SNAPSHOTS client request, affected versions of
Samba do not initialize 8 bytes of the 16 byte SRV_SNAPSHOT_ARRAY
response field. The uninitialized buffer is sent back to the client.

A non-default VFS module providing the get_shadow_copy_data_fn() hook
must be explicitly enabled for Samba to process the aforementioned
client requests. Therefore, only configurations with "shadow_copy" or
"shadow_copy2" specified for the "vfs objects" parameter are vulnerable.
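
A check for the configuration condition described above, as an added example that is not part of the Samba release notes: it parses smb.conf text and lists the sections whose effective "vfs objects" setting includes shadow_copy or shadow_copy2. The function names and the sample configuration are constructed for illustration, and include directives are not followed.

```python
import re

AFFECTED = {"shadow_copy", "shadow_copy2"}  # module names from the release notes

def logical_lines(text):
    """Yield smb.conf lines with comments dropped and '\\' continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line[0] in "#;"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf

def shadow_copy_sections(conf_text):
    """Return sorted section names whose effective 'vfs objects' loads an affected module."""
    sections, explicit, current = ["global"], {}, "global"
    for line in logical_lines(conf_text):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            if current not in sections:
                sections.append(current)
            continue
        name, sep, value = line.partition("=")
        # Parameter names are case-insensitive and ignore embedded whitespace.
        if sep and re.sub(r"\s+", "", name).lower() == "vfsobjects":
            # Modules are separated by spaces or commas; tolerate a ":suffix".
            explicit[current] = {m.split(":")[0]
                                 for m in re.split(r"[,\s]+", value.strip()) if m}
    inherited = explicit.get("global", set())
    # A share without its own "vfs objects" uses the [global] value.
    return sorted(s for s in sections if explicit.get(s, inherited) & AFFECTED)

# Constructed sample configuration, not taken from any real host.
SAMPLE = r"""
[global]
   workgroup = EXAMPLE
   vfs objects = acl_xattr
[projects]
   path = /srv/projects
   VFS Objects = recycle, \
       shadow_copy2
[scratch]
   path = /srv/scratch
   ; vfs objects = shadow_copy
[archive]
   path = /srv/archive
   vfs objects =
"""

if __name__ == "__main__":
    for name in shadow_copy_sections(SAMPLE):
        print(f"[{name}] loads shadow_copy/shadow_copy2")
```

A setting in [global] is reported for every share that does not override it, so one line there can expose all shares.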

o Jeremy Allison <jra@samba.org>
  * BUG 11077: CVE-2015-0240: talloc free on uninitialized stack pointer
    in netlogon server could lead to security vulnerability.

o Jiří Šašek <jiri.sasek@oracle.com>
  * BUG 10549: CVE-2014-0178: Fix malformed FSCTL_SRV_ENUMERATE_SNAPSHOTS

o Andreas Schneider <asn@samba.org>
  * BUG 11077: CVE-2015-0240: s3-netlogon: Make sure we do not dereference
    a NULL pointer./auth: Make sure that creds_out is initialized with NULL.