Software Update: Samba 3.4.2 / 3.3.8 / 3.2.15 / 3.0.37

Samba runs on Unix, BSD and Linux machines and provides file and printer services to Windows clients over the CIFS protocol. For documentation on the how and what of Samba you can take a look at this page. The developers have patched a number of security vulnerabilities, resulting in the release of versions 3.4.2, 3.3.8, 3.2.15, and 3.0.37. The announcement of these latest versions looks like this:

Release Notes for Samba 3.4.2 / 3.3.8 / 3.2.15 / 3.0.37

This is a security release in order to address CVE-2009-2813, CVE-2009-2948 and CVE-2009-2906.

  • CVE-2009-2813: In all versions of Samba later than 3.0.11, connecting to the home share of a user will use the root of the filesystem as the home directory if this user is misconfigured to have an empty home directory in /etc/passwd.
  • CVE-2009-2948: If mount.cifs is installed as a setuid program, a user can pass it a credential or password path to which he or she does not have access and then use the --verbose option to view the first line of that file. All known Samba versions are affected.
  • CVE-2009-2906: Specially crafted SMB requests on authenticated SMB connections can send smbd into a 100% CPU loop, causing a DoS on the Samba server.

Please note that Samba 3.0.x is not maintained any longer. This security release was shipped on a voluntary basis.
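
Until the fixed versions are installed, an administrator can check a host for the two local preconditions named in the notes: accounts with an empty home directory field (CVE-2009-2813) and a setuid mount.cifs (CVE-2009-2948). The script below is an added example, not code from the Samba project; the function names, the sample passwd entries and the /sbin/mount.cifs fallback path are assumptions.

```shell
#!/bin/sh
# Added example: audit for the preconditions of CVE-2009-2813 and CVE-2009-2948.

# Print login names whose home-directory field (6th colon-separated field)
# is empty. Comment lines and malformed (short) lines are skipped.
empty_home_users() {
    awk -F: '!/^#/ && NF >= 7 && $6 == "" { print $1 }' "${1:-/etc/passwd}"
}

# Succeed only if the path is a regular file with the setuid bit set.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Constructed passwd entries: bob and dave have an empty home field,
# carol only has an empty GECOS field and must not be reported.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
# constructed entries for the example
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob::/bin/sh
carol:x:1002:1002::/home/carol:/bin/sh
dave:x:1003:1003:::/usr/sbin/nologin
EOF
}

# Demo run against the constructed sample.
tmp=$(mktemp)
sample_passwd > "$tmp"
echo "Accounts with an empty home directory (constructed sample):"
empty_home_users "$tmp"
rm -f "$tmp"

# Locate mount.cifs; the fallback path is an assumption and varies by distribution.
helper=$(command -v mount.cifs || echo /sbin/mount.cifs)
if is_setuid "$helper"; then
    echo "$helper is setuid: upgrade, or remove the bit with chmod u-s"
else
    echo "$helper is not setuid or not installed"
fi
```

Called without an argument, `empty_home_users` reads the real /etc/passwd; accounts served from LDAP or NIS are not in that file and need the same check against their directory.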

Version number: 3.4.2 / 3.3.8 / 3.2.15 / 3.0.37
Release status: Final
Operating systems: Linux, BSD, macOS, Solaris, UNIX
Website: samba
Download: http://download.samba.org/samba/ftp/stable/
License type: GPL