8826 Re: [nslu2-general] Re: samba2 on pogoplug not accessible from mac
- Jan 4, 2013
On 01/04/2013 10:21 PM, Gregg Levine wrote:
> On Fri, Jan 4, 2013 at 8:43 PM, Ron Guerin <ron@...> wrote:
>> On 01/04/2013 08:28 PM, oddballhero wrote:
>>> I'm pretty sure Samba3 has been around for a while... You mean like certain computer companies are perpetually in trial and error stage... There are only two sure things... (fill this in with your preference, see Benjamin Franklin or Elvis).
>> Samba3 is from 2003. Samba4 just went stable a few weeks ago.
>>> I've been running 3.6 for some time.
>> FYI: https://www.samba.org/samba/security/CVE-2012-1182
>> The version I see in Optware, is 3.2.15-5, which would also be
>> vulnerable to the above exploit.
>> - Ron
> Ron nice to see you here.
I bought an ASUS RT-N16 last year. The discovery of Optware has led to
a device I continue to find new uses for.
> What is the exploit? For those of us who do not follow those please
I don't follow these either. I went to look up the year Samba3 was
released and found the security warning on the Wikipedia page. The
entire description is summary length, so I'll post it here.
Samba versions 3.6.3 and all versions previous to this are affected by
a vulnerability that allows remote code execution as the "root" user
from an anonymous connection.
The code generator for Samba's remote procedure call (RPC) code
contained an error which caused it to generate code containing a
security flaw. This generated code is used in the parts of Samba that
control marshalling and unmarshalling of RPC calls over the network.
The flaw caused checks on the variable containing the length of an
allocated array to be done independently from the checks on the
variable used to allocate the memory for that array. As both these
variables are controlled by the connecting client it makes it possible
for a specially crafted RPC call to cause the server to execute
As this does not require an authenticated connection it is the most
serious vulnerability possible in a program, and users and vendors are
encouraged to patch their Samba installations immediately.
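The class of flaw the quoted description names, two client-controlled fields validated independently of each other, shown as an added example that is not part of the original post and is not Samba's code. The wire format, names and sample messages are constructed for illustration; `accepts_independent` only models the flawed validation decision, and `unmarshal_array` adds the cross-check that ties the element count to the allocation.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>

/* Toy wire format, constructed for this example (not Samba's real NDR layout):
 * [alloc_count u32 LE][length u32 LE][length x u32 LE elements] */
#define MAX_ELEMS 1024u

/* Constructed sample messages. BAD_MSG asks for 1 slot but carries 3 elements. */
const uint8_t GOOD_MSG[] = {2,0,0,0, 2,0,0,0, 7,0,0,0, 9,0,0,0};
const uint8_t BAD_MSG[]  = {1,0,0,0, 3,0,0,0, 1,0,0,0, 2,0,0,0, 3,0,0,0};

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Flawed validation: each field is bounded on its own, never against the
 * other. Returns 1 if the message would be accepted for unmarshalling. */
int accepts_independent(const uint8_t *buf, size_t len) {
    if (len < 8) return 0;
    uint32_t alloc_count = rd32(buf), length = rd32(buf + 4);
    if (alloc_count == 0 || alloc_count > MAX_ELEMS) return 0;
    if (length > (len - 8) / 4) return 0;  /* elements are present in packet */
    return 1;                              /* length may exceed alloc_count */
}

/* Hardened unmarshal: returns a heap array (caller frees) or NULL on reject. */
uint32_t *unmarshal_array(const uint8_t *buf, size_t len, uint32_t *out_n) {
    if (len < 8) return NULL;
    uint32_t alloc_count = rd32(buf), length = rd32(buf + 4);
    if (alloc_count == 0 || alloc_count > MAX_ELEMS) return NULL;
    if (length > alloc_count) return NULL;       /* the missing cross-check */
    if (length > (len - 8) / 4) return NULL;     /* stay inside the packet */
    uint32_t *a = calloc(alloc_count, sizeof *a);
    if (!a) return NULL;
    for (uint32_t i = 0; i < length; i++) a[i] = rd32(buf + 8 + 4u * i);
    *out_n = length;
    return a;
}

int main(void) {
    uint32_t n = 0;
    uint32_t *a = unmarshal_array(GOOD_MSG, sizeof GOOD_MSG, &n);
    int ok = a && n == 2 && accepts_independent(BAD_MSG, sizeof BAD_MSG)
             && !unmarshal_array(BAD_MSG, sizeof BAD_MSG, &n);
    free(a);
    return ok ? 0 : 1;
}
```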