Release Planning for Samba 3.3: Difference between revisions

From SambaWiki
Line 59: Line 59:


== Samba 3.3.12 ==
== Samba 3.3.12 ==
:Release Notes for Samba 3.3.12
:March 8, 2010

===This is a security release in order to address CVE-2010-0728.===

* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0728 CVE-2010-0728 CVE-2010-0728]:
: In Samba releases 3.5.0, 3.4.6 and 3.3.11, new code was added to fix a problem with Linux asynchronous IO handling. This code introduced a bad security flaw on Linux platforms if the binaries were built on Linux platforms with libcap support. The flaw caused all smbd processes to inherit CAP_DAC_OVERRIDE capabilities, allowing all file system access to be allowed even when permissions should have denied access.


('''Updated 09-March-2010''')
('''Updated 09-March-2010''')

Revision as of 14:22, 2 May 2011

This release series is in the security fixes only mode.

Samba 3.3 turned into security fixes only mode

(Updated 01-March-2010)

Moving forward, any 3.3.x releases will be on a as needed basis for security issues only.

Samba 3.3.15

Release Notes for Samba 3.3.15
February 28, 2011


This is a security release in order to address CVE-2011-0719.

All current released versions of Samba are vulnerable to a denial of service caused by memory corruption. Range checks on file descriptors being used in the FD_SET macro were not present allowing stack corruption. This can cause the Samba code to crash or to loop attempting to select on a bad file descriptor set.


(Updated 28-February-2011)

  • Monday, February 28 - Samba 3.3.15 has been released to address CVE-2011-0719.
 Release Notes Samba 3.3.15

Samba 3.3.14

Release Notes for Samba 3.3.14
September 14, 2010

This is a security release in order to address CVE-2010-3069.

All current released versions of Samba are vulnerable to a buffer overrun vulnerability. The sid_parse() function (and related dom_sid_parse() function in the source4 code) do not correctly check their input lengths when reading a binary representation of a Windows SID (Security ID). This allows a malicious client to send a sid that can overflow the stack variable that is being used to store the SID in the Samba smbd server.

(Updated 14-September-2010)

  • Tuesday, September 14 - Samba 3.3.14 has been released to address CVE-2010-2069.
 Release Notes Samba 3.3.14

Samba 3.3.13

Release Notes for Samba 3.3.13
June 16, 2010

This is a security release in order to address CVE-2010-2063.

In Samba 3.3.x and below, a buffer overrun is possible in chain_reply code.


(Updated 16-June-2010)

  • Wednesday, June 16 - Samba 3.3.13 has been released to address CVE-2010-2063.
 Release Notes Samba 3.3.13

Samba 3.3.12

Release Notes for Samba 3.3.12
March 8, 2010

This is a security release in order to address CVE-2010-0728.

In Samba releases 3.5.0, 3.4.6 and 3.3.11, new code was added to fix a problem with Linux asynchronous IO handling. This code introduced a bad security flaw on Linux platforms if the binaries were built on Linux platforms with libcap support. The flaw caused all smbd processes to inherit CAP_DAC_OVERRIDE capabilities, allowing all file system access to be allowed even when permissions should have denied access.

(Updated 09-March-2010)

  • Monday, March 8 - Samba 3.3.12 has been released to address CVE-2010-0728.
 Release Notes Samba 3.3.12

Samba 3.3.11

(Updated 26-February-2010)

  • Friday, February 26 - Samba 3.3.11 has been released

Please note, that this will probably be the last bug fix release of the 3.3 series.

Samba 3.3.12

(Updated 09-March-2010)

  • Monday, March 8 - Samba 3.3.12 has been released to address CVE-2010-0728.
 Release Notes Samba 3.3.12

Samba 3.3.10

(Updated 14-January-2010)

  • Thursday, January 14 - Samba 3.3.10 has been released
 Release Notes Samba 3.3.10

Samba 3.3.9

(Updated 15-October-2009)

  • Thursday, October 15 - Samba 3.3.9 has been released
 Release Notes Samba 3.3.9

Samba 3.3.8

(Updated 1-October-2009)

  • Thursday, October 1 - Samba 3.3.8 has been issued as Security Release to address CVE-2009-2906,

CVE-2009-2906 and CVE-2009-2813.

 Release Notes Samba 3.3.8

Samba 3.3.7

(Updated 23-June-2009)

  • Wednesday, July 29 - Samba 3.3.7 has been released
 Release Notes Samba 3.3.7

Samba 3.3.6

(Updated 23-June-2009)

  • Tuesday, June 23 2009: Samba 3.3.6 Security Release has been released to address

CVE-2009-1888 ("Uninitialized read of a data value"). For more information, please see Samba Security page.

 Security Advisory

Samba 3.3.5

(Updated 16-June-2009)

  • Tuesday, June 16 - Samba 3.3.5 has been released
 Release Notes Samba 3.3.5

Samba 3.3.4

(Updated 29-April-2009)

  • Wednesday, April 29 - Samba 3.3.4 has been released
 Release Notes Samba 3.3.4

Samba 3.3.3

(Updated 01-April-2009)

  • Wednesday, April 1 - Samba 3.3.3 has been released
 Release Notes Samba 3.3.3

Samba 3.3.2

(Updated 12-March-2009)

  • Thursday, March 12 - Samba 3.3.2 has been released
 Release Notes Samba 3.3.2

Samba 3.3.1

(Updated 24-February-2009)

  • Tuesday, February 24 - Samba 3.3.1 has been released
 Release Notes Samba 3.3.1

Samba 3.3.0

(Updated 27-January-2009)

  • Tuesday, August 26 - Samba 3.3.0pre1 has been released
  • Thursday, October 2 - Samba 3.3.0pre2 has been released
  • Thursday, November 27 - Samba 3.3.0rc1 has been released
  • Monday, December 15 - Samba 3.3.0rc2 has been released
  • Tuesday, January 27 - Samba 3.3.0 has been released
 Release Notes Samba 3.3.0