Release Planning for Samba 3.3: Difference between revisions

From SambaWiki
Line 182: Line 182:
====Major enhancements in Samba 3.3.5 include:====
====Major enhancements in Samba 3.3.5 include:====


* Fix SAMR and LSA checks (bug #6089, #6289)
* Fix SAMR and LSA checks [https://bugzilla.samba.org/show_bug.cgi?id=6089 bug #60689], [https://bugzilla.samba.org/show_bug.cgi?id=6289 bug #6289]
* Fix posix acls when setting an ACL without explicit ACE for the owner (bug #2346).
* Fix posix acls when setting an ACL without explicit ACE for the owner [https://bugzilla.samba.org/show_bug.cgi?id=2346 bug #2346].
* Fix joining of Win7 into Samba domain (bug #6099).
* Fix joining of Win7 into Samba domain [https://bugzilla.samba.org/show_bug.cgi?id=6099 bug #6099].
* Fix joining of Win2000 SP4 clients (bug #6301).
* Fix joining of Win2000 SP4 clients [https://bugzilla.samba.org/show_bug.cgi?id=6301 bug #6301].
('''Updated 16-June-2009''')
('''Updated 16-June-2009''')
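Review bot: the replacement for the first bullet labels its first link "bug #60689", but the URL points at show_bug.cgi?id=6089 and the line it replaces said #6089. The label should read "bug #6089". The replaced lines for #2346, #6099 and #6301 carried the bug number in parentheses; the new lines drop them, so the link now runs straight into the sentence, and the three single-link bullets end in a period while the first does not. Settle on one form for all four bullets.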



Revision as of 14:47, 2 May 2011

This release series is in the security fixes only mode.

Samba 3.3 turned into security fixes only mode

(Updated 01-March-2010)

Moving forward, any 3.3.x releases will be on an as-needed basis for security issues only.

Samba 3.3.15

Release Notes for Samba 3.3.15
February 28, 2011


This is a security release in order to address CVE-2011-0719.

All current released versions of Samba are vulnerable to a denial of service caused by memory corruption. Range checks on file descriptors being used in the FD_SET macro were not present, allowing stack corruption. This can cause the Samba code to crash or to loop attempting to select on a bad file descriptor set.
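The missing range check described above, as an added example (not Samba's patch): an `fd_set` is a fixed-size bitmap of `FD_SETSIZE` bits, so a descriptor outside `0..FD_SETSIZE-1` must be rejected before `FD_SET` touches it. The function names `fd_set_checked` and `build_read_set` are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/select.h>

/* Add fd to *set only if it fits in the fd_set bitmap.
 * Returns 0 on success, -1 if fd is out of range (*set is not modified). */
int fd_set_checked(int fd, fd_set *set, int *maxfd)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return -1;               /* FD_SET here would write outside *set */
    FD_SET(fd, set);
    if (fd > *maxfd)
        *maxfd = fd;
    return 0;
}

/* Build a read set from fds[0..n). On success returns 0 and stores the
 * highest descriptor in *maxfd (-1 for an empty list). If any descriptor is
 * rejected, returns -1 with the set cleared so the caller cannot select on it. */
int build_read_set(const int *fds, size_t n, fd_set *set, int *maxfd)
{
    *maxfd = -1;
    FD_ZERO(set);
    for (size_t i = 0; i < n; i++) {
        if (fd_set_checked(fds[i], set, maxfd) != 0) {
            FD_ZERO(set);
            *maxfd = -1;
            return -1;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed descriptor lists: one valid, one with an fd past the bitmap. */
    int ok[]  = { 0, 5, 63 };
    int bad[] = { 3, FD_SETSIZE };
    fd_set set;
    int maxfd;
    printf("ok:  %d\n", build_read_set(ok, 3, &set, &maxfd));
    printf("bad: %d\n", build_read_set(bad, 2, &set, &maxfd));
    return 0;
}
```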


(Updated 28-February-2011)

  • Monday, February 28 - Samba 3.3.15 has been released to address CVE-2011-0719.
 Release Notes Samba 3.3.15

Samba 3.3.14

Release Notes for Samba 3.3.14
September 14, 2010

This is a security release in order to address CVE-2010-3069.

All current released versions of Samba are vulnerable to a buffer overrun vulnerability. The sid_parse() function (and related dom_sid_parse() function in the source4 code) do not correctly check their input lengths when reading a binary representation of a Windows SID (Security ID). This allows a malicious client to send a SID that can overflow the stack variable that is being used to store the SID in the Samba smbd server.

(Updated 14-September-2010)

  • Tuesday, September 14 - Samba 3.3.14 has been released to address CVE-2010-3069.
 Release Notes Samba 3.3.14

Samba 3.3.13

Release Notes for Samba 3.3.13
June 16, 2010

This is a security release in order to address CVE-2010-2063.

In Samba 3.3.x and below, a buffer overrun is possible in chain_reply code.


(Updated 16-June-2010)

  • Wednesday, June 16 - Samba 3.3.13 has been released to address CVE-2010-2063.
 Release Notes Samba 3.3.13

Samba 3.3.12

Release Notes for Samba 3.3.12
March 8, 2010

This is a security release in order to address CVE-2010-0728.

In Samba releases 3.5.0, 3.4.6 and 3.3.11, new code was added to fix a problem with Linux asynchronous IO handling. This code introduced a bad security flaw on Linux platforms if the binaries were built on Linux platforms with libcap support. The flaw caused all smbd processes to inherit CAP_DAC_OVERRIDE capabilities, so all file system access was allowed even when permissions should have denied access.

(Updated 09-March-2010)

  • Monday, March 8 - Samba 3.3.12 has been released to address CVE-2010-0728.
 Release Notes Samba 3.3.12

Samba 3.3.11

Release Notes for Samba 3.3.11
February 26, 2010

This is the latest bugfix release of the Samba 3.3 series.

Major enhancements in Samba 3.3.11 include:

  • "wide links" and "unix extensions" are incompatible bug #7104.
  • Fix failing of smbd to respond to a read or a write caused by Linux asynchronous IO (aio) bug #7067.

(Updated 26-February-2010)

  • Friday, February 26 - Samba 3.3.11 has been released

Please note that this will probably be the last bug fix release of the 3.3 series.

Samba 3.3.10

Release Notes for Samba 3.3.10
January 14, 2010

This is the latest bugfix release of the Samba 3.3 series.

Major enhancements in Samba 3.3.10 include:

  • Fix changing of ACLs on writable file with "dos filemode=yes" bug #5202.
  • Fix smbd crashes in dns_register_smbd_reply bug #6696.
  • Fix Winbind crashes when queried from nss bug #6889.
  • Fix Winbind crash when retrieving empty group members bug #7014.
  • Fix interdomain trusts with Win2008R2 bug #6697.

(Updated 14-January-2010)

  • Thursday, January 14 - Samba 3.3.10 has been released
 Release Notes Samba 3.3.10

Samba 3.3.9

Release Notes for Samba 3.3.9
October 15, 2009

This is the latest bugfix release of the Samba 3.3 series.

Major enhancements in Samba 3.3.9 include:

  • Fix trust relationships to Windows 2008 (2008 R2) bug #6711.
  • Fix file corruption using smbclient with NT4 server bug #6606.
  • Fix Windows 7 share access (which defaults to NTLMv2) bug #6680.
  • Fix SAMR server for Winbind access bug #6504.

(Updated 15-October-2009)

  • Thursday, October 15 - Samba 3.3.9 has been released
 Release Notes Samba 3.3.9

Samba 3.3.8

Release Notes for Samba 3.3.8
October 1, 2009

This is a security release in order to address CVE-2009-2813, CVE-2009-2948 and CVE-2009-2906.

In all versions of Samba later than 3.0.11, connecting to the home share of a user will use the root of the filesystem as the home directory if this user is misconfigured to have an empty home directory in /etc/passwd.
If mount.cifs is installed as a setuid program, a user can pass it a credential or password path to which he or she does not have access and then use the --verbose option to view the first line of that file. All known Samba versions are affected.
Specially crafted SMB requests on authenticated SMB connections can send smbd into a 100% CPU loop, causing a DoS on the Samba server.

(Updated 1-October-2009)

  • Thursday, October 1 - Samba 3.3.8 has been issued as a Security Release to address CVE-2009-2948, CVE-2009-2906 and CVE-2009-2813.

 Release Notes Samba 3.3.8

Samba 3.3.7

Release Notes for Samba 3.3.7
July 29, 2009

This is the latest bugfix release of the Samba 3.3 series.

(Updated 23-June-2009)

  • Wednesday, July 29 - Samba 3.3.7 has been released
 Release Notes Samba 3.3.7

Samba 3.3.6

Release Notes for Samba 3.3.6
June 23, 2009

This is a security release in order to address CVE-2009-1888.

In Samba 3.0.31 to 3.3.5 (inclusive), an uninitialized read of a data value can potentially affect access control when "dos filemode" is set to "yes".


(Updated 23-June-2009)

  • Tuesday, June 23 2009: Samba 3.3.6 Security Release has been released to address CVE-2009-1888 ("Uninitialized read of a data value"). For more information, please see Samba Security page.

 Security Advisory
 Release Notes Samba 3.3.6

Samba 3.3.5

Release Notes for Samba 3.3.5
June 16, 2009

This is the latest bugfix release of the Samba 3.3 series.

Major enhancements in Samba 3.3.5 include:

(Updated 16-June-2009)

  • Tuesday, June 16 - Samba 3.3.5 has been released
 Release Notes Samba 3.3.5

Samba 3.3.4

(Updated 29-April-2009)

  • Wednesday, April 29 - Samba 3.3.4 has been released
 Release Notes Samba 3.3.4

Samba 3.3.3

(Updated 01-April-2009)

  • Wednesday, April 1 - Samba 3.3.3 has been released
 Release Notes Samba 3.3.3

Samba 3.3.2

(Updated 12-March-2009)

  • Thursday, March 12 - Samba 3.3.2 has been released
 Release Notes Samba 3.3.2

Samba 3.3.1

(Updated 24-February-2009)

  • Tuesday, February 24 - Samba 3.3.1 has been released
 Release Notes Samba 3.3.1

Samba 3.3.0

(Updated 27-January-2009)

  • Tuesday, August 26 - Samba 3.3.0pre1 has been released
  • Thursday, October 2 - Samba 3.3.0pre2 has been released
  • Thursday, November 27 - Samba 3.3.0rc1 has been released
  • Monday, December 15 - Samba 3.3.0rc2 has been released
  • Tuesday, January 27 - Samba 3.3.0 has been released
 Release Notes Samba 3.3.0