<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<title>Samba - Security Announcement Archive</title>
<H2>CAN-2004-0930: Potential Remote Denial of Service Vulnerability in Samba 3.0.x <= 3.0.7</H2>
Subject: Potential Remote Denial of Service
Versions: Samba 3.0.x <= 3.0.7
Summary: A remote attacker could cause an smbd process
to consume abnormal amounts of system resources
due to an input validation error when matching
filenames containing wildcard characters.
A patch for Samba 3.0.7 (samba-3.0.7-CAN-2004-0930.patch) is
available from http://www.samba.org/samba/ftp/patches/security/.
The patch has been signed with the "Samba Distribution Verification
A bug in the input validation routines used to match
filename strings containing wildcard characters may allow
a user to consume more than normal amounts of CPU cycles
thus impacting the performance and response of the server.
In some circumstances the server can become entirely
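
The advisory does not show the faulty routine. As an added illustration (not Samba's code and not the contents of the patch), the following C example is a wildcard matcher whose work is bounded by the product of the pattern and name lengths, so a client-supplied pattern cannot drive CPU use beyond that. The names `wild_match` and `within_bound` and the sample inputs are hypothetical and constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Samba's routine): '*' matches any run of bytes,
 * '?' matches exactly one byte; comparison is byte-wise and case-sensitive.
 * Only the most recent '*' is ever retried, so the loop runs at most
 * (strlen(pat) + 1) * (strlen(name) + 1) times, whatever the pattern.
 * If steps is non-NULL it receives the number of loop iterations. */
int wild_match(const char *pat, const char *name, size_t *steps)
{
    const char *star = NULL;    /* pattern position just after the last '*' */
    const char *resume = NULL;  /* name position where that '*' stops matching */
    size_t n = 0;
    int ok = 1;
    while (*name && ok) {
        n++;
        if (*pat == '*') {              /* note the star; it matches nothing yet */
            star = ++pat;
            resume = name;
        } else if (*pat == '?' || *pat == *name) {
            pat++;
            name++;
        } else if (star) {              /* mismatch: last '*' takes one more byte */
            pat = star;
            name = ++resume;
        } else {
            ok = 0;                     /* mismatch with no '*' to fall back on */
        }
    }
    while (ok && *pat == '*')           /* trailing stars match the empty string */
        pat++;
    if (steps) *steps = n;
    return ok && *pat == '\0';
}

/* Returns 1 when the work done stays inside the bound stated above. */
int within_bound(const char *pat, const char *name)
{
    size_t steps = 0;
    wild_match(pat, name, &steps);
    return steps <= (strlen(pat) + 1) * (strlen(name) + 1);
}

int main(void)
{
    /* Constructed inputs: an ordinary match, then many wildcards on a near miss. */
    printf("%d %d\n", wild_match("*.txt", "report.txt", NULL),
           within_bound("*a*a*a*b", "aaaaaaaaaaaaaaaaaaaa"));
    return 0;
}
```
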
Protecting Unpatched Servers
----------------------------
The Samba Team always encourages users to run the latest stable
release as a defense against attacks. However, under certain
circumstances it may not be possible to immediately upgrade
important installations. In such cases, administrators should
read the "Server Security" documentation found at
http://www.samba.org/samba/docs/server_security.html.
This security issue was reported to Samba developers by
iDEFENSE (http://www.idefense.com/). Karol Wiesek is credited
Our Code, Our Bugs, Our Responsibility.