Subject: mksmbpasswd shell script may create accounts with easily guessable passwords

CVE #:             CAN-2004-0082

Affected Versions: Samba 3.0.0 - 3.0.1

Description
-----------

It has been confirmed that Samba 3.0.0 and 3.0.1 are susceptible to a
password initialization bug that could grant an attacker unauthorized
access to a user account created by the mksmbpasswd.sh shell script.

Samba administrators not wishing to upgrade to the current version
should download the 3.0.2 release, build the pdbedit tool, and run

   root# pdbedit-3.0.2 --force-initialized-passwords

This will disable all accounts that do not possess a valid password
(i.e. accounts whose password field is still set to the string of X's
written by mksmbpasswd.sh).  Samba servers running 3.0.2 are not
vulnerable to this bug regardless of whether or not pdbedit has been
used to sanitize the passdb backend.

Credits
-------

This defect was located by Samba developers during a routine code
audit.

-- Our Code, Our Bugs, Our Responsibility.

-- The Samba Team
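As an added example (not part of the advisory and not Samba's own code), the following Python script performs the same audit over an smbpasswd-format file that the pdbedit command above performs against the passdb backend: it lists the accounts whose LM or NT hash field is still the 32-character run of X's that mksmbpasswd.sh writes, and produces a copy of the file with the D (disabled) flag set on those accounts. The sample file is constructed for the example; the flag-letter ordering constant and the function names are assumptions of this example, not Samba interfaces. On a real server, back the file up first and prefer the pdbedit command where 3.0.2 is available, since it operates on whatever passdb backend is configured rather than only on the smbpasswd text file.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of an smbpasswd(5) file, not taken from a real system.
# Field layout: name:uid:LM hash:NT hash:[flags]:LCT-hex:
# bob and carol look like output of mksmbpasswd.sh (hash fields are 32 X's);
# carol has already been disabled by hand (D flag), bob has not.
SAMPLE_SMBPASSWD = """\
# SMB password file.
alice:1001:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:[U          ]:LCT-40174F35:
bob:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-00000000:
carol:1003:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[DU         ]:LCT-00000000:
dave:1004:C23413A8A1E7665FAAD3B435B51404EE:3DBDE697D71690A769204BEB12283678:[U          ]:LCT-40174F35:
"""

# Hash fields are 32 hex digits, or 32 X's when never initialized.
LINE_RE = re.compile(
    r"^(?P<name>[^:]+):(?P<uid>\d+):(?P<lm>[0-9A-Fa-fX]{32}):(?P<nt>[0-9A-Fa-fX]{32})"
    r":\[(?P<flags>[^\]]*)\]:(?P<rest>.*)$"
)

# Assumed ordering of account-control letters when re-emitting the flags
# field; only the presence of 'D' matters to the check below.
FLAG_ORDER = "NDHTUMWSLXI"
FLAG_WIDTH = 11  # width of the bracketed flags field


@dataclass
class Entry:
    name: str
    uid: int
    lm: str
    nt: str
    flags: str
    rest: str

    @property
    def uninitialized(self) -> bool:
        # The mksmbpasswd.sh placeholder: every character of the hash is 'X'.
        return set(self.lm) == {"X"} or set(self.nt) == {"X"}

    @property
    def disabled(self) -> bool:
        return "D" in self.flags

    def disabled_copy(self) -> "Entry":
        # Keep existing flag letters, add D, drop padding spaces.
        letters = [c for c in FLAG_ORDER if c in self.flags or c == "D"]
        return Entry(self.name, self.uid, self.lm, self.nt, "".join(letters), self.rest)

    def render(self) -> str:
        return f"{self.name}:{self.uid}:{self.lm}:{self.nt}:[{self.flags.ljust(FLAG_WIDTH)}]:{self.rest}"


def parse_smbpasswd(text: str) -> List[Entry]:
    """Parse every non-comment line; reject anything that is not an smbpasswd record."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed smbpasswd line: {line!r}")
        entries.append(Entry(m["name"], int(m["uid"]), m["lm"], m["nt"], m["flags"], m["rest"]))
    return entries


def find_uninitialized(text: str) -> List[str]:
    """Names of accounts whose hashes were never set and that are not yet disabled."""
    return [e.name for e in parse_smbpasswd(text) if e.uninitialized and not e.disabled]


def disable_uninitialized(text: str) -> str:
    """Return the file text with the D flag set on every uninitialized account.

    Comment lines and already-correct records are passed through unchanged.
    """
    out = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            out.append(line)
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed smbpasswd line: {line!r}")
        entry = Entry(m["name"], int(m["uid"]), m["lm"], m["nt"], m["flags"], m["rest"])
        if entry.uninitialized and not entry.disabled:
            out.append(entry.disabled_copy().render())
        else:
            out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    print("accounts to disable:", find_uninitialized(SAMPLE_SMBPASSWD))
    print(disable_uninitialized(SAMPLE_SMBPASSWD), end="")
```

Run against the sample, the audit reports only bob: carol's hashes are equally uninitialized but the account is already disabled, and alice and dave have real hashes. The rewritten copy differs from the input in exactly one line, bob's, whose flags field becomes `[DU         ]`.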