FS#39424 - [samba] CVE-2013-4496 | CVE-6442
Attached to Project:
Arch Linux
Opened by Billy Wayne McCann (bwayne) - Friday, 14 March 2014, 16:48 GMT
Last edited by Tobias Powalowski (tpowa) - Friday, 14 March 2014, 17:03 GMT
Opened by Billy Wayne McCann (bwayne) - Friday, 14 March 2014, 16:48 GMT
Last edited by Tobias Powalowski (tpowa) - Friday, 14 March 2014, 17:03 GMT
|
Details
Description:
Samba has been flagged out-of-date since 2014-03-12. Two CVE's were issued 2014-03-14. This bug report is to notify developers that upgrade to 4.1.6 is critical. CVE-2013-4496: Samba 3.x before 3.6.23, 4.0.x before 4.0.16, and 4.1.x before 4.1.6 does not enforce the password-guessing protection mechanism for all interfaces, which makes it easier for remote attackers to obtain access via brute-force ChangePasswordUser2 (1) SAMR or (2) RAP attempts. CVE-2013-6442 Samba versions 4.0.0 and above have a flaw in the smbcacls command. If smbcacls is used with the "-C|--chown name" or "-G|--chgrp name" command options it will remove the existing ACL on the object being modified, leaving the file or directory unprotected. *Links* http://www.samba.org/samba/security/CVE-2013-4496 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4496 http://www.samba.org/samba/security/CVE-2013-6442 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6442 Additional info: * package version(s) < 4.1.6 *Solution* Upgrade [extra] samba to 4.1.6. *Summary* Samba version 4.1.6 have been released to address this issue. |
This task depends upon
Closed by Tobias Powalowski (tpowa)
Friday, 14 March 2014, 17:03 GMT
Reason for closing: Fixed
Additional comments about closing: 4.1.6-1
Friday, 14 March 2014, 17:03 GMT
Reason for closing: Fixed
Additional comments about closing: 4.1.6-1