1. Forum
  2. Usenet
  3. LINUX.DEBIAN.ANNOUNCE.SEC

  • [SECURITY] [DSA 4135-1] samba security update

    From Salvatore Bonaccorso@1:229/2 to All on Tue Mar 13 11:00:01 2018
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    - ------------------------------------------------------------------------- Debian Security Advisory DSA-4135-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso
    March 13, 2018 https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : samba
    CVE ID : CVE-2018-1050 CVE-2018-1057

    Several vulnerabilities have been discovered in Samba, a SMB/CIFS file,
    print, and login server for Unix. The Common Vulnerabilities and
    Exposures project identifies the following issues:

    CVE-2018-1050

    It was discovered that Samba is prone to a denial of service
    attack when the RPC spoolss service is configured to be run as an
    external daemon.

    https://www.samba.org/samba/security/CVE-2018-1050.html

    CVE-2018-1057

    Bjoern Baumbach from Sernet discovered that on Samba 4 AD DC the
    LDAP server incorrectly validates permissions to modify passwords
    over LDAP allowing authenticated users to change any other users
    passwords, including administrative users.

    https://www.samba.org/samba/security/CVE-2018-1057.html
    https://wiki.samba.org/index.php/CVE-2018-1057

    For the oldstable distribution (jessie), CVE-2018-1050 will be addressed
    in a later update. Unfortunately the changes required to fix
    CVE-2018-1057 for Debian oldstable are too invasive to be backported.
    Users using Samba as an AD-compatible domain controller are encouraged
    to apply the workaround described in the Samba wiki and upgrade to
    Debian stretch.

    For the stable distribution (stretch), these problems have been fixed in version 2:4.5.12+dfsg-2+deb9u2.

    We recommend that you upgrade your samba packages.

    For the detailed security status of samba please refer to its security
    tracker page at:
    https://security-tracker.debian.org/tracker/samba

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: [email protected]
    -----BEGIN PGP SIGNATURE-----

    iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlqnnphfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0Q7xQ//bGpp8gLoxYxiaUaVJCxN08djsPRx3mas0VF319Te6Fg/iLntI2LzSx6b HmdtJ/ZZz6lLrvG5LMfeqZwgFlztUoJ8JR0Mjd+m83Rf9ccX+8dlPJQq8509WuYM tBj+DmLpLQMLxAfMDWohO3A3qDGw2jOrjsbv1Viex4NYn7JWsQVpiYb3L27pn6kp hl88nu5doRFk57bID5TjgFnA14gMJQjXj7E3y/4bc5B07ee8tantewcLYL3Nknvw r5aVZ3/Hvxs+6sArKNBwjynFuKNFPhgtE2LGOW3hp17dYX4e/uMHiyrnHjXnfI/j Ak7TZHi/vq7EWApbtvXcFCTZ3dqWlrxC2WSge0Xl5oT8hMhV3IdvoIhO6rs/wgQ4 N2ZhtphVG/8ZKhoQx5h+f5eJnuvP7iIPHmviHcgE3im9mKl/XrXhHL0rPCB2qzvH 3I5BixpwyMLU6cunGWkMHahobjPdlnl5aOpMedBnCs2DjnIRi+Jy5NJmaPdyWSeL BSkxPUrUwUhxhH3P1AChctJWwNNPJAlcoSR7EWV3M9AQhelrWdACOMb1iOK+VCTm 65UGzyGagkUW+ui/azeypHvBZM07CwS+69J5CBGVFNfHvvFGZ9HEGndMhItV7eok Ta27LiGU+Fq1S7h5QiPWmyUo5qsD9Vefh056JqMQtQVCEdwLmnw=
    =ajOu
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)