[arch-security] CVE-2013-4496 | CVE-2013-6442 [samba]
Samba has been flagged out-of-date since 2014-03-12. Two CVE's were issued 2014-03-14. *Solution* Upgrade [extra] samba to 4.1.6. *Summary* CVE-2013-4496: Samba 3.x before 3.6.23, 4.0.x before 4.0.16, and 4.1.x before 4.1.6 does not enforce the password-guessing protection mechanism for all interfaces, which makes it easier for remote attackers to obtain access via brute-force ChangePasswordUser2 (1) SAMR or (2) RAP attempts. CVE-2013-6442 Samba versions 4.0.0 and above have a flaw in the smbcacls command. If smbcacls is used with the "-C|--chown name" or "-G|--chgrp name" command options it will remove the existing ACL on the object being modified, leaving the file or directory unprotected. *Links* http://www.samba.org/samba/security/CVE-2013-4496 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4496 http://www.samba.org/samba/security/CVE-2013-6442 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6442 ------------------------------------------[00(01|10)11] ----------------------------------------- Billy Wayne McCann, Ph.D. Google+ <https://plus.google.com/+BillyWayneMcCann> PGP Key <http://pgp.mit.edu/pks/lookup?op=get&search=0x223A2CAA56146040> irc://irc.freenode.net:bwayne MzM0LTcwMy0wMTIyCg== | base64 -d "A rich man will always desire what his wealth cannot acquire." ~ Faust (Goethe) ------------------------------------------[11(10|01)00]------- -----------------------------------
Bug report: https://bugs.archlinux.org/task/39424 ------------------------------------------[00(01|10)11] ----------------------------------------- Billy Wayne McCann, Ph.D. Google+ <https://plus.google.com/+BillyWayneMcCann> PGP Key <http://pgp.mit.edu/pks/lookup?op=get&search=0x223A2CAA56146040> irc://irc.freenode.net:bwayne MzM0LTcwMy0wMTIyCg== | base64 -d "A rich man will always desire what his wealth cannot acquire." ~ Faust (Goethe) ------------------------------------------[11(10|01)00]------- ----------------------------------- On Fri, Mar 14, 2014 at 12:43 PM, Billy McCann <thebillywayne@gmail.com>wrote:
Samba has been flagged out-of-date since 2014-03-12. Two CVE's were issued 2014-03-14.
*Solution* Upgrade [extra] samba to 4.1.6.
*Summary* CVE-2013-4496: Samba 3.x before 3.6.23, 4.0.x before 4.0.16, and 4.1.x before 4.1.6 does not enforce the password-guessing protection mechanism for all interfaces, which makes it easier for remote attackers to obtain access via brute-force ChangePasswordUser2 (1) SAMR or (2) RAP attempts.
CVE-2013-6442 Samba versions 4.0.0 and above have a flaw in the smbcacls command. If smbcacls is used with the "-C|--chown name" or "-G|--chgrp name" command options it will remove the existing ACL on the object being modified, leaving the file or directory unprotected.
*Links* http://www.samba.org/samba/security/CVE-2013-4496 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4496 http://www.samba.org/samba/security/CVE-2013-6442 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6442
------------------------------------------[00(01|10)11] -----------------------------------------
Billy Wayne McCann, Ph.D. Google+ <https://plus.google.com/+BillyWayneMcCann> PGP Key <http://pgp.mit.edu/pks/lookup?op=get&search=0x223A2CAA56146040> irc://irc.freenode.net:bwayne
MzM0LTcwMy0wMTIyCg== | base64 -d
"A rich man will always desire what his wealth cannot acquire." ~ Faust (Goethe)
------------------------------------------[11(10|01)00]------- -----------------------------------
FIXED Many thanks to Tobias Powalowski (tpowa) for the quick turnaround. On Fri, Mar 14, 2014 at 12:49 PM, Billy McCann <thebillywayne@gmail.com>wrote:
Bug report: https://bugs.archlinux.org/task/39424
------------------------------------------[00(01|10)11] -----------------------------------------
Billy Wayne McCann, Ph.D. Google+ <https://plus.google.com/+BillyWayneMcCann> PGP Key <http://pgp.mit.edu/pks/lookup?op=get&search=0x223A2CAA56146040> irc://irc.freenode.net:bwayne
MzM0LTcwMy0wMTIyCg== | base64 -d
"A rich man will always desire what his wealth cannot acquire." ~ Faust (Goethe)
------------------------------------------[11(10|01)00]------- -----------------------------------
On Fri, Mar 14, 2014 at 12:43 PM, Billy McCann <thebillywayne@gmail.com>wrote:
Samba has been flagged out-of-date since 2014-03-12. Two CVE's were issued 2014-03-14.
*Solution* Upgrade [extra] samba to 4.1.6.
*Summary* CVE-2013-4496: Samba 3.x before 3.6.23, 4.0.x before 4.0.16, and 4.1.x before 4.1.6 does not enforce the password-guessing protection mechanism for all interfaces, which makes it easier for remote attackers to obtain access via brute-force ChangePasswordUser2 (1) SAMR or (2) RAP attempts.
CVE-2013-6442 Samba versions 4.0.0 and above have a flaw in the smbcacls command. If smbcacls is used with the "-C|--chown name" or "-G|--chgrp name" command options it will remove the existing ACL on the object being modified, leaving the file or directory unprotected.
*Links* http://www.samba.org/samba/security/CVE-2013-4496 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4496 http://www.samba.org/samba/security/CVE-2013-6442 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6442
------------------------------------------[00(01|10)11] -----------------------------------------
Billy Wayne McCann, Ph.D. Google+ <https://plus.google.com/+BillyWayneMcCann> PGP Key <http://pgp.mit.edu/pks/lookup?op=get&search=0x223A2CAA56146040> irc://irc.freenode.net:bwayne
MzM0LTcwMy0wMTIyCg== | base64 -d
"A rich man will always desire what his wealth cannot acquire." ~ Faust (Goethe)
------------------------------------------[11(10|01)00]------- -----------------------------------
participants (1)
-
Billy McCann