[arch-security] CVE-2013-4496 | CVE-2013-6442 [samba]

Billy McCann thebillywayne at gmail.com
Fri Mar 14 12:43:55 EDT 2014


Samba has been flagged out-of-date since 2014-03-12.
Two CVEs were issued 2014-03-14.

*Solution*
Upgrade [extra] samba to 4.1.6.

*Summary*
CVE-2013-4496:
Samba 3.x before 3.6.23, 4.0.x before 4.0.16, and 4.1.x before 4.1.6 does
not enforce the password-guessing protection mechanism for all interfaces,
which makes it easier for remote attackers to obtain access via brute-force
ChangePasswordUser2 (1) SAMR or (2) RAP attempts.

CVE-2013-6442:
Samba versions 4.0.0 and above have a flaw in the smbcacls command. If
smbcacls is used with the "-C|--chown name" or "-G|--chgrp name" command
options it will remove the existing ACL on the object being modified,
leaving the file or directory unprotected.

*Links*
http://www.samba.org/samba/security/CVE-2013-4496
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4496
http://www.samba.org/samba/security/CVE-2013-6442
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6442



-------------------------------------------[00(01|10)11]-----------------------------------------

Billy Wayne McCann, Ph.D.
Google+ <https://plus.google.com/+BillyWayneMcCann>
PGP Key <http://pgp.mit.edu/pks/lookup?op=get&search=0x223A2CAA56146040>
irc://irc.freenode.net:bwayne

MzM0LTcwMy0wMTIyCg== | base64 -d

"A rich man will always desire what his wealth cannot acquire." ~ Faust
(Goethe)

-------------------------------------------[11(10|01)00]------------------------------------------
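A version check for the CVE-2013-4496 ranges quoted in the post, added here as an example and not part of the original message. The version strings it tests are constructed; the "Version x.y.z" line format of `smbd --version` is assumed.

```python
"""Added example (not part of the advisory): decide whether a Samba version
string falls inside the CVE-2013-4496 affected ranges quoted above."""
import re

# Affected ranges as stated in the advisory: each branch is vulnerable
# below the listed fix release.
CVE_2013_4496_FIXED = {
    (3,): (3, 6, 23),      # 3.x before 3.6.23
    (4, 0): (4, 0, 16),    # 4.0.x before 4.0.16
    (4, 1): (4, 1, 6),     # 4.1.x before 4.1.6
}


def parse_version(text):
    """Extract the leading numeric version from strings such as
    'Version 4.1.5' (assumed format of `smbd --version`) or '4.1.6-1'
    (a distro package string). Returns a tuple of ints."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return tuple(int(p) for p in m.group(1).split("."))


def affected_by_cve_2013_4496(text):
    """True if the version is in a vulnerable range, False if fixed or on a
    branch the advisory does not list (e.g. 4.2.x)."""
    v = parse_version(text)
    # pad to three components so '4.1' compares like 4.1.0
    v = (v + (0, 0, 0))[:3]
    # most specific branch key first (major.minor), then major only
    for branch in ((v[0], v[1]), (v[0],)):
        if branch in CVE_2013_4496_FIXED:
            return v < CVE_2013_4496_FIXED[branch]
    return False


if __name__ == "__main__":
    # constructed sample inputs
    for s in ["Version 3.6.22", "Version 3.6.23", "Version 4.0.15",
              "Version 4.1.5", "4.1.6-1", "Version 4.2.0"]:
        state = "VULNERABLE" if affected_by_cve_2013_4496(s) else "not affected"
        print("%-16s -> %s" % (s, state))
```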