[arch-security] CVE-2013-4496 | CVE-2013-6442 [samba]

Billy McCann thebillywayne at gmail.com
Fri Mar 14 12:49:39 EDT 2014


Bug report:
https://bugs.archlinux.org/task/39424

------------------------------------------[00(01|10)11]
-----------------------------------------

Billy Wayne McCann, Ph.D.
Google+ <https://plus.google.com/+BillyWayneMcCann>
PGP Key <http://pgp.mit.edu/pks/lookup?op=get&search=0x223A2CAA56146040>
irc://irc.freenode.net:bwayne

MzM0LTcwMy0wMTIyCg== | base64 -d

"A rich man will always desire what his wealth cannot acquire." ~ Faust
(Goethe)

------------------------------------------[11(10|01)00]-------
-----------------------------------


On Fri, Mar 14, 2014 at 12:43 PM, Billy McCann <thebillywayne at gmail.com> wrote:

> Samba has been flagged out-of-date since 2014-03-12.
> Two CVEs were issued 2014-03-14.
>
> *Solution*
> Upgrade [extra] samba to 4.1.6.
>
> *Summary*
> CVE-2013-4496:
> Samba 3.x before 3.6.23, 4.0.x before 4.0.16, and 4.1.x before 4.1.6 does
> not enforce the password-guessing protection mechanism for all interfaces,
> which makes it easier for remote attackers to obtain access via brute-force
> ChangePasswordUser2 (1) SAMR or (2) RAP attempts.
>
> CVE-2013-6442:
> Samba versions 4.0.0 and above have a flaw in the smbcacls command. If
> smbcacls is used with the "-C|--chown name" or "-G|--chgrp name" command
> options it will remove the existing ACL on the object being modified,
> leaving the file or directory unprotected.
>
> *Links*
> http://www.samba.org/samba/security/CVE-2013-4496
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4496
> http://www.samba.org/samba/security/CVE-2013-6442
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6442
>
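
For the smbcacls flaw summarized above (CVE-2013-6442), an added example that is not part of the original message: a small audit that scans recorded command lines for smbcacls calls using the "-C|--chown" or "-G|--chgrp" options, so the ACLs on those objects can be re-checked. The host, share and user names in the sample lines are constructed, and treating the first `//` argument and the argument after it as service and file name is an assumption of this sketch.

```python
import os
import shlex

# Constructed sample input (e.g. lines taken from a shell history or audit log).
SAMPLE_HISTORY = [
    "smbcacls //fs1/projects reports/q1.xlsx -U admin",
    "sudo smbcacls //fs1/projects reports/q1.xlsx -C alice -U admin",
    "/usr/bin/smbcacls //fs1/hr 'payroll 2014' --chgrp=hr-staff -U admin",
    "smbcacls //fs1/projects build -a 'ACL:bob:ALLOWED/0/FULL' -U admin",
    "smbclient //fs1/projects -U admin -c 'ls'",
]


def is_risky_option(token):
    """True for the options the advisory names: -C/--chown and -G/--chgrp."""
    if token.startswith("--"):
        # Accept both "--chown name" and "--chown=name".
        return token.split("=", 1)[0] in ("--chown", "--chgrp")
    # Accept "-C name" as well as the attached form "-Cname".
    return token[:2] in ("-C", "-G")


def find_acl_stripping_calls(lines):
    """Return (line_no, service, filename, risky_options) per affected call."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        try:
            argv = shlex.split(line)
        except ValueError:
            continue  # unbalanced quotes: not a parseable command line
        # Locate smbcacls even behind sudo or when given with a full path.
        pos = next((i for i, t in enumerate(argv)
                    if os.path.basename(t) == "smbcacls"), None)
        if pos is None:
            continue
        args = argv[pos + 1:]
        risky = [a for a in args if is_risky_option(a)]
        if not risky:
            continue
        svc = next((i for i, a in enumerate(args) if a.startswith("//")), None)
        service = args[svc] if svc is not None else None
        filename = None
        if svc is not None and svc + 1 < len(args) \
                and not args[svc + 1].startswith("-"):
            filename = args[svc + 1]
        findings.append((line_no, service, filename, risky))
    return findings


if __name__ == "__main__":
    for finding in find_acl_stripping_calls(SAMPLE_HISTORY):
        print("re-check ACL:", finding)
```

Objects reported here are only candidates: whether their ACL was actually removed depends on the smbcacls version that ran the command.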