[arch-security] CVE-2013-4496 | CVE-2013-6442 [samba]

Billy McCann thebillywayne at gmail.com
Fri Mar 14 13:15:40 EDT 2014


FIXED
Many thanks to Tobias Powalowski (tpowa) for the quick turnaround.


On Fri, Mar 14, 2014 at 12:49 PM, Billy McCann <thebillywayne at gmail.com> wrote:

> Bug report:
> https://bugs.archlinux.org/task/39424
>
> ------------------------------------------[00(01|10)11]-----------------------------------------
>
> Billy Wayne McCann, Ph.D.
> Google+ <https://plus.google.com/+BillyWayneMcCann>
> PGP Key <http://pgp.mit.edu/pks/lookup?op=get&search=0x223A2CAA56146040>
> irc://irc.freenode.net:bwayne
>
> MzM0LTcwMy0wMTIyCg== | base64 -d
>
> "A rich man will always desire what his wealth cannot acquire." ~ Faust
> (Goethe)
>
> ------------------------------------------[11(10|01)00]------------------------------------------
>
>
> On Fri, Mar 14, 2014 at 12:43 PM, Billy McCann <thebillywayne at gmail.com> wrote:
>
>> Samba has been flagged out-of-date since 2014-03-12.
>> Two CVEs were issued 2014-03-14.
>>
>> *Solution*
>> Upgrade [extra] samba to 4.1.6.
>>
>> *Summary*
>> CVE-2013-4496:
>> Samba 3.x before 3.6.23, 4.0.x before 4.0.16, and 4.1.x before 4.1.6 does
>> not enforce the password-guessing protection mechanism for all interfaces,
>> which makes it easier for remote attackers to obtain access via brute-force
>> ChangePasswordUser2 (1) SAMR or (2) RAP attempts.
>>
>> CVE-2013-6442:
>> Samba versions 4.0.0 and above have a flaw in the smbcacls command. If
>> smbcacls is used with the "-C|--chown name" or "-G|--chgrp name" command
>> options it will remove the existing ACL on the object being modified,
>> leaving the file or directory unprotected.
>>
>> *Links*
>> http://www.samba.org/samba/security/CVE-2013-4496
>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4496
>> http://www.samba.org/samba/security/CVE-2013-6442
>> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6442
>>
>
>
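Added example (not part of the original thread and not Samba or Arch project code): a shell check that maps an installed Samba version onto the affected ranges quoted in the summary above. The function names `ver_lt` and `samba_cves` are hypothetical, and the check assumes CVE-2013-6442 is fixed in the same 4.0.16 and 4.1.6 releases as CVE-2013-4496, where the post itself only names the 4.1.6 upgrade.

```shell
#!/bin/sh
# Added example: classify a Samba version against the ranges quoted in the post.

# ver_lt A B: succeed when dotted version A is numerically lower than B
# (first three fields compared; trailing non-digits in a field are ignored).
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1   # equal versions are not "lower"
    }'
}

# samba_cves VERSION: print the CVE ids from the post that apply, or "none".
samba_cves() {
    v=${1%%-*}    # drop an Arch-style "-pkgrel" suffix such as "-1"
    hits=""
    case $v in
        3.*)
            # CVE-2013-6442 only concerns 4.0.0 and above.
            if ver_lt "$v" 3.6.23; then hits="CVE-2013-4496"; fi ;;
        4.0.*)
            # Assumption: 4.0.16 also carries the smbcacls fix.
            if ver_lt "$v" 4.0.16; then hits="CVE-2013-4496 CVE-2013-6442"; fi ;;
        4.1.*)
            if ver_lt "$v" 4.1.6; then hits="CVE-2013-4496 CVE-2013-6442"; fi ;;
    esac
    echo "${hits:-none}"
}

# Constructed sample versions; on Arch the real value would come from
# "pacman -Q samba" (second field).
for sample in 3.6.22 4.0.15 4.1.5-1 4.1.6-1; do
    printf '%s: %s\n' "$sample" "$(samba_cves "$sample")"
done
```

Versions outside the three branches named in the post (for example 4.2.x) report "none" because the post gives no range for them.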