lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1YbluS-0002vR-IS@titan.mandriva.com>
Date: Sat, 28 Mar 2015 09:16:00 +0100
From: security@...driva.com
To: bugtraq@...urityfocus.com
Subject: [ MDVSA-2015:082 ] samba

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:082
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : samba
 Date    : March 28, 2015
 Affected: Business Server 2.0
 _______________________________________________________________________

 Problem Description:

 Updated samba packages fix security vulnerabilities:
 
 In Samba before 3.6.23, the SAMR server neglects to ensure that
 attempted password changes will update the bad password count, and does
 not set the lockout flags.  This would allow a user unlimited attempts
 against the password by simply calling ChangePasswordUser2 repeatedly.
 This is available without any other authentication (CVE-2013-4496).
 
 Information leak vulnerability in the VFS code, allowing an
 authenticated user to retrieve eight bytes of uninitialized memory
 when shadow copy is enabled (CVE-2014-0178).
 
 Samba versions before 3.6.24, 4.0.19, and 4.1.9 are vulnerable
 to a denial of service on the nmbd NetBIOS name services daemon. A
 malformed packet can cause the nmbd server to loop the CPU and prevent
 any further NetBIOS  ame service (CVE-2014-0244).
 
 Samba versions before 3.6.24, 4.0.19, and 4.1.9 are affected
 by a denial of service crash involving overwriting memory on an
 authenticated connection to the smbd file server (CVE-2014-3493).
 
 An uninitialized pointer use flaw was found in the Samba daemon
 (smbd). A malicious Samba client could send specially crafted netlogon
 packets that, when processed by smbd, could potentially lead to
 arbitrary code execution with the privileges of the user running smbd
 (by default, the root user) (CVE-2015-0240).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4496
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0178
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0244
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3493
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0240
 http://advisories.mageia.org/MGASA-2014-0138.html
 http://advisories.mageia.org/MGASA-2014-0279.html
 http://advisories.mageia.org/MGASA-2015-0084.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 2/X86_64:
 d5eebcafd60491a0234a65d554fe8215  mbs2/x86_64/lib64netapi0-3.6.25-1.mbs2.x86_64.rpm
 00e4940a6c0d55c938244e089d435040  mbs2/x86_64/lib64netapi-devel-3.6.25-1.mbs2.x86_64.rpm
 a8d521d5ff42f668b2701e5930f47e82  mbs2/x86_64/lib64smbclient0-3.6.25-1.mbs2.x86_64.rpm
 fb75164165fce2046f92160cfaf1a05b  mbs2/x86_64/lib64smbclient0-devel-3.6.25-1.mbs2.x86_64.rpm
 d18bb1a8d87c85a525dc604b09790aae  mbs2/x86_64/lib64smbclient0-static-devel-3.6.25-1.mbs2.x86_64.rpm
 186cef9f46545399665b85f43fbed408  mbs2/x86_64/lib64smbsharemodes0-3.6.25-1.mbs2.x86_64.rpm
 952887304f08621ae17d2a80f5bff8f0  mbs2/x86_64/lib64smbsharemodes-devel-3.6.25-1.mbs2.x86_64.rpm
 fd1b2a84abeddad8d700fd2f03044b9c  mbs2/x86_64/lib64wbclient0-3.6.25-1.mbs2.x86_64.rpm
 22141daaf825543f94ac3d717c7fc546  mbs2/x86_64/lib64wbclient-devel-3.6.25-1.mbs2.x86_64.rpm
 83167c8ea7e8fafee55988ad3bbf0cbe  mbs2/x86_64/nss_wins-3.6.25-1.mbs2.x86_64.rpm
 d02c7826925091daf21f612a491f3d10  mbs2/x86_64/samba-client-3.6.25-1.mbs2.x86_64.rpm
 747f22b55716d64c3f8c68dc4f644f4a  mbs2/x86_64/samba-common-3.6.25-1.mbs2.x86_64.rpm
 7b4bb64285d633bcf7ee027c74112316  mbs2/x86_64/samba-doc-3.6.25-1.mbs2.noarch.rpm
 ae8b375a7415d5f18654a5771639cb73  mbs2/x86_64/samba-domainjoin-gui-3.6.25-1.mbs2.x86_64.rpm
 5e93bbf392bb83baa9a6eff2fd4975ed  mbs2/x86_64/samba-server-3.6.25-1.mbs2.x86_64.rpm
 4cf2f7bbebc7d62840514ae984c6c6ba  mbs2/x86_64/samba-swat-3.6.25-1.mbs2.x86_64.rpm
 34c333a6ddc9c59fe446cddf67120fac  mbs2/x86_64/samba-virusfilter-clamav-3.6.25-1.mbs2.x86_64.rpm
 a126f6022cd26bc032282cab61dc097b  mbs2/x86_64/samba-virusfilter-fsecure-3.6.25-1.mbs2.x86_64.rpm
 a5d673260f527fd58519dbcd62950b84  mbs2/x86_64/samba-virusfilter-sophos-3.6.25-1.mbs2.x86_64.rpm
 49592172e00aee408edcccc73b3cde65  mbs2/x86_64/samba-winbind-3.6.25-1.mbs2.x86_64.rpm 
 546147333706f85b79bc5a7390c9899f  mbs2/SRPMS/samba-3.6.25-1.mbs2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVFlU3mqjQ0CJFipgRAorMAJ4wSA7ksJ9nMr3mhnow+9+M0qg8fQCfech+
Q9OQhX7dd+rb3g6WzLJErO4=
=5rd1
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ