Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 377909 (CVE-2011-2522)

Summary: <net-fs/samba-3.5.10: Cross-site Request Forgery (CVE-2011-{2522,2694})
Product: Gentoo Security Reporter: gregorcy <gregorcy>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: samba
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B4 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 318285    
Bug Blocks:    

Description gregorcy 2011-08-05 19:34:18 UTC
Samba 3.5.11 has been released that fixes a problem with windows clients no longer being able to connect to samba shares after Windows Patch KB2536276 is installed

Reproducible: Always
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2011-08-05 20:07:18 UTC
3.5.11 is not particularly important, but 3.5.10 is a security release:

Samba 3.5.10 Available for Download

                   Release Notes for Samba 3.5.10
			   July 26, 2011

This is a security release in order to address
CVE-2011-2522 (Cross-Site Request Forgery in SWAT) and
CVE-2011-2694 (Cross-Site Scripting vulnerability in SWAT).

o  CVE-2011-2522:
   The Samba Web Administration Tool (SWAT) in Samba versions
   3.0.x to 3.5.9 are affected by a cross-site request forgery.

o  CVE-2011-2694:
   The Samba Web Administration Tool (SWAT) in Samba versions
   3.0.x to 3.5.9 are affected by a cross-site scripting

Please note that SWAT must be enabled in order for these
vulnerabilities to be exploitable. By default, SWAT
is *not* enabled on a Samba install.

Changes since 3.5.9:

o   Kai Blin <>
    * BUG 8289: SWAT contains a cross-site scripting vulnerability.
    * BUG 8290: CSRF vulnerability in SWAT.
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2011-08-07 20:13:00 UTC
+*samba-3.5.11 (07 Aug 2011)
+  07 Aug 2011; Lars Wendler <> files/3.4/samba.confd,
+  +samba-3.5.11.ebuild, files/3.5/samba.confd, samba-3.6.0_rc3-r1.ebuild,
+  files/3.6/samba.confd:
+  Non-maintaner commit: 3.5.11 version bump (bug #377909), removed --oknodo
+  from confd files (see bug #377843 as reference), install pam_winbind.conf
+  when "pam" and "winbind" USE flags are enabled (bug #376853).
Comment 3 Víctor Ostorga (RETIRED) gentoo-dev 2011-08-09 17:22:54 UTC
All vulnerable versions have been dropped, except the current stable

@security : please proceed with stabilizing samba-3.5.11 , target: alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86
Comment 4 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2011-08-13 15:52:37 UTC
Arches please test and mark stable net-fs/samba-3.5.11

According to Victor target keywords are:

alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86
Comment 5 Agostino Sarubbo gentoo-dev 2011-08-13 17:45:11 UTC

Please test and stabilize also: =dev-db/ctdb-1.0.114_p1

is a depend.
Comment 6 Agostino Sarubbo gentoo-dev 2011-08-14 00:17:05 UTC
I cant'give ok because fails to compile as I've reported.
Comment 7 Elijah "Armageddon" El Lazkani (amd64 AT) 2011-08-14 05:14:52 UTC
amd64: fails emerge. bug 318285 with this version as well.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2011-08-15 13:24:34 UTC
(In reply to comment #5)
> arches,
> Please test and stabilize also: =dev-db/ctdb-1.0.114_p1
> is a depend.

You don't have the point out the painly obvious every time, thanks.
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2011-08-15 13:24:48 UTC
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2011-08-15 13:37:34 UTC
Stable for HPPA.
Comment 11 Víctor Ostorga (RETIRED) gentoo-dev 2011-08-15 17:16:28 UTC
bug #318285 have been fixed.
Comment 12 Agostino Sarubbo gentoo-dev 2011-08-15 17:31:58 UTC
(In reply to comment #11)
> bug #318285 have been fixed.

works now, amd64 ok
Comment 13 Tony Vroon (RETIRED) gentoo-dev 2011-08-16 13:02:44 UTC
+  16 Aug 2011; Tony Vroon <> ctdb-1.0.114_p1.ebuild:
+  Marked stable on AMD64 as a dependency of net-fs/samba-3.5.11; based on arch
+  testing by Agostino "ago" Sarubbo in bug #377909.

+  16 Aug 2011; Tony Vroon <> samba-3.5.11.ebuild:
+  Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo in bug
+  #377909.
Comment 14 Ian Delaney (RETIRED) gentoo-dev 2011-08-16 13:12:38 UTC

all ok
Comment 15 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-08-17 03:50:30 UTC
x86 stable
Comment 16 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-08-18 07:30:26 UTC
ppc/ppc64 stable
Comment 17 Markus Meier gentoo-dev 2011-08-25 20:46:07 UTC
arm stable
Comment 18 Raúl Porcel (RETIRED) gentoo-dev 2011-08-27 11:23:12 UTC
alpha/ia64/s390/sh/sparc stable
Comment 19 Tim Sammut (RETIRED) gentoo-dev 2011-08-27 16:36:41 UTC
Thanks, folks. GLSA Vote: No (xss and csrf)
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2011-10-07 22:38:04 UTC
CVE-2011-2522 (
  Multiple cross-site request forgery (CSRF) vulnerabilities in the Samba Web
  Administration Tool (SWAT) in Samba 3.x before 3.5.10 allow remote attackers
  to hijack the authentication of administrators for requests that (1) shut
  down daemons, (2) start daemons, (3) add shares, (4) remove shares, (5) add
  printers, (6) remove printers, (7) add user accounts, or (8) remove user
  accounts, as demonstrated by certain start, stop, and restart parameters to
  the status program.
Comment 21 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-07 22:38:48 UTC
Vote: no, closing noglsa.
Comment 22 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-07 22:39:03 UTC
actually closing