Summary: | <net-fs/samba-{3.6.20, 4.0.11, 4.1.1}: Insecure File Permissions and Security Bypass Security Issues (CVE-2013-{4475,4476}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Lars Wendler (Polynomial-C) (RETIRED) <polynomial-c> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | samba |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://secunia.com/advisories/55638/ | ||
Whiteboard: | C3 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Lars Wendler (Polynomial-C) (RETIRED)
2013-11-12 09:33:30 UTC
+*samba-4.1.1 (12 Nov 2013) +*samba-4.0.11 (12 Nov 2013) +*samba-3.6.20 (12 Nov 2013) + + 12 Nov 2013; Lars Wendler <polynomial-c@gentoo.org> -samba-3.6.16.ebuild, + +samba-3.6.20.ebuild, +samba-4.0.11.ebuild, +samba-4.1.1.ebuild, + +files/samba-4.1.0-remove-dmapi-automagic.patch: + Security bumps for CVE-2013-4475 and CVE-2013-4476. Removed automagic + dependency on dmapi. Thanks to Andreas Sturmlechner for providing a patch in + bug #474492. Removed old. + Oh well... arches please test and mark stable =net-fs/samba-3.6.20. Target KEYWORDS are: alpha amd64 arm hppa ia64 ~mips ppc ppc64 sparc x86 ~amd64-fbsd ~x86-fbsd ~arm-linux ~x86-linux Stable for HPPA. amd64 stable x86 stable ppc stable ppc64 stable arm stable sparc stable alpha stable CVE-2013-4476 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4476): Samba 4.0.x before 4.0.11 and 4.1.x before 4.1.1, when LDAP or HTTP is provided over SSL, uses world-readable permissions for a private key, which allows local users to obtain sensitive information by reading the key file, as demonstrated by access to the local filesystem on an AD domain controller. CVE-2013-4475 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4475): Samba 3.x before 3.6.20, 4.0.x before 4.0.11, and 4.1.x before 4.1.1, when vfs_streams_depot or vfs_streams_xattr is enabled, allows remote attackers to bypass intended file restrictions by leveraging ACL differences between a file and an associated alternate data stream (ADS). *** Bug 490240 has been marked as a duplicate of this bug. *** Stabilized a newer version for ia64. Maintainer: please cleanup. Security: please vote This has ben cleaned up by masking old packages by maintainer(s). Added it to an existing GLSA Request. This issue was resolved and addressed in GLSA 201502-15 at http://security.gentoo.org/glsa/glsa-201502-15.xml by GLSA coordinator Kristian Fiskerstrand (K_F). |