From ${URL} :

Description

Two security issues have been reported in Samba, which can be exploited by malicious, local users to disclose certain sensitive information and by malicious users to bypass certain security restrictions.

1) The application does not properly apply access control list permissions when accessing alternate streams of a file or a directory. This can be exploited to e.g. disclose contents of otherwise inaccessible alternate streams. Successful exploitation requires the "vfs_streams_depot" or "vfs_streams_xattr" module to be loaded (not loaded by default). This security issue is reported in versions prior to 3.6.20, 4.0.11, and 4.1.1.

2) The application creates private keys that are used for the SSL/TLS encryption for ldaps with insecure world-readable permissions. This can be exploited to disclose the keys and subsequently e.g. disclose or manipulate HTTPS traffic. Successful exploitation requires the "server services" option to contain "web" (does not contain by default). This security issue is reported in versions prior to 4.0.11 and 4.1.1.

Solution: Update to version 3.6.20, 4.0.11, or 4.1.1.

Provided and/or discovered by: The vendor credits: 1) Hemanth Thummala. 2) Stefan Metzmacher and Björn Baumbach, SerNet.

Original Advisory:
http://www.samba.org/samba/security/CVE-2013-4475
http://www.samba.org/samba/security/CVE-2013-4476
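As an added example (not part of the original report, and not Samba or Gentoo tooling): a check that applies the version ranges and preconditions from the advisory quoted above to a Samba version string and smb.conf text. The function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample smb.conf for illustration (not from the report).
SAMPLE_CONF = """
[global]
   server services = +web
[projects]
   path = /srv/projects
   VFS Objects = acl_xattr streams_xattr
"""

def parse_smb_conf(text):
    """Return {section: {normalized_param: value}} from smb.conf-style text."""
    conf, section = {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif "=" in line:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names.
            key = re.sub(r"\s+", "", key).lower()
            conf.setdefault(section, {})[key] = value.strip()
    return conf

def unpatched(v):
    """True if version tuple v predates the fixed releases named in the advisory."""
    if v[0] == 3:
        return v < (3, 6, 20)
    fixed = {(4, 0): (4, 0, 11), (4, 1): (4, 1, 1)}.get(v[:2])
    return fixed is not None and v < fixed

def assess(version, conf_text):
    """Map each CVE to True when version and configuration match the advisory."""
    v = tuple(int(x) for x in re.findall(r"\d+", version)[:3])
    conf = parse_smb_conf(conf_text)
    wanted = {"streams_depot", "streams_xattr"}
    # Sections (shares or [global]) that load one of the stream modules.
    streams = sorted(sec for sec, p in conf.items()
                     if wanted & set(re.split(r"[\s,]+", p.get("vfsobjects", ""))))
    services = re.split(r"[\s,]+", conf.get("global", {}).get("serverservices", ""))
    web = any(s.lstrip("+") == "web" for s in services if not s.startswith("-"))
    return {"CVE-2013-4475": unpatched(v) and bool(streams),
            "CVE-2013-4476": unpatched(v) and v[0] == 4 and web,
            "stream_shares": streams}
```

A result of `True` only means the installed version and configuration match the conditions stated in the advisory; on the 4.x branches the permissions of the existing TLS key file still need to be checked separately.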
+*samba-4.1.1 (12 Nov 2013) +*samba-4.0.11 (12 Nov 2013) +*samba-3.6.20 (12 Nov 2013) + + 12 Nov 2013; Lars Wendler <polynomial-c@gentoo.org> -samba-3.6.16.ebuild, + +samba-3.6.20.ebuild, +samba-4.0.11.ebuild, +samba-4.1.1.ebuild, + +files/samba-4.1.0-remove-dmapi-automagic.patch: + Security bumps for CVE-2013-4475 and CVE-2013-4476. Removed automagic + dependency on dmapi. Thanks to Andreas Sturmlechner for providing a patch in + bug #474492. Removed old. +
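Review bot: The ChangeLog entry folds a non-security change into the security bump: next to "Security bumps for CVE-2013-4475 and CVE-2013-4476" it adds files/samba-4.1.0-remove-dmapi-automagic.patch (bug #474492) and drops samba-3.6.16.ebuild ("Removed old"). The entry does not say which of the three new ebuilds apply the dmapi patch; naming them, or landing the build-system change in a separate entry, would let the security bump be reviewed and stabilized on its own.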
Oh well... arches please test and mark stable =net-fs/samba-3.6.20. Target KEYWORDS are: alpha amd64 arm hppa ia64 ~mips ppc ppc64 sparc x86 ~amd64-fbsd ~x86-fbsd ~arm-linux ~x86-linux
Stable for HPPA.
amd64 stable
x86 stable
ppc stable
ppc64 stable
arm stable
sparc stable
alpha stable
CVE-2013-4476 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4476): Samba 4.0.x before 4.0.11 and 4.1.x before 4.1.1, when LDAP or HTTP is provided over SSL, uses world-readable permissions for a private key, which allows local users to obtain sensitive information by reading the key file, as demonstrated by access to the local filesystem on an AD domain controller.

CVE-2013-4475 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4475): Samba 3.x before 3.6.20, 4.0.x before 4.0.11, and 4.1.x before 4.1.1, when vfs_streams_depot or vfs_streams_xattr is enabled, allows remote attackers to bypass intended file restrictions by leveraging ACL differences between a file and an associated alternate data stream (ADS).
*** Bug 490240 has been marked as a duplicate of this bug. ***
Stabilized a newer version for ia64. Maintainer: please cleanup. Security: please vote
This has been cleaned up by masking old packages by maintainer(s). Added it to an existing GLSA Request.
This issue was resolved and addressed in GLSA 201502-15 at http://security.gentoo.org/glsa/glsa-201502-15.xml by GLSA coordinator Kristian Fiskerstrand (K_F).