From $URL :

Description

A vulnerability has been reported in Samba, which can be exploited by malicious people to conduct clickjacking attacks.

The Samba Web Administration Tool (SWAT) allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. change certain settings by tricking a user into clicking a specially crafted link via clickjacking.

Successful exploitation requires that SWAT is enabled (disabled by default).

The vulnerability is reported in versions 3.0.x through 4.0.1.

Solution

Update to versions 4.0.2, 3.6.12, or 3.5.21.

Provided and/or discovered by

The vendor credits Jann Horn.

Original Advisory

http://www.samba.org/samba/history/security.html
http://www.samba.org/samba/security/CVE-2013-0213
http://www.samba.org/samba/security/CVE-2013-0214
@security: I've updated samba to versions 4.0.2, 3.6.12, or 3.5.21 and cleaned up old versions, excluding stable ones.

The stabilization schedule should be:

samba-3.6.12: amd64 hppa x86
samba-3.5.21: alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86
(In reply to comment #1)
> @security: I've updated samba to versions 4.0.2, 3.6.12, or 3.5.21 and
> cleaned up old versions, excluding stable ones.
>
> The stabilization schedule should be:
>
> samba-3.6.12: amd64 hppa x86
> samba-3.5.21: alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86

@security are you alive? May I stabilize the arches I use? I don't want users to use vulnerable versions.
CVE-2013-0214 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0214):
Cross-site request forgery (CSRF) vulnerability in the Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.21, 3.6.x before 3.6.12, and 4.x before 4.0.2 allows remote attackers to hijack the authentication of arbitrary users by leveraging knowledge of a password and composing requests that perform SWAT actions.

CVE-2013-0213 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0213):
The Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.21, 3.6.x before 3.6.12, and 4.x before 4.0.2 allows remote attackers to conduct clickjacking attacks via a (1) FRAME or (2) IFRAME element.
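The three affected ranges above (3.x before 3.5.21, 3.6.x before 3.6.12, 4.x before 4.0.2) are easy to get wrong by plain tuple comparison, because 3.6.0 sorts after 3.5.21 yet is still affected. The following is an added example, not code from this bug or from Samba, that encodes the ranges exactly as stated here and runs them over a constructed host inventory; the optional Gentoo-style "-rN" revision suffix it accepts is an assumption about how the package versions in the stabilization lines are named. A hit means the version is in range; whether SWAT is actually enabled on the host still has to be checked separately.

```python
import re

# Fixed versions from the advisory on this page: 4.0.2, 3.6.12, 3.5.21.
# Affected range per the advisory: 3.0.x through 4.0.1.
FIXED = {
    (4,): (4, 0, 2),
    (3, 6): (3, 6, 12),
    (3,): (3, 5, 21),
}

# MAJOR.MINOR.PATCH with an optional ebuild revision "-rN" (assumed naming).
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-r(\d+))?$")


def parse_version(text: str) -> tuple:
    """Return (major, minor, patch); the ebuild revision is dropped because
    the upstream fix is keyed on the upstream version, not the revision."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups()[:3])


def is_affected(version: str) -> bool:
    """True if this Samba version lies in the range affected by
    CVE-2013-0213 / CVE-2013-0214 (SWAT clickjacking / CSRF)."""
    v = parse_version(version)
    if v[0] == 4:
        return v < FIXED[(4,)]
    if v[0] == 3:
        if v[1] == 6:            # 3.6.x has its own fix release
            return v < FIXED[(3, 6)]
        return v < FIXED[(3,)]   # 3.0.x .. 3.5.x
    return False  # versions outside 3.x / 4.x are not covered by the advisory


def audit(inventory: dict) -> list:
    """Return the hosts whose installed version is affected, sorted by name."""
    return sorted(h for h, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (host -> installed samba version); not real data.
SAMPLE_INVENTORY = {
    "fileserver-a": "3.5.20",
    "fileserver-b": "3.6.12-r1",
    "dc-test": "4.0.1",
    "legacy-nas": "3.0.37",
    "dc-new": "4.0.2",
}

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: samba {SAMPLE_INVENTORY[host]} is affected; update")
```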
(In reply to comment #1)
> @security: I've updated samba to versions 4.0.2, 3.6.12, or 3.5.21 and
> cleaned up old versions, excluding stable ones.
>
> The stabilization schedule should be:
>
> samba-3.6.12: amd64 hppa x86
> samba-3.5.21: alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86

Arches, please test and mark stable.
x86 stable
amd64 stable
ppc stable
ppc64 stable
Stable for HPPA.
ia64 stable
sparc stable
arm stable
alpha stable
s390 stable
sh stable
Ready for vote, I vote NO.
GLSA vote: no, too. Closing noglsa.