[SCM] Samba Website Repository - branch master updated

Karolin Seeger kseeger at samba.org
Sun Dec 8 22:44:35 MST 2013


The branch, master has been updated
       via  f32a5a1 Add security advisories for CVE-2013-4408 and CVE-2012-6150.
      from  1e82af3 Update latest stable release...

http://gitweb.samba.org/?p=samba-web.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit f32a5a1e0e90362078b28fa321785b95c24f53a7
Author: Karolin Seeger <kseeger at samba.org>
Date:   Mon Dec 9 06:43:33 2013 +0100

    Add security advisories for CVE-2013-4408 and CVE-2012-6150.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 security/CVE-2012-6150.html |   76 +++++++++++++++++++++++++++++++++++
 security/CVE-2013-4408.html |   93 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 169 insertions(+), 0 deletions(-)
 create mode 100644 security/CVE-2012-6150.html
 create mode 100644 security/CVE-2013-4408.html


Changeset truncated at 500 lines:

diff --git a/security/CVE-2012-6150.html b/security/CVE-2012-6150.html
new file mode 100644
index 0000000..f11a3df
--- /dev/null
+++ b/security/CVE-2012-6150.html
@@ -0,0 +1,76 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+   <H2>CVE-2012-6150.html:</H2>
+
+<p>
+<pre>
+===========================================================
+== Subject:     pam_winbind login without require_membership_of restrictions
+==
+== CVE ID#:     CVE-2012-6150
+==
+== Versions:    Samba 3.3.10, 3.4.3, 3.5.0 and later
+==
+== Summary:     Login of authenticated users is not restricted by the
+==              pam_winbind require_membership_of parameter if it only
+==              specifies invalid group names.
+==
+===========================================================
+
+===========
+Description
+===========
+
+Winbind allows for the further restriction of authenticated PAM logins using
+the require_membership_of parameter. System administrators may specify a list
+of SIDs or groups for which an authenticated user must be a member of. If an
+authenticated user does not belong to any of the entries, then login should
+fail. Invalid group name entries are ignored.
+
+Samba versions 3.3.10, 3.4.3, 3.5.0 and later incorrectly allow login from
+authenticated users if the require_membership_of parameter specifies only
+invalid group names.
+
+This is a vulnerability with low impact. All require_membership_of group
+names must be invalid for this bug to be encountered.
+
+==================
+Patch Availability
+==================
+
+Patches addressing this issue have been posted to:
+
+    http://www.samba.org/samba/security/
+
+Samba versions 3.6.22, 4.0.13, and 4.1.3 have been released to address this
+issue.
+
+==========
+Workaround
+==========
+
+Ensure that the require_membership_of parameter only refers to SIDs or valid
+Active Directory group names.
+
+=======
+Credits
+=======
+
+This problem was found by Noel Power from SUSE who also provided the patch
+to fix the issue.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+</pre>
+</body>
+</html>
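Review bot: The markup at the top of the body does not match the XHTML 1.0 Transitional doctype this file declares. The heading uses an uppercase <H2> element, and the <p> opened directly before <pre> is never closed; a <pre> block cannot be nested inside a <p> in any case. Suggest a lowercase <h2>...</h2> and dropping the stray <p>. The heading text "CVE-2012-6150.html:" is only the file name; the advisory's Subject line would tell a reader more. In the Description, "Invalid group name entries are ignored." sits between the intended behaviour and the bug statement without saying which it describes. Since that ignoring is what leads to the empty-list case, a short clause tying it to the affected versions would make the cause clearer to administrators checking their require_membership_of settings.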
diff --git a/security/CVE-2013-4408.html b/security/CVE-2013-4408.html
new file mode 100644
index 0000000..87318ca
--- /dev/null
+++ b/security/CVE-2013-4408.html
@@ -0,0 +1,93 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+   <H2>CVE-2013-4408.html:</H2>
+
+<p>
+<pre>
+===========================================================
+== Subject:     DCE-RPC fragment length field is incorrectly checked.
+==
+== CVE ID#:     CVE-2013-4408
+==
+== Versions:    All versions of Samba later than 3.4.0
+==
+== Summary:     Incorrect length checks on DCE-RPC fragment lengths
+==              cause Samba client utilities including winbindd to
+==              be vulnerable to buffer overrun exploits.
+==
+===========================================================
+
+===========
+Description
+===========
+
+Samba versions 3.4.0 and above (versions 3.4.0 - 3.4.17, 3.5.0 -
+3.5.22, 3.6.0 - 3.6.21, 4.0.0 - 4.0.12 and including 4.1.2) are
+vulnerable to buffer overrun exploits in the client processing of
+DCE-RPC packets. This is due to incorrect checking of the DCE-RPC
+fragment length in the client code.
+
+This is a critical vulnerability as the DCE-RPC client code is part of
+the winbindd authentication and identity mapping daemon, which is
+commonly configured as part of many server installations (when joined
+to an Active Directory Domain). A malicious Active Directory Domain
+Controller or man-in-the-middle attacker impersonating an Active
+Directory Domain Controller could achieve root-level access by
+compromising the winbindd process.
+
+Samba server versions 3.4.0 - 3.4.17 and versions 3.5.0 - 3.5.22 are
+also vulnerable to a denial of service attack (server crash) due to a
+similar error in the server code of those versions.
+
+Samba server versions 3.6.0 and above (including all 3.6.x versions,
+all 4.0.x versions and 4.1.x) are not vulnerable to this problem.
+
+In addition range checks were missing on arguments returned from calls
+to the DCE-RPC functions LookupSids (lsa and samr), LookupNames (lsa and samr)
+and LookupRids (samr) which could also cause similar problems.
+
+As this was found during an internal audit of the Samba code there are
+no currently known exploits for this problem (as of December 9th 2013).
+
+==================
+Patch Availability
+==================
+
+Patches addressing all these issues have been posted to:
+
+    http://www.samba.org/samba/security/
+
+Samba versions 3.6.22, 4.0.13, and 4.1.3 have been released to
+address this issue. Patches for 3.4.17 and 3.5.22 are available at the above URL.
+
+==========
+Workaround
+==========
+
+None.
+
+=======
+Credits
+=======
+
+This problem was found by an internal audit of the Samba code by
+Stefan Metzmacher and Michael Adam of SerNet.
+
+Patches provided by Stefan Metzmacher and Jeremy Allison of the Samba
+team.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+</pre>
+</body>
+</html>
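Review bot: The affected-version statements in this advisory disagree with each other. The header says "All versions of Samba later than 3.4.0", which excludes 3.4.0 itself, while the Description says "Samba versions 3.4.0 and above" and lists 3.4.0 - 3.4.17. Suggest making the header read "Samba 3.4.0 and later" so the two agree. In the same parenthesis, "and including 4.1.2" gives no lower bound for the 4.1 series, unlike the other ranges; spell out the 4.1 range explicitly if the whole series up to 4.1.2 is meant. The server-side paragraphs would also be easier to act on if the denial-of-service scope (3.4.0 - 3.4.17 and 3.5.0 - 3.5.22 only) were marked as applying to the server code, so it is not read as narrowing the client-side winbindd issue. As in the other new file, <H2> should be lowercase for the declared XHTML doctype and the <p> before <pre> is never closed.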


-- 
Samba Website Repository

