Debian Security Advisory

DSA-2812-1 samba -- several vulnerabilities

Date Reported:
09 Dec 2013
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2013-4408, CVE-2013-4475.
More information:

Two security issues were found in Samba, a SMB/CIFS file, print, and login server:

  • CVE-2013-4408

    It was discovered that multiple buffer overflows in the processing of DCE-RPC packets may lead to the execution of arbitrary code.

  • CVE-2013-4475

    Hemanth Thummala discovered that ACLs were not checked when opening files with alternate data streams. This issue is only exploitable if the VFS modules vfs_streams_depot and/or vfs_streams_xattr are used.

For the oldstable distribution (squeeze), these problems have been fixed in version 3.5.6~dfsg-3squeeze11.

For the stable distribution (wheezy), these problems have been fixed in version 3.6.6-6+deb7u2.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your samba packages.