Security Information / 2013 / Security Information -- DSA-2812-1 samba

Debian Security Advisory

DSA-2812-1 samba -- several vulnerabilities

Date Reported:

09 Dec 2013

Affected Packages:

samba

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2013-4408, CVE-2013-4475.

More information:

Two security issues were found in Samba, a SMB/CIFS file, print, and login server:

• CVE-2013-4408

  It was discovered that multiple buffer overflows in the processing of DCE-RPC packets may lead to the execution of arbitrary code.

• CVE-2013-4475

  Hemanth Thummala discovered that ACLs were not checked when opening files with alternate data streams. This issue is only exploitable if the VFS modules vfs_streams_depot and/or vfs_streams_xattr are used.

For the oldstable distribution (squeeze), these problems have been fixed in version 3.5.6~dfsg-3squeeze11.

For the stable distribution (wheezy), these problems have been fixed in version 3.6.6-6+deb7u2.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your samba packages.