UbuntuUpdates.org

Package "samba"

Name: samba

Description:

This package is just an umbrella for a group of other packages; it has no description of its own.
Description samples from packages in group:

  • Samba testing utilities
  • Samba Web Administration Tool

Latest version: 2:3.6.25-0ubuntu0.12.04.10
Release: precise (12.04)
Level: updates
Repository: universe

Other versions of "samba" in Precise

Repository Area Version
base main 2:3.6.3-2ubuntu2
base universe 2:3.6.3-2ubuntu2
security universe 2:3.6.25-0ubuntu0.12.04.10
security main 2:3.6.25-0ubuntu0.12.04.10
updates main 2:3.6.25-0ubuntu0.12.04.10
PPA: nathan-renniewaldock ppa 2:3.6.7-1~ppa~precise

Changelog

Version: 2:3.6.25-0ubuntu0.12.04.2 2016-04-18 14:07:01 UTC

  samba (2:3.6.25-0ubuntu0.12.04.2) precise-security; urgency=medium

  * SECURITY UPDATE: fix multiple security issues
    - debian/patches/CVE-preparation-v3-6.patch: code changes required
      for security patches.
    - debian/patches/CVE-2016-2110-v3-6.patch: Man in the middle attacks
      possible with NTLMSSP.
    - debian/patches/CVE-2016-2111-v3-6.patch: NETLOGON Spoofing
      Vulnerability.
    - debian/patches/CVE-2016-2112-v3-6.patch: The LDAP client and server
      don't enforce integrity protection.
    - debian/patches/CVE-2016-2115-v3-6.patch: SMB client connections for
      IPC traffic are not integrity protected.
    - debian/patches/CVE-2016-2118-v3-6.patch: SAMR and LSA man in the
      middle attacks possible.
    - debian/patches/CVE-2015-5370-v3-6.patch: Multiple errors in DCE-RPC
      code
    - Thanks to Andreas Schneider, Ralph Böhme, Stefan Metzmacher,
      Günther Deschner and Aurélien Aptel for the patch backports to
      Samba 3.6!
  * Updated to upstream 3.6.25
    - Removed upstreamed patches: initialize_password_db-null-deref,
      fix-samba.ldip-syntax.patch, CVE-2012-1182-1.patch,
      CVE-2012-1182-2.patch, CVE-2012-2111.patch,
      lp_970679_fix-large-groups.patch,
      net-rpc-share-allowedusers-with-2008r2.patch,
      lp_967410_fix-cups-printer-not-added-to-registry.patch,
      lp_1016895_setgroups_3.5.patch, winbind-kerberos-refresh.patch,
      CVE-2013-0454.patch,
      lp_1003296_fix-login-with-expiring-user-passwords.patch,
      CVE-2013-4124.patch, CVE-2013-4475.patch, CVE-2012-6150.patch,
      CVE-2013-4408.patch, CVE-2013-4496.patch, CVE-2014-0244.patch,
      CVE-2014-3493.patch, CVE-2015-0240.patch,
      security-CVE-2013-0213.patch, security-CVE-2013-0214.patch.
    - debian/rules: don't build external libtevent
    - debian/rules: add idl_full to dh_auto_build

 -- Marc Deslauriers <email address hidden> Tue, 12 Apr 2016 07:21:15 -0400

CVE-2016-2110 Man in the middle attacks possible with NTLMSSP
CVE-2016-2111 NETLOGON Spoofing Vulnerability
CVE-2016-2112 The LDAP client and server don't enforce integrity protection
CVE-2016-2115 SMB client connections for IPC traffic are not integrity protected
CVE-2016-2118 SAMR and LSA man in the middle attacks possible
CVE-2015-5370 Multiple errors in DCE-RPC code
CVE-2012-1182 The RPC code generator in Samba 3.x before 3.4.16, 3.5.x before 3.5.14, and 3.6.x before 3.6.4 does not implement validation of an array length in a m
CVE-2012-2111 Incorrect permission checks when granting/removing privileges
CVE-2013-0454 The SMB2 implementation in Samba 3.6.x before 3.6.6, as used on the IBM Storwize V7000 Unified 1.3 before 1.3.2.3 and 1.4 before 1.4.0.1 and possibly
CVE-2013-4124 Integer overflow in the read_nttrans_ea_list function in nttrans.c in ...
CVE-2013-4475 Samba 3.x before 3.6.20, 4.0.x before 4.0.11, and 4.1.x before 4.1.1, ...
CVE-2012-6150 The winbind_name_list_to_sid_string_list function in ...
CVE-2013-4408 Heap-based buffer overflow in the dcerpc_read_ncacn_packet_done function in librpc/rpc/dcerpc_util.c in winbindd in Samba 3.x before 3.6.22, 4.0.x be
CVE-2013-4496 Samba 3.x before 3.6.23, 4.0.x before 4.0.16, and 4.1.x before 4.1.6 ...
CVE-2014-0244 The sys_recvfrom function in nmbd in Samba 3.6.x before 3.6.24, 4.0.x ...
CVE-2014-3493 The push_ascii function in smbd in Samba 3.6.x before 3.6.24, 4.0.x ...
CVE-2015-0240 The Netlogon server implementation in smbd in Samba 3.5.x and 3.6.x before 3.6.25, 4.0.x before 4.0.25, 4.1.x before 4.1.17, and 4.2.x before 4.2.0rc
CVE-2013-0213 The Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.21, 3.6.x before 3.6.12, and 4.x before 4.0.2 allows remote attackers to conduct cli
CVE-2013-0214 Cross-site request forgery (CSRF) vulnerability in the Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.21, 3.6.x before 3.6.12, and 4.x

Version: 2:3.6.3-2ubuntu2.17 2016-03-08 16:06:34 UTC

  samba (2:3.6.3-2ubuntu2.17) precise-security; urgency=medium

  * SECURITY UPDATE: incorrect ACL get/set allowed on symlink path
    - debian/patches/CVE-2015-7560.patch: properly handle symlinks in
      source3/smbd/nttrans.c, source3/smbd/trans2.c.
    - CVE-2015-7560
  * SECURITY UPDATE: clickjacking vulnerability in SWAT
    - debian/patches/security-CVE-2013-0213.patch: use X-Frame-Options
      header in source3/web/swat.c.
    - CVE-2013-0213
  * SECURITY UPDATE: CSRF vulnerability in SWAT
    - debian/patches/security-CVE-2013-0214.patch: use additional nonce on
      XSRF protection in source3/web/cgi.c, source3/web/swat.c,
      source3/web/swat_proto.h.
    - CVE-2013-0214

 -- Marc Deslauriers <email address hidden> Mon, 07 Mar 2016 07:13:51 -0500

CVE-2015-7560 Incorrect ACL get/set allowed on symlink path
CVE-2013-0213 The Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.21, 3.6.x before 3.6.12, and 4.x before 4.0.2 allows remote attackers to conduct cli
CVE-2013-0214 Cross-site request forgery (CSRF) vulnerability in the Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.21, 3.6.x before 3.6.12, and 4.x

Version: 2:3.6.3-2ubuntu2.14 2016-02-16 16:07:11 UTC

  samba (2:3.6.3-2ubuntu2.14) precise-security; urgency=medium

  * Fixes regression introduced by debian/patches/CVE-2015-5252.patch.
    (LP: #1545750)

 -- Dariusz Gadomski <email address hidden> Mon, 15 Feb 2016 15:43:57 +0100

1545750 Access denied if the share path is \
CVE-2015-5252 vfs.c in smbd in Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3, when share names with certain substring relationships e

Version: 2:3.6.3-2ubuntu2.13 2016-01-05 21:07:04 UTC

  samba (2:3.6.3-2ubuntu2.13) precise-security; urgency=medium

  * SECURITY UPDATE: file-access restrictions bypass via symlink
    - debian/patches/CVE-2015-5252.patch: validate matching component in
      source3/smbd/vfs.c.
    - CVE-2015-5252
  * SECURITY UPDATE: man-in-the-middle attack via encrypted-to-unencrypted
    downgrade
    - debian/patches/CVE-2015-5296.patch: force signing in
      source3/libsmb/clidfs.c, source3/libsmb/libsmb_server.c.
    - CVE-2015-5296
  * SECURITY UPDATE: snapshot access via shadow copy directory
    - debian/patches/CVE-2015-5299.patch: fix missing access checks in
      source3/modules/vfs_shadow_copy2.c.
    - CVE-2015-5299
  * SECURITY UPDATE: information leak via incorrect string length handling
    - debian/patches/CVE-2015-5330.patch: fix string length handling in
      lib/util/charset/charset.h, lib/util/charset/codepoints.c,
      lib/util/charset/util_unistr.c, source3/lib/util_str.c.
    - CVE-2015-5330

 -- Marc Deslauriers Mon, 04 Jan 2016 14:50:47 -0500

CVE-2015-5252 vfs.c in smbd in Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3, when share names with certain substring relationships e
CVE-2015-5296 Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3 supports connections that are encrypted but unsigned, which allows man-in
CVE-2015-5299 The shadow_copy2_get_shadow_copy_data function in modules/vfs_shadow_copy2.c in Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before
CVE-2015-5330 ldb before 1.1.24, as used in the AD LDAP server in Samba 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3, mishandles string lengths, w

Version: 2:3.6.3-2ubuntu2.12 2015-02-23 20:06:53 UTC

  samba (2:3.6.3-2ubuntu2.12) precise-security; urgency=medium

  * SECURITY UPDATE: code execution vulnerability in smbd daemon
    - debian/patches/CVE-2015-0240.patch: don't call talloc_free on an
      uninitialized pointer and don't dereference a NULL pointer in
      source3/rpc_server/netlogon/srv_netlog_nt.c, initialize creds_out in
      libcli/auth/schannel_state_tdb.c.
    - CVE-2015-0240

 -- Marc Deslauriers <email address hidden> Mon, 23 Feb 2015 10:29:50 -0500