Two vulnerabilities have been discovered in the Samba software package. Remote attackers can exploit them to inject arbitrary HTML and script code and to gain elevated privileges.
Package:
Samba 3.x
Operating systems:
Fedora 14, Fedora 15
Severity:
5.9
Problem:
CSRF, XSS
Exploitation:
remote
Consequence:
gaining elevated privileges, injection of HTML and script code
Solution:
vendor software patch
CVE:
CVE-2011-2522, CVE-2011-2694
Original advisory ID:
FEDORA-2011-10367
Source:
Fedora
Problem:
Numerous CSRF (cross-site request forgery) vulnerabilities have been discovered in the SWAT (Samba Web Administration Tool) component. An XSS vulnerability has been discovered in the "chg_passwd" function in the file "web/swat.c".
Consequence:
A remote attacker can exploit the first vulnerability to gain additional privileges with which they can add and remove user accounts, printers and shares. The second vulnerability can also be exploited by remote attackers to inject arbitrary HTML and script code.
Solution:
Users are advised to apply the official software patches, which fix both vulnerabilities.
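As an added check that is not part of this advisory or of the Fedora notification, the following Python snippet decides whether an installed samba package string, in the form printed by `rpm -q samba`, is at or above version 3.5.10, the version in which the Fedora update fixes both CVEs. The package strings it handles are constructed samples, and the version comparison is a simplified rpm-style comparison (no tilde/caret handling).

```python
import re

# Version in which the Fedora samba package fixes CVE-2011-2522 and
# CVE-2011-2694 (taken from the update notification). Any version at or
# above this carries the fix.
FIXED_VERSION = "3.5.10"

# rpm compares versions as runs of digits or letters, not as plain strings,
# so "3.5.10" sorts after "3.5.9".
_SEGMENT = re.compile(r"(\d+|[A-Za-z]+)")


def rpm_vercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: returns -1, 0 or 1 for a <, ==, > b.
    Numeric segments compare as integers, alphabetic ones as strings,
    and a numeric segment sorts newer than an alphabetic one."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) != len(sb):
        return 1 if len(sa) > len(sb) else -1
    return 0


def parse_nvr(nvr: str):
    """Split 'samba-3.5.11-79.fc14' into (name, version, release)."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def is_patched(nvr: str) -> bool:
    """True if the given samba package build is at or above FIXED_VERSION."""
    name, version, _release = parse_nvr(nvr)
    if name != "samba":
        raise ValueError(f"not a samba package: {nvr}")
    return rpm_vercmp(version, FIXED_VERSION) >= 0


if __name__ == "__main__":
    # Constructed sample package strings, modelled on the changelog versions.
    for sample in ("samba-3.5.11-79.fc14", "samba-3.5.9-77.fc14"):
        print(sample, "patched" if is_patched(sample) else "VULNERABLE")
```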
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-10367
2011-08-05 03:32:49
--------------------------------------------------------------------------------
Name : samba
Product : Fedora 14
Version : 3.5.11
Release : 79.fc14
URL : http://www.samba.org/
Summary : Server and Client software to interoperate with Windows machines
Description :
Samba is the suite of programs by which a lot of PC-related machines
share files, printers, and other information (such as lists of
available files and printers). The Windows NT, OS/2, and Linux
operating systems support this natively, and add-on packages can
enable the same thing for DOS, Windows, VMS, UNIX of all kinds, MVS,
and more. This package provides an SMB/CIFS server that can be used to
provide network services to SMB/CIFS clients.
Samba uses NetBIOS over TCP/IP (NetBT) protocols and does NOT
need the NetBEUI (Microsoft Raw NetBIOS frame) protocol.
--------------------------------------------------------------------------------
Update Information:
Windows security patch KB2536276 prevents access to samba shares
Security update to 3.5.10, fixes CVE-2011-2522 and CVE-2011-2694
--------------------------------------------------------------------------------
ChangeLog:
* Thu Aug 4 2011 Guenther Deschner <e-mail elided> - 3.5.11-79
- Update to 3.5.11
- resolves: #713648
* Tue Aug 2 2011 Guenther Deschner <e-mail elided> - 3.5.10-78
- Security update to 3.5.10, fixes CVE-2011-2522 and CVE-2011-2694
- resolves: #725890
* Tue Jun 14 2011 Guenther Deschner <e-mail elided> - 3.5.9-77
- Update to 3.5.9
* Fri Apr 1 2011 Guenther Deschner <e-mail elided> - 3.5.8-76
- Fix nmb init script description
- resolves: #551631
- Fix root check in smb init script
- resolves: #577533
- Check for wbpriv group existence in samba-common
- resolves: #643362
* Tue Mar 22 2011 Guenther Deschner <e-mail elided> - 3.5.8-75
- Fix broken smb.conf.5 manpage
- resolves: #689605
* Tue Mar 8 2011 Guenther Deschner <e-mail elided> - 3.5.8-74
- Update to 3.5.8
- resolves: #596830
* Thu Mar 3 2011 Guenther Deschner <e-mail elided> - 3.5.7-73
- Security update to 3.5.7 to address CVE-2011-0719
- resolves: #681852
* Thu Jan 6 2011 Guenther Deschner <e-mail elided> - 3.5.6-72
- Fix GSSAPI checksum for some SMB servers
- resolves: #667647
* Mon Nov 22 2010 Guenther Deschner <e-mail elided> - 3.5.6-71
- Handle no network case in init scripts
- resolves: #655766
* Thu Nov 18 2010 Guenther Deschner <e-mail elided> - 3.5.6-70
- Fix libsmbclient SMB signing
- resolves: #654408
* Fri Oct 8 2010 Guenther Deschner <e-mail elided> - 3.5.6-69
- Update to 3.5.6
- resolves: #617771
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #713648 - Windows security patch KB2536276 prevents access to samba shares
https://bugzilla.redhat.com/show_bug.cgi?id=713648
[ 2 ] Bug #725890 - CVE-2011-2522 CVE-2011-2694 samba various flaws [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=725890
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update samba' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
https://admin.fedoraproject.org/mailman/listinfo/package-announce
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-10341
2011-08-05 03:31:52
--------------------------------------------------------------------------------
Name : samba
Product : Fedora 15
Version : 3.5.11
Release : 71.fc15.1
URL : http://www.samba.org/
Summary : Server and Client software to interoperate with Windows machines
Description :
Samba is the suite of programs by which a lot of PC-related machines
share files, printers, and other information (such as lists of
available files and printers). The Windows NT, OS/2, and Linux
operating systems support this natively, and add-on packages can
enable the same thing for DOS, Windows, VMS, UNIX of all kinds, MVS,
and more. This package provides an SMB/CIFS server that can be used to
provide network services to SMB/CIFS clients.
Samba uses NetBIOS over TCP/IP (NetBT) protocols and does NOT
need the NetBEUI (Microsoft Raw NetBIOS frame) protocol.
--------------------------------------------------------------------------------
Update Information:
Windows security patch KB2536276 prevents access to samba shares
Security update to 3.5.10, fixes CVE-2011-2522 and CVE-2011-2694
--------------------------------------------------------------------------------
ChangeLog:
* Thu Aug 4 2011 Guenther Deschner <e-mail elided> - 3.5.11-71
- Update to 3.5.11
- resolves: #713648
* Tue Aug 2 2011 Guenther Deschner <e-mail elided> - 3.5.10-70
- Security update to 3.5.10, fixes CVE-2011-2522 and CVE-2011-2694
- resolves: #725890
* Tue Jun 14 2011 Guenther Deschner <e-mail elided> - 3.5.9-69
- Update to 3.5.9
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #713648 - Windows security patch KB2536276 prevents access to samba shares
https://bugzilla.redhat.com/show_bug.cgi?id=713648
[ 2 ] Bug #725890 - CVE-2011-2522 CVE-2011-2694 samba various flaws [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=725890
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update samba' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------