DSA-2966-1 samba — security update

Date Reported:23 Jun 2014

Affected Packages:samba

Vulnerable:Yes

Security database references:In Mitre’s CVE dictionary: CVE-2014-0178CVE-2014-0244CVE-2014-3493.

More information:
Multiple vulnerabilities were discovered and fixed in Samba, a SMB/CIFS file, print, and login server:

  • CVE-2014-0178Information leak vulnerability in the VFS code, allowing an authenticated user to retrieve eight bytes of uninitialized memory when shadow copy is enabled.
  • CVE-2014-0244Denial of service (infinite CPU loop) in the nmbd Netbios name service daemon. A malformed packet can cause the nmbd server to enter an infinite loop, preventing it to process later requests to the Netbios name service.
  • CVE-2014-3493Denial of service (daemon crash) in the smbd file server daemon. An authenticated user attempting to read a Unicode path using a non-Unicode request can force the daemon to overwrite memory at an invalid address.

For the stable distribution (wheezy), these problems have been fixed in version 2:3.6.6-6+deb7u4.

For the testing distribution (jessie), these problems have been fixed in version 2:4.1.9+dfsg-1.

For the unstable distribution (sid), these problems have been fixed in version 2:4.1.9+dfsg-1.

We recommend that you upgrade your samba packages.

Comments are disabled