Univention Bugzilla – Bug 40222
Samba: Multiple issues (4.0)
Last modified: 2015-12-16 17:13:45 CET
+++ This bug was initially created as a clone of Bug #40221 +++

Multiple security issues have been found in Samba:

CVE-2015-7540: Bogus LDAP request cause samba to use all the memory and be ookilled
CVE-2015-3223: LDAP \00 search expression attack DoS in Samba 4.x
CVE-2015-5252: Insufficient symlink verification (file access outside the share)
CVE-2015-5299: Currently the snapshot browsing is not secure thru windows previous version (shadow_copy2)
CVE-2015-5296: No man in the middle protection when forcing smb encryption on the client side
CVE-2015-8467: Microsoft MS15-096 / CVE-2015-2535 needs matching fix in Samba
CVE-2015-5330: Remote read memory exploit in LDB
The ldb package needs to be updated to version 1.1.24 too.
ldb 2:1.1.20-3 has been rebuilt in errata4.0-4 with the following additional patches adjusted from upstream:

99_sambabug11636-ldb-part1.patch
99_sambabug11636-ldb-part2.patch

samba 2:4.2.3-1 has been rebuilt in errata4.0-4 with the following additional patches from upstream:

99_sambabug11395.patch
99_sambabug11529.patch
99_sambabug11536.patch
99_sambabug11552.patch
99_sambabug11636-part1.patch
99_sambabug11636-part2.patch

Samba bug 9187 doesn't apply to Samba 4.2.x, the changes are already in there.

Advisories: ldb.yaml and samba.yaml
OK - update/installation
OK - update to 4.1
OK - shares access, windows client join, login, s4search
OK - ucs-test samba4
OK - ldb.yaml
OK - samba.yaml
<http://errata.software-univention.de/ucs/4.0/373.html>
<http://errata.software-univention.de/ucs/4.0/374.html>
<http://errata.software-univention.de/ucs/4.0/375.html>