Univention Bugzilla – Bug 54369
samba: Multiple issues (5.0)
Last modified: 2022-03-21 12:05:25 CET
Security update scheduled for January 31st 2022.

* https://bugzilla.samba.org/show_bug.cgi?id=14911
  UNIX extensions in SMB1 disclose whether the outside target of a symlink exists (CVE-2021-44141)
  CVSS:AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C/CR:L/IR:L/AR:L/MAV:N/MAC:L/MPR:L/MUI:N/MS:U/MC:H/MI:N/MA:N
  Base score 4.2.
* https://bugzilla.samba.org/show_bug.cgi?id=14950
  Re-adding an SPN skips subsequent SPN conflict checks (CVE-2022-0336)
  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  Base score 8.8.
* https://bugzilla.samba.org/show_bug.cgi?id=14914
  Out-of-Bound Read/Write on Samba vfs_fruit module (CVE-2021-44142)
  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C
  Base score 9.9.
  -> The module is not enabled by default on UCS
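The three vectors quoted in the comment above can be recomputed from the CVSS v3.1 formulas. The calculator below is an added example, not Samba or Univention code: it returns base, temporal and environmental scores, and its parser also accepts the first vector, which is missing its "3.1" version tag. Run over that vector it yields a base score of 6.5 and an environmental score of 4.2, so the 4.2 quoted there is the environmental figure; the 8.8 and 9.9 of the other two are their base scores.

```python
import math
import re

# Metric weights from the CVSS v3.1 specification, section 7.4.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27}, "C": {"N": 0.85, "L": 0.68, "H": 0.5}}  # keyed by Scope
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
TEMPORAL = {"E": {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91},
            "RL": {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95},
            "RC": {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}}
REQ = {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5}  # CR / IR / AR requirement weights

def roundup(x):
    """Round up to one decimal exactly as CVSS v3.1 appendix A prescribes (avoids float artefacts)."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def parse(vector):
    """Split a vector into {metric: value}; tolerates a missing version tag ("CVSS:AV:N/...")."""
    return dict(p.split(":") for p in re.sub(r"^CVSS:(3\.[01]/)?", "", vector).split("/"))

def _subscore(av, ac, pr, ui, scope, iss, modified):
    """Round-up(impact + exploitability): base when modified=False, environmental when True."""
    expl = 8.22 * AV[av] * AC[ac] * PR[scope][pr] * UI[ui]
    if scope == "U":
        impact = 6.42 * iss
    elif modified:  # v3.1 uses a different Scope:Changed curve for the modified impact
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    if impact <= 0:
        return 0.0
    return roundup(min(1.08 * (impact + expl) if scope == "C" else impact + expl, 10))

def cvss31(vector):
    """Return base, temporal and environmental scores for a CVSS v3.1 vector string."""
    m = parse(vector)
    get = lambda k: m.get(k, "X")
    mod = lambda k: m[k] if get("M" + k) == "X" else m["M" + k]  # modified metric falls back to base
    iss = 1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]])
    base = _subscore(m["AV"], m["AC"], m["PR"], m["UI"], m["S"], iss, False)
    tfactor = math.prod(TEMPORAL[k][get(k)] for k in TEMPORAL)
    miss = min(1 - (1 - REQ[get("CR")] * CIA[mod("C")]) * (1 - REQ[get("IR")] * CIA[mod("I")])
               * (1 - REQ[get("AR")] * CIA[mod("A")]), 0.915)
    env = _subscore(mod("AV"), mod("AC"), mod("PR"), mod("UI"), mod("S"), miss, True)
    return {"base": base, "temporal": roundup(base * tfactor), "environmental": roundup(env * tfactor)}
```

Call `cvss31()` with any of the vector strings from the comment; metrics that are absent default to "X" (not defined), as the specification requires.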
CVE-2021-44141 patch differs too much, is too invasive and cannot be backported to samba 4.13. This is the same issue we had with the previous fix at bug 54015. Upstream bug mentions that other vendors have the same issue and will not backport this fix.

Patches for the other issues added in svn r19508:
98_CVE-2021-44142-v4.13-bug-14914.quilt
98_CVE-2022-0336-v4.13-bug-14950.quilt

samba 2:4.13.13-1A~5.0.0.202201242233
Created attachment 10907: advisory
Patches applied: OK
Advisory: OK
Automatic Tests: OK
Verified
<https://errata.software-univention.de/#/?erratum=5.0x200>