Univention Bugzilla – Bug 33827
samba4: Incorrect membership validation in Winbind PAM module (3.1)
Last modified: 2019-04-11 19:23:44 CEST
+++ This bug was initially created as a clone of Bug #33826 +++ CVE-2012-6150 Quoting from https://www.samba.org/samba/history/samba-4.1.3.html: Winbind allows for the further restriction of authenticated PAM logins using the require_membership_of parameter. System administrators may specify a list of SIDs or groups for which an authenticated user must be a member of. If an authenticated user does not belong to any of the entries, then login should fail. Invalid group name entries are ignored. Samba versions 3.3.10, 3.4.3, 3.5.0 and later incorrectly allow login from authenticated users if the require_membership_of parameter specifies only invalid group names. This is a vulnerability with low impact. All require_membership_of group names must be invalid for this bug to be encountered.
The maintenance with bug and security fixes for UCS 3.1-x has ended on 31st of May 2014. The maintenance of the UCS 3.x major series is continued by UCS 3.2-x that is supplied with bug and security fixes. Customers still on UCS 3.1-x are encouraged to update to UCS 3.2. Please contact your partner or Univention for any questions.