Main Vulnerability Database SB2013111902

SB2013111902 - Slackware Linux update for samba

Published: November 19, 2013 Updated: May 6, 2017

Security Bulletin ID SB2013111902

Severity

Medium

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2013-4475)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Samba 3.2.x through 3.6.x before 3.6.20, 4.0.x before 4.0.11, and 4.1.x before 4.1.1, when vfs_streams_depot or vfs_streams_xattr is enabled, allows remote attackers to bypass intended file restrictions by leveraging ACL differences between a file and an associated alternate data stream (ADS).

2) Cryptographic issues (CVE-ID: CVE-2013-4476)

The vulnerability allows a local non-authenticated attacker to gain access to sensitive information.

Samba 4.0.x before 4.0.11 and 4.1.x before 4.1.1, when LDAP or HTTP is provided over SSL, uses world-readable permissions for a private key, which allows local users to obtain sensitive information by reading the key file, as demonstrated by access to the local filesystem on an AD domain controller.

Remediation

Install update from vendor's website.

References

http://www.slackware.com/security/viewer.php?l=slackware-security&y=2013&m=slackware-security.420125