ESB-2017.1757 - [Debian] samba: Multiple vulnerabilities 2017-07-17


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1757
                           samba security update
                               17 July 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           samba
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Debian GNU/Linux 9
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-11103

Reference:         ESB-2017.1741
                   ESB-2017.1756

Original Bulletin: 
   http://www.debian.org/security/2017/dsa-3909

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3909-1                   security@debian.org
https://www.debian.org/security/                        Yves-Alexis Perez
July 14, 2017                         https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : samba
CVE ID         : CVE-2017-11103
Debian Bug     : 868209

Jeffrey Altman, Viktor Duchovni and Nico Williams identified a mutual
authentication bypass vulnerability in samba, the SMB/CIFS file, print, and
login server. Also known as Orpheus' Lyre, this vulnerability is located in
the Samba Kerberos Key Distribution Center (KDC-REP) component and could be
used by an attacker on the network path to impersonate a server.

More details can be found on the vulnerability website
(https://orpheus-lyre.info/) and on the Samba project website
(https://www.samba.org/samba/security/CVE-2017-11103.html).

For the oldstable distribution (jessie), this problem has been fixed
in version 2:4.2.14+dfsg-0+deb8u7.

For the stable distribution (stretch), this problem has been fixed in
version 2:4.5.8+dfsg-2+deb9u1.

For the testing distribution (buster), this problem has been fixed
in version 2:4.6.5+dfsg-4.

For the unstable distribution (sid), this problem has been fixed in
version 2:4.6.5+dfsg-4.

We recommend that you upgrade your samba packages.
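To verify that a host already carries one of the fixed versions listed above, the following added example (not part of the Debian or AusCERT text) reimplements dpkg's version-ordering rules in Python and compares an installed samba version string against the per-distribution fixed versions from this DSA. The codename-to-version table is taken from the advisory; the installed version strings a caller passes in are assumed to come from `dpkg-query -W -f='${Version}' samba` on the host being checked.

```python
# Added example, not part of the DSA: a port of dpkg's version ordering used to
# test an installed samba version (dpkg-query -W -f='${Version}' samba) against
# the fixed versions named in DSA-3909-1.
FIXED_VERSIONS = {  # per distribution, as listed in the advisory
    "jessie": "2:4.2.14+dfsg-0+deb8u7",
    "stretch": "2:4.5.8+dfsg-2+deb9u1",
    "buster": "2:4.6.5+dfsg-4",
    "sid": "2:4.6.5+dfsg-4",
}
DIGITS = "0123456789"

def _order(c: str) -> int:
    # dpkg weight: digit 0, letter by code point, '~' below even end-of-string
    # (weight 0), any other punctuation above all letters.
    if c in DIGITS or not c:
        return 0
    return ord(c) if c.isalpha() else -1 if c == "~" else ord(c) + 256

def _verrevcmp(a: str, b: str) -> int:
    # dpkg's component compare: alternate non-digit runs (weighted by _order)
    # and digit runs (numerically, so leading zeros are ignored).
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        na, nb = "", ""
        while i < len(a) and a[i] in DIGITS:
            na, i = na + a[i], i + 1
        while j < len(b) and b[j] in DIGITS:
            nb, j = nb + b[j], j + 1
        if int(na or "0") != int(nb or "0"):
            return int(na or "0") - int(nb or "0")
    return 0

def compare_versions(a: str, b: str) -> int:
    # <0, 0, >0: the order dpkg --compare-versions uses for lt / eq / gt.
    def split(v):  # epoch:upstream-revision; epoch defaults to 0, revision to ""
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (ea, ua, ra), (eb, ub, rb) = split(a), split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def is_fixed(codename: str, installed: str) -> bool:
    # True when the installed samba is at or above the DSA's fixed version.
    return compare_versions(installed, FIXED_VERSIONS[codename]) >= 0
```

A stretch host still on 2:4.5.8+dfsg-2 is reported as unfixed, while a backport such as 2:4.6.5+dfsg-4~bpo9+1 sorts below 2:4.6.5+dfsg-4 because of dpkg's tilde rule.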

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
