Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.4015 USN-4167-2: Samba vulnerabilities 30 October 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Samba Publisher: Ubuntu Operating System: Ubuntu Windows UNIX variants (UNIX, Linux, OSX) Impact/Access: Denial of Service -- Existing Account Provide Misleading Information -- Remote with User Interaction Access Confidential Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2019-14847 CVE-2019-14833 CVE-2019-10218 Original Bulletin: https://usn.ubuntu.com/4167-2/ https://usn.ubuntu.com/4167-1/ Comment: This bulletin contains two (2) Ubuntu security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- USN-4167-2: Samba vulnerabilities 29 October 2019 samba vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: o Ubuntu 14.04 ESM o Ubuntu 12.04 ESM Summary Several security issues were fixed in Samba. Software Description o samba - SMB/CIFS file, print, and login server for Unix Details USN-4167-1 fixed several vulnerabilities in Samba. This update provides the corresponding update for Ubuntu 12.04 ESM and Ubuntu 14.04 ESM. Original advisory details: Michael Hanselmann discovered that the Samba client code incorrectly handled path separators. If a user were tricked into connecting to a malicious server, a remote attacker could use this issue to cause the client to access local pathnames instead of network pathnames. (CVE-2019-10218) Adam Xu discovered that Samba incorrectly handled the dirsync LDAP control. A remote attacker with "get changes" permissions could possibly use this issue to cause Samba to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 ESM. (CVE-2019-14847) Update instructions The problem can be corrected by updating your system to the following package versions: Ubuntu 14.04 ESM libsmbclient - 2:4.3.11+dfsg-0ubuntu0.14.04.20+esm3 samba - 2:4.3.11+dfsg-0ubuntu0.14.04.20+esm3 Ubuntu 12.04 ESM libsmbclient - 2:3.6.25-0ubuntu0.12.04.19 samba - 2:3.6.25-0ubuntu0.12.04.19 To update your system, please follow these instructions: https:// wiki.ubuntu.com/Security/Upgrades . In general, a standard system update will make all the necessary changes. References o USN-4167-1 o CVE-2019-10218 o CVE-2019-14847 - --- USN-4167-1: Samba vulnerabilities 29 October 2019 samba vulnerabilities A security issue affects these releases of Ubuntu and its derivatives: o Ubuntu 19.10 o Ubuntu 19.04 o Ubuntu 18.04 LTS o Ubuntu 16.04 LTS Summary Several security issues were fixed in Samba. Software Description o samba - SMB/CIFS file, print, and login server for Unix Details Michael Hanselmann discovered that the Samba client code incorrectly handled path separators. If a user were tricked into connecting to a malicious server, a remote attacker could use this issue to cause the client to access local pathnames instead of network pathnames. (CVE-2019-10218) Simon Fonteneau and BjArn Baumbach discovered that Samba incorrectly handled the check password script. This issue could possibly bypass custom password complexity checks, contrary to expectations. This issue only affected Ubuntu 18.04 LTS, Ubuntu 19.04, and Ubuntu 19.10. (CVE-2019-14833) Adam Xu discovered that Samba incorrectly handled the dirsync LDAP control. A remote attacker with "get changes" permissions could possibly use this issue to cause Samba to crash, resulting in a denial of service. (CVE-2019-14847) Update instructions The problem can be corrected by updating your system to the following package versions: Ubuntu 19.10 libsmbclient - 2:4.10.7+dfsg-0ubuntu2.2 samba - 2:4.10.7+dfsg-0ubuntu2.2 Ubuntu 19.04 libsmbclient - 2:4.10.0+dfsg-0ubuntu2.6 samba - 2:4.10.0+dfsg-0ubuntu2.6 Ubuntu 18.04 LTS libsmbclient - 2:4.7.6+dfsg~ubuntu-0ubuntu2.13 samba - 2:4.7.6+dfsg~ubuntu-0ubuntu2.13 Ubuntu 16.04 LTS libsmbclient - 2:4.3.11+dfsg-0ubuntu0.16.04.23 samba - 2:4.3.11+dfsg-0ubuntu0.16.04.23 To update your system, please follow these instructions: https:// wiki.ubuntu.com/Security/Upgrades . In general, a standard system update will make all the necessary changes. References o CVE-2019-10218 o CVE-2019-14833 o CVE-2019-14847 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXbkHi2aOgq3Tt24GAQiSVhAAzwTpugRsYL2cjbN8RAC4FQ2ossF+TBjY JDmEkJcqOusVbPqakj9GKQvnzP2izjDplyNgGpymF4mbISHiTMzutgHprAE/3mba Wo7qw0WcGsmaI0YlEFDlIzrUXLa5DxRcs7oeOvAW0ELs/ewPPQFbsWsbYlglK+4p gA8tJ4A7F01adE0CjCNr8ksriMqJST0CfxF/8qloKi6C8UZHe7gwVEqs1ZHawHXB TU0sheL+jw5dhFaRfWk+7u8mYmQM9mH3MSODNNZC/QbAUg+sT6MwNSJPf54I4RGu 73SMMvUvVfL+HcvUpXsfyP0rUkh4PpPa0c6gTo3GEpfZKKxcq7D9fyH+ozKkkIU2 IDyWuTkRdBcWCQzFek1avrabaWDmyD+YZUk0w+XFXvT4uVHLFQrp1UqY9X2j/GMz //0eeaDm7gKLfSZ4FNAeQKepnNGe/VxRqAIcBufA2gJNjEwmlbropkE5gg45Gla5 mlq98tmDk7L30/+UfHyPhB3Im/1EF22OCm6VWsxIQMGzeIC8IEPUzKyawWuR68KD /ktRXuq04nea4iIjIjGWKlLjjxyFyVpmvtzcB07c9rf6P7KBqfp2I3zUgEc6I+qf NF4wfsRHV09h+FqvxwsmwnKkKLcdwCO/du8FPg99pI70wKp5o+du7iVbQfL6Ly09 OdmUCNhh9A4= =qUbE -----END PGP SIGNATURE-----