Karolin Seeger
2013-Jan-30 09:18 UTC
[Announce] Samba 4.0.2, 3.6.12 and 3.5.21 Security Releases Available for Download
Release Announcements
---------------------

Samba 4.0.2, 3.6.12 and 3.5.21 have been issued as security releases in order to address CVE-2013-0213 (Clickjacking issue in SWAT) and CVE-2013-0214 (Potential XSRF in SWAT).

o CVE-2013-0213: All current released versions of Samba are vulnerable to clickjacking in the Samba Web Administration Tool (SWAT). When the SWAT pages are integrated into a malicious web page via a frame or iframe and then overlaid by other content, an attacker could trick an administrator into unintentionally changing Samba settings. In order to be vulnerable, SWAT must have been installed and enabled either as a standalone server launched from inetd or xinetd, or as a CGI plugin to Apache. If SWAT has not been installed or enabled (which is the default install state for Samba), this advisory can be ignored.

o CVE-2013-0214: All current released versions of Samba are vulnerable to a cross-site request forgery in the Samba Web Administration Tool (SWAT). By guessing a user's password and then tricking a user who is authenticated with SWAT into clicking a manipulated URL on a different web page, it is possible to manipulate SWAT. In order to be vulnerable, the attacker needs to know the victim's password. Additionally, SWAT must have been installed and enabled either as a standalone server launched from inetd or xinetd, or as a CGI plugin to Apache. If SWAT has not been installed or enabled (which is the default install state for Samba), this advisory can be ignored.

Changes:
=======

o Kai Blin <kai at samba.org>
  * BUG 9576: CVE-2013-0213: Fix clickjacking issue in SWAT.
  * BUG 9577: CVE-2013-0214: Fix potential XSRF in SWAT.

#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems, then please try to send high quality feedback. If you don't provide vital information to help us track down the problem, then you will probably be ignored.

All bug reports should be filed under the Samba 4.0 product in the project's Bugzilla database (https://bugzilla.samba.org/).

=======================================================================
Our Code, Our Bugs, Our Responsibility.
== The Samba Team
=======================================================================

Download Details
================

The uncompressed tarballs and patch files have been signed using GnuPG (ID 6568B7EA). The source code can be downloaded from:

http://download.samba.org/samba/ftp/stable/

The release notes are available online at:

http://www.samba.org/samba/history/samba-4.0.2.html
http://www.samba.org/samba/history/samba-3.6.12.html
http://www.samba.org/samba/history/samba-3.5.21.html

Binary packages will be made available on a volunteer basis from

http://download.samba.org/samba/ftp/Binary_Packages/

--Enjoy
The Samba Team
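The two advisories above hinge on two properties of a web admin interface: whether a third-party page can embed it in a frame (the precondition for CVE-2013-0213), and whether a state-changing request can be triggered by a URL an attacker prepared in advance (the precondition for CVE-2013-0214). The following Python is an added illustration of the corresponding checks, written for this page; it is not SWAT's code or the Samba fix. The header names follow the standard X-Frame-Options and Content-Security-Policy mechanisms; the HMAC-based token scheme, the form field name `csrf_token` and the sample responses are constructed assumptions.

```python
import hmac
import hashlib
from typing import Mapping

# Constructed example (not SWAT's implementation): a header check for
# framing protection and a per-session token check for request forgery.


def frame_protection(headers: Mapping[str, str]) -> str:
    """Classify a response's anti-framing posture from its HTTP headers.

    Returns "denied" when no page may frame it, "restricted" when only
    same-origin or listed origins may, and "unprotected" when an arbitrary
    third-party page could embed it in an iframe, the clickjacking precondition.
    CSP frame-ancestors takes precedence over X-Frame-Options, as browsers do.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            sources = value.split()
            return "denied" if sources == ["'none'"] else "restricted"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "denied"
    if xfo == "SAMEORIGIN" or xfo.startswith("ALLOW-FROM"):
        return "restricted"
    return "unprotected"


def issue_csrf_token(secret: bytes, session_id: str) -> str:
    """Derive a token bound to the session; without the server secret an
    attacker cannot precompute it, so a link on another site cannot carry it."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def request_is_legitimate(secret: bytes, session_id: str,
                          method: str, form: Mapping[str, str]) -> bool:
    """Accept a state-changing request only via POST with a valid token.

    Rejecting GET matters on its own: a settings change reachable by plain
    URL is exactly what a manipulated link on a different page can trigger.
    """
    if method.upper() != "POST":
        return False
    supplied = form.get("csrf_token", "")
    expected = issue_csrf_token(secret, session_id)
    # Constant-time comparison so timing does not leak the expected token.
    return hmac.compare_digest(supplied, expected)


if __name__ == "__main__":
    # Constructed sample responses, as an admin tool might emit them.
    samples = {
        "no framing header": {"Content-Type": "text/html"},
        "X-Frame-Options DENY": {"X-Frame-Options": "DENY"},
        "CSP frame-ancestors": {"Content-Security-Policy":
                                "default-src 'self'; frame-ancestors 'none'"},
    }
    for label, hdrs in samples.items():
        print(f"{label:22s} -> {frame_protection(hdrs)}")

    secret = b"constructed-server-secret"
    token = issue_csrf_token(secret, "session-42")
    print("valid POST with token :", request_is_legitimate(
        secret, "session-42", "POST", {"csrf_token": token}))
    print("GET with token        :", request_is_legitimate(
        secret, "session-42", "GET", {"csrf_token": token}))
    print("token from other sess :", request_is_legitimate(
        secret, "session-7", "POST", {"csrf_token": token}))
```

The password requirement in CVE-2013-0214 is why a forged request is dangerous only when the victim is already authenticated: the browser attaches the credentials automatically, so the server must additionally demand something the attacker cannot obtain, which is the role of the per-session token above.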