Gentoo Archives: gentoo-announce

From: Thomas Deutschmann <whissi@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 202003-52 ] Samba: Multiple vulnerabilities
Date: Wed, 25 Mar 2020 16:36:17
Message-Id: cac2ee3a-323d-5248-8203-979df9f36443@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 202003-52
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: Samba: Multiple vulnerabilities
     Date: March 25, 2020
     Bugs: #664316, #672140, #686036, #693558, #702928, #706144
       ID: 202003-52

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Samba, the worst of which
could lead to remote code execution.

Background
==========

Samba is a suite of SMB and CIFS client/server programs.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-fs/samba                < 4.11.6                  *>= 4.9.18
                                                           *>= 4.10.13
                                                           *>= 4.11.6

Description
===========

Multiple vulnerabilities have been discovered in Samba. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker could possibly execute arbitrary code, cause a Denial
of Service condition, conduct a man-in-the-middle attack, or obtain
sensitive information.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Samba 4.9.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-fs/samba-4.9.18"

All Samba 4.10.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-fs/samba-4.10.13"

All Samba 4.11.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=net-fs/samba-4.11.6"

References
==========

[  1 ] CVE-2018-10858
       https://nvd.nist.gov/vuln/detail/CVE-2018-10858
[  2 ] CVE-2018-10918
       https://nvd.nist.gov/vuln/detail/CVE-2018-10918
[  3 ] CVE-2018-10919
       https://nvd.nist.gov/vuln/detail/CVE-2018-10919
[  4 ] CVE-2018-1139
       https://nvd.nist.gov/vuln/detail/CVE-2018-1139
[  5 ] CVE-2018-1140
       https://nvd.nist.gov/vuln/detail/CVE-2018-1140
[  6 ] CVE-2018-14629
       https://nvd.nist.gov/vuln/detail/CVE-2018-14629
[  7 ] CVE-2018-16841
       https://nvd.nist.gov/vuln/detail/CVE-2018-16841
[  8 ] CVE-2018-16851
       https://nvd.nist.gov/vuln/detail/CVE-2018-16851
[  9 ] CVE-2018-16852
       https://nvd.nist.gov/vuln/detail/CVE-2018-16852
[ 10 ] CVE-2018-16853
       https://nvd.nist.gov/vuln/detail/CVE-2018-16853
[ 11 ] CVE-2018-16857
       https://nvd.nist.gov/vuln/detail/CVE-2018-16857
[ 12 ] CVE-2018-16860
       https://nvd.nist.gov/vuln/detail/CVE-2018-16860
[ 13 ] CVE-2019-10197
       https://nvd.nist.gov/vuln/detail/CVE-2019-10197
[ 14 ] CVE-2019-14861
       https://nvd.nist.gov/vuln/detail/CVE-2019-14861
[ 15 ] CVE-2019-14870
       https://nvd.nist.gov/vuln/detail/CVE-2019-14870
[ 16 ] CVE-2019-14902
       https://nvd.nist.gov/vuln/detail/CVE-2019-14902
[ 17 ] CVE-2019-14907
       https://nvd.nist.gov/vuln/detail/CVE-2019-14907
[ 18 ] CVE-2019-19344
       https://nvd.nist.gov/vuln/detail/CVE-2019-19344

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202003-52

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2020 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
