[Bug 932239] Re: Multiple Samba security vulnerabilities

Steve Beattie sbeattie at ubuntu.com
Fri Feb 17 22:45:09 UTC 2012


Note that Ubuntu, like many Linux distributions, backports security
fixes rather than upgrading to new versions of software to attempt to
prevent the introduction of regressions and changes in behavior in
released versions of software.

CVE-2010-3069 was addressed in http://www.ubuntu.com/usn/usn-987-1
CVE-2011-2522 and CVE-2011-2694 were addressed in http://www.ubuntu.com/usn/usn-1182-1
CVE-2011-0719 was addressed in http://www.ubuntu.com/usn/usn-1075-1
CVE-2010-1635 and CVE-2010-1642 can only kill the current connection of the attacker; the vulnerabilities do not affect the service as a whole, and as such have negligible security impact. They've also been addressed in maverick and subsequent releases.

What is Manzanita?

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1635

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1642

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3069

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-0719

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-2522

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-2694

** Changed in: samba (Ubuntu)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/932239

Title:
  Multiple Samba security vulnerabilities

Status in “samba” package in Ubuntu:
  Invalid

Bug description:
  Please upgrade Samba to 3.4.14 or later in Manzanita

  High...
  CVE-2010-3069 Samba 3.0.x to 3.5.x are affected by a buffer overrun vulnerability

  Medium...
  CVE-2011-2522
  CVE-2011-2694
  CVE-2011-0719 Samba 3.x before 3.3.15, 3.4.x before 3.4.12, and 3.5.x before 3.5.7 does not perform range checks for file descriptors before use of the FD_SET macro
  CVE-2010-1635 
  CVE-2010-1642 sending specially crafted 'Session Setup AndX' requests, an
  unauthenticated, remote attacker can exploit these vulnerabilities
