-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2015:083
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : samba4
Date    : March 28, 2015
Affected: Business Server 2.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities have been discovered and corrected in samba4:

Samba 4.0.x before 4.0.24, 4.1.x before 4.1.16, and 4.2.x before 4.2rc4,
when an Active Directory Domain Controller (AD DC) is configured, allows
remote authenticated users to set the LDB userAccountControl
UF_SERVER_TRUST_ACCOUNT bit, and consequently gain privileges, by
leveraging delegation of authority for user-account or computer-account
creation (CVE-2014-8143).

An uninitialized pointer use flaw was found in the Samba daemon (smbd).
A malicious Samba client could send specially crafted netlogon packets
that, when processed by smbd, could potentially lead to arbitrary code
execution with the privileges of the user running smbd (by default, the
root user) (CVE-2015-0240).

The updated packages provide a solution for these security issues.
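The check an AD administrator will want after CVE-2014-8143 is whether any account outside the Domain Controllers OU already carries the UF_SERVER_TRUST_ACCOUNT bit, since the bit marks an object as a domain controller and the fix only stops new abuse. The Python below is an added example written for this advisory, not Mandriva's or Samba's code; the flag values are the standard userAccountControl bits (UF_SERVER_TRUST_ACCOUNT is 0x2000) and the LDIF records are constructed sample data, not output from a real domain.

```python
"""Audit userAccountControl for UF_SERVER_TRUST_ACCOUNT outside the DC OU.

Added example for this advisory, not Mandriva's or Samba's code. The flag
values are the standard AD / Samba LDB userAccountControl bits; the LDIF
text below is constructed sample data, not output from a real domain.
"""

# Standard userAccountControl bits (subset), in ascending order.
UAC_FLAGS = [
    (0x0002, "UF_ACCOUNTDISABLE"),
    (0x0200, "UF_NORMAL_ACCOUNT"),
    (0x1000, "UF_WORKSTATION_TRUST_ACCOUNT"),
    (0x2000, "UF_SERVER_TRUST_ACCOUNT"),    # the bit abused in CVE-2014-8143
    (0x80000, "UF_TRUSTED_FOR_DELEGATION"),
]
UF_SERVER_TRUST_ACCOUNT = 0x2000

# Constructed sample: a real DC (0x82000 = SERVER_TRUST | TRUSTED_FOR_DELEGATION),
# a workstation, a user, and a computer account whose UAC claims DC status.
SAMPLE_LDIF = """\
dn: CN=DC1,OU=Domain Controllers,DC=example,DC=com
sAMAccountName: DC1$
userAccountControl: 532480

dn: CN=WS01,CN=Computers,DC=example,DC=com
sAMAccountName: WS01$
userAccountControl: 4096

dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
userAccountControl: 512

dn: CN=ROGUE,CN=Computers,DC=example,DC=com
sAMAccountName: ROGUE$
userAccountControl: 8192
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated records of 'attr: value'.
    Enough for ldbsearch/ldapsearch output with single-valued attributes;
    it does not handle base64 ('::') values or continuation lines."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(": ")
        if sep:
            current[attr] = value
    if current:
        entries.append(current)
    return entries


def decode_uac(value):
    """Name the known bits set in a userAccountControl integer."""
    return [name for bit, name in UAC_FLAGS if value & bit]


def find_rogue_server_trust(entries, dc_container="OU=Domain Controllers,"):
    """Return sAMAccountNames that carry UF_SERVER_TRUST_ACCOUNT but do not
    live under the Domain Controllers OU (naive substring test on the DN).
    Under CVE-2014-8143 a delegated account creator could set this bit on an
    ordinary account, so any hit deserves investigation even after updating."""
    rogue = []
    for entry in entries:
        uac = int(entry.get("userAccountControl", "0"))
        if uac & UF_SERVER_TRUST_ACCOUNT and dc_container not in entry["dn"]:
            rogue.append(entry["sAMAccountName"])
    return rogue


if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        uac = int(entry["userAccountControl"])
        print(f"{entry['sAMAccountName']:8} {uac:#08x} {decode_uac(uac)}")
    print("suspicious:", find_rogue_server_trust(parse_ldif(SAMPLE_LDIF)))
```

On a live Samba AD DC the same records can be pulled with ldbsearch against the domain's sam.ldb (its path varies by distribution) using the bitwise-AND matching rule, for example the filter `(userAccountControl:1.2.840.113556.1.4.803:=8192)`, and fed to `parse_ldif` unchanged.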
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8143
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0240
https://www.samba.org/samba/history/samba-4.1.15.html
https://www.samba.org/samba/history/samba-4.1.16.html
https://www.samba.org/samba/history/samba-4.1.17.html
https://www.samba.org/samba/security/CVE-2014-8143
https://www.samba.org/samba/security/CVE-2015-0240
_______________________________________________________________________

Updated Packages:

Mandriva Business Server 2/X86_64:
7a21c3baa011c68360bcaa5a086d0122  mbs2/x86_64/lib64samba41-4.1.17-1.mbs2.x86_64.rpm
e67ad9bd1020e4de0afa2b91c29fc99d  mbs2/x86_64/lib64samba4-dc0-4.1.17-1.mbs2.x86_64.rpm
46ed288d10dd123272dd812ae56ec6ee  mbs2/x86_64/lib64samba4-devel-4.1.17-1.mbs2.x86_64.rpm
1a4f3437669ca98899dfcdf2e8881870  mbs2/x86_64/lib64samba4-smbclient0-4.1.17-1.mbs2.x86_64.rpm
cea478050042fea1d543c6988dc9e5d3  mbs2/x86_64/lib64samba4-smbclient-devel-4.1.17-1.mbs2.x86_64.rpm
078bdb566527115b87ae84051af53f83  mbs2/x86_64/lib64samba4-test0-4.1.17-1.mbs2.x86_64.rpm
f907110b336f2151532d332a96704444  mbs2/x86_64/lib64samba4-test-devel-4.1.17-1.mbs2.x86_64.rpm
9f02113c351530d89f660c57ad738e0d  mbs2/x86_64/lib64samba4-wbclient0-4.1.17-1.mbs2.x86_64.rpm
a4ee31b7ca1c9c10840b5128780c10ae  mbs2/x86_64/lib64samba4-wbclient-devel-4.1.17-1.mbs2.x86_64.rpm
361e64104d96f176acb1ea2b7a7dcab3  mbs2/x86_64/python-samba4-4.1.17-1.mbs2.x86_64.rpm
728fe28155e9ea617eb7b3e8c1f81560  mbs2/x86_64/samba4-4.1.17-1.mbs2.x86_64.rpm
f95961c85294f2eb4e67412c333a8600  mbs2/x86_64/samba4-client-4.1.17-1.mbs2.x86_64.rpm
20260736d550aed06b930a80378f1ade  mbs2/x86_64/samba4-common-4.1.17-1.mbs2.x86_64.rpm
ba87fe4573774f2b6d39eb244906b8e2  mbs2/x86_64/samba4-dc-4.1.17-1.mbs2.x86_64.rpm
77d4df40799cb8b265bf04e948cb4c09  mbs2/x86_64/samba4-pidl-4.1.17-1.mbs2.noarch.rpm
0473c05efdc448e87195f0162e106ad9  mbs2/x86_64/samba4-test-4.1.17-1.mbs2.x86_64.rpm
0c947489754bd227bb70f4d13e42ac1c  mbs2/x86_64/samba4-vfs-glusterfs-4.1.17-1.mbs2.x86_64.rpm
3a6a91b25a097b2aee84dbd05b628fbf  mbs2/x86_64/samba4-winbind-4.1.17-1.mbs2.x86_64.rpm
302dd7340f910fac0a6d185ebac1c708  mbs2/x86_64/samba4-winbind-clients-4.1.17-1.mbs2.x86_64.rpm
3954449c55b63201fb6c82e123f42420  mbs2/x86_64/samba4-winbind-krb5-locator-4.1.17-1.mbs2.x86_64.rpm
e30ce619fe04c7005bade1fb2051cdf2  mbs2/x86_64/samba4-winbind-modules-4.1.17-1.mbs2.x86_64.rpm
b7a4a89d736ebde71080926777ebf1bd  mbs2/SRPMS/samba4-4.1.17-1.mbs2.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

 gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFVFlh+mqjQ0CJFipgRAkoZAKCwlrjIFlckh4Ufxi8VtlnPSDRFnACfYdAB
JPQ7KCtyJGZ0kJGXZggwq7U=
=OGlL
-----END PGP SIGNATURE-----
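The "Updated Packages" listing above is in md5sum output form, so RPMs fetched by hand rather than through urpmi can be checked against it before installation. The Python below is an added example, not Mandriva's tooling; the listing and the files it verifies are constructed in a temporary directory so it runs offline, and the sample package names are invented. MD5 only catches a corrupted or substituted download; because MD5 collisions are practical, the package's GPG signature (checked by urpmi, or by hand with `rpm -K`) is what actually proves Mandriva published it.

```python
"""Verify downloaded RPMs against an advisory's md5 listing.

Added example, not Mandriva's tooling. The listing and files are constructed
in a temporary directory so the demo runs offline; point verify_packages() at
a real mirror directory and the advisory text to use it for real.
"""
import hashlib
import os
import tempfile


def parse_checksum_listing(text):
    """Pick out '<32-hex-md5> <relative path>' lines; everything else in the
    advisory (headers, separator lines, prose) is ignored."""
    wanted = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or len(parts[0]) != 32:
            continue
        digest, path = parts
        try:
            int(digest, 16)
        except ValueError:
            continue
        wanted[path] = digest.lower()
    return wanted


def md5_of_file(path, chunk_size=1 << 16):
    """Streaming MD5 so large RPMs are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify_packages(listing_text, root):
    """Map each listed path to 'ok', 'mismatch' or 'missing'. A mismatch is a
    corrupted or substituted download; do not install it."""
    status = {}
    for rel_path, expected in parse_checksum_listing(listing_text).items():
        full = os.path.join(root, rel_path)
        if not os.path.isfile(full):
            status[rel_path] = "missing"
        elif md5_of_file(full) != expected:
            status[rel_path] = "mismatch"
        else:
            status[rel_path] = "ok"
    return status


def demo():
    """Constructed scenario: one intact package, one altered after download,
    one never downloaded. File names and contents are invented."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "mbs2", "x86_64"))
    good_bytes = b"constructed rpm payload, intact\n"
    with open(os.path.join(root, "mbs2/x86_64/samba4-good.rpm"), "wb") as f:
        f.write(good_bytes)
    with open(os.path.join(root, "mbs2/x86_64/samba4-bad.rpm"), "wb") as f:
        f.write(b"constructed rpm payload, altered after download\n")
    listing = "\n".join([
        " Updated Packages:",
        " Mandriva Business Server 2/X86_64:",
        hashlib.md5(good_bytes).hexdigest() + "  mbs2/x86_64/samba4-good.rpm",
        hashlib.md5(good_bytes).hexdigest() + "  mbs2/x86_64/samba4-bad.rpm",
        "0123456789abcdef0123456789abcdef  mbs2/x86_64/samba4-absent.rpm",
    ])
    return verify_packages(listing, root)


if __name__ == "__main__":
    for path, result in demo().items():
        print(f"{result:8} {path}")
```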