Ticket #34455 (closed defect: fixed)
samba3 @3.2.15_2 request to add CVE-2012-1182 patch
| Reported by: | nonstop.server@… | Owned by: | mww@… |
|---|---|---|---|
| Priority: | High | Milestone: | |
| Component: | ports | Version: | |
| Keywords: | | Cc: | |
| Port: | samba3 | | |
Description
Samba 3.0.x to 3.6.3 are affected by a vulnerability that allows remote code execution as the "root" user.
A patch has been released for all Samba versions due to the seriousness of this vulnerability.
More information concerning this security issue and the released patch can be found here:
- Announcement for CVE-2012-1182
- CVE-ID: CVE-2012-1182
- Download patch for version 3.2.15
Change History
comment:1 Changed 13 months ago by jmr@…
- Owner changed from macports-tickets@… to mww@…
- Cc mww@… removed
- Version 2.0.4 deleted
- Type changed from enhancement to defect
- Priority changed from Normal to High
comment:2 (follow-up: comment:3) Changed 11 months ago by ryandesign@…
The samba3 port is at version 3.6.6. Is that version still affected?
comment:3 (in reply to comment:2) Changed 11 months ago by nonstop.server@…
Replying to ryandesign@…:
No, there are no outstanding security updates against Samba version 3.6.6.
CVE-2012-1182 has been solved since security release 3.6.4 of Samba.
=============================
Release Notes for Samba 3.6.4
April 10, 2012
=============================
This is a security release in order to address
CVE-2012-1182 ("root" credential remote code execution).
o CVE-2012-1182:
Samba 3.0.x to 3.6.3 are affected by a
vulnerability that allows remote code
execution as the "root" user.
Changes since 3.6.3:
--------------------
o Stefan Metzmacher <metze@samba.org>
*BUG 8815: PIDL based autogenerated code allows overwriting beyond of
allocated array (CVE-2012-1182).
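A version check against the affected range cited in this ticket (3.0.x through 3.6.3, fixed in 3.6.4), as an added example that is not code from the ticket, from MacPorts or from Samba; it assumes `smbd --version` prints a line of the form "Version X.Y.Z" and treats MacPorts revision suffixes such as the `_2` in 3.2.15_2 as not changing the upstream code.

```python
# Added example (not from the MacPorts ticket or from Samba): decide whether a
# Samba version string falls inside the range the Samba advisory quoted above
# gives as affected by CVE-2012-1182: 3.0.x through 3.6.3, fixed in 3.6.4.
# Accepts plain "3.6.3", MacPorts "version_revision" strings such as "3.2.15_2"
# (the port this ticket is about) and "smbd --version" style output such as
# "Version 3.6.6" (that output shape is an assumption).
import re
from typing import Optional, Tuple

FIRST_AFFECTED = (3, 0, 0)  # "Samba 3.0.x" per the advisory text above
FIRST_FIXED = (3, 6, 4)     # 3.6.4 is the security release for CVE-2012-1182

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return the first X.Y.Z triple found in text, or None if there is none.
    A MacPorts revision suffix ("_2") and any trailing vendor tag are ignored:
    they do not change the upstream Samba code the advisory describes."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_affected(text: str) -> Optional[bool]:
    """True if the version lies in [3.0.0, 3.6.4), False if it lies outside
    that range, None if no version could be parsed. Callers should treat None
    as "unknown", never as "safe". A True result means the upstream version
    is in the affected range; a port may still carry a backported fix as a
    patch file, so confirm against the port's own patches before acting."""
    v = parse_version(text)
    if v is None:
        return None
    return FIRST_AFFECTED <= v < FIRST_FIXED


if __name__ == "__main__":
    # Constructed sample inputs, including the versions named in this ticket.
    for s in ["3.2.15_2", "3.6.3", "3.6.4", "Version 3.6.6", "2.2.12", "samba3"]:
        print(f"{s!r:>16}: {is_affected(s)}")
```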