Opened 13 years ago

Closed 12 years ago

#34455 closed defect (fixed)

samba3 @3.2.15_2 request to add CVE-2012-1182 patch

Reported by: nonstop.server@… Owned by: mww@…
Priority: High Milestone:
Component: ports Version:
Keywords: Cc:
Port: samba3

Description

Samba 3.0.x to 3.6.3 are affected by a vulnerability that allows remote code execution as the "root" user.
A patch has been released for all Samba versions due to the seriousness of this vulnerability.
More information concerning this security issue and the released patch can be found here:

Change History (4)

comment:1 Changed 12 years ago by jmroot (Joshua Root)

Cc: mww@… removed
Owner: changed from macports-tickets@… to mww@…
Priority: NormalHigh
Type: enhancementdefect
Version: 2.0.4

comment:2 Changed 12 years ago by ryandesign (Ryan Carsten Schmidt)

The samba3 port is at version 3.6.6. Is that version still affected?

comment:3 in reply to:  2 Changed 12 years ago by nonstop.server@…

Replying to ryandesign@…:

No, there are no outstanding security updates against Samba version 3.6.6.
CVE-2012-1182 has been solved since security release 3.6.4 of Samba.

                   =============================
                   Release Notes for Samba 3.6.4
                          April 10, 2012
                   =============================

This is a security release in order to address
CVE-2012-1182 ("root" credential remote code execution).

o  CVE-2012-1182:
   Samba 3.0.x to 3.6.3 are affected by a
   vulnerability that allows remote code
   execution as the "root" user.

Changes since 3.6.3:
--------------------

o   Stefan Metzmacher <metze@samba.org>
    *BUG 8815: PIDL based autogenerated code allows overwriting beyond of
     allocated array (CVE-2012-1182).

comment:4 Changed 12 years ago by ryandesign (Ryan Carsten Schmidt)

Resolution: fixed
Status: newclosed
Note: See TracTickets for help on using tickets.