Debian 10260 Published by

A samba security update has been released for Debian GNU/Linux 8 Extended LTS to address multiple vulnerabilities.



ELA-317-1 samba security update


Package samba
Version 2:4.2.14+dfsg-0+deb8u14
Related CVEs CVE-2020-1472 CVE-2020-10704 CVE-2020-10745 CVE-2020-14303 CVE-2020-14318 CVE-2020-14323 CVE-2020-14383
Multiple vulnerabilities have been discovered in Samba, a SMB/CIFS file, print, and login server for Unix.

CVE-2020-1472

Unauthenticated domain controller compromise by subverting Netlogon
cryptography. This vulnerability includes both ZeroLogon and
non-ZeroLogon variations.
CVE-2020-10704

An unauthorized user can trigger a denial of service via a stack
overflow in the AD DC LDAP server.
CVE-2020-10745

Denial of service resulting from abuse of compression of replies to
NetBIOS over TCP/IP name resolution and DNS packets causing excessive
CPU load on the Samba AD DC.
CVE-2020-14303

Denial of service resulting from CPU spin and and inability to
process further requests once the AD DC NBT server receives an empty
(zero-length) UDP packet to port 137.
CVE-2020-14318

Missing handle permissions check in ChangeNotify
CVE-2020-14323

Unprivileged user can crash winbind via invalid lookupsids DoS
CVE-2020-14383

DNS server crash via invalid records resulting from uninitialized
variables
For Debian 8 jessie, these problems have been fixed in version 2:4.2.14+dfsg-0+deb8u14.

We recommend that you upgrade your samba packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/

  ELA-317-1 samba security update