
A samba security update has been released for Debian GNU/Linux 8 Extended LTS to address a flaw in the smbd file server which maps Windows group identities (SIDs) into unix group ids (gids).



ELA-422-1 samba security update

Package: samba
Version: 2:4.2.14+dfsg-0+deb8u15
Related CVEs: CVE-2021-20254

Peter Eriksson of Linköping University discovered a flaw in the smbd file server which maps Windows group identities (SIDs) into unix group ids (gids). The code that performs this had a flaw that could allow it to read data beyond the end of the array in the case where a negative cache entry had been added to the mapping cache. This could cause the calling code to return those values into the process token that stores the group membership for a user. The vulnerability could allow unauthorized access to files.
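The defect class the advisory describes, modelled as an added example (not Samba's code): a hypothetical SID-to-gid cache holding one negative entry, a mapping routine whose buggy shape tells the caller that every slot is valid so stale memory past the filled entries is copied into the user's token, and the fixed shape that reports only the gids actually resolved. STALE_GID stands in for the out-of-bounds memory so the program stays well-defined; all SIDs and gids are constructed values.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of a SID->gid mapping cache. A negative entry records that
 * a SID has no unix gid. Names and layout are hypothetical, not Samba's code. */
typedef struct { const char *sid; int negative; int gid; } cache_entry;

static const cache_entry CACHE[] = {
    { "S-1-5-21-1-1-1-513", 0, 100 },
    { "S-1-5-21-1-1-1-999", 1, 0 },    /* negative entry: an earlier lookup failed */
    { "S-1-5-21-1-1-1-512", 0, 101 },
};

/* Constructed group SIDs of one user; the middle one has only a negative entry. */
static const char *USER_SIDS[] = {
    "S-1-5-21-1-1-1-513", "S-1-5-21-1-1-1-999", "S-1-5-21-1-1-1-512" };
#define N_USER_SIDS (sizeof USER_SIDS / sizeof USER_SIDS[0])
#define STALE_GID (-1)   /* stands in for memory past the filled part of gids[] */

static const cache_entry *lookup(const char *sid) {
    for (size_t i = 0; i < sizeof CACHE / sizeof CACHE[0]; i++)
        if (strcmp(CACHE[i].sid, sid) == 0) return &CACHE[i];
    return NULL;
}

/* Resolves SIDs to gids, writing only successful mappings; returns how many. */
static size_t resolve(const char **sids, size_t n_sids, int *gids) {
    size_t filled = 0;
    for (size_t i = 0; i < n_sids; i++) gids[i] = STALE_GID;
    for (size_t i = 0; i < n_sids; i++) {
        const cache_entry *e = lookup(sids[i]);
        if (e == NULL || e->negative) continue;   /* negative hit: nothing written */
        gids[filled++] = e->gid;
    }
    return filled;
}

/* Buggy shape: claims all n slots are valid although only 'filled' were written,
 * so the caller copies stale data into the user's token. Fixed shape: reports
 * only the gids actually resolved. */
size_t map_sids_buggy(const char **s, size_t n, int *g) { resolve(s, n, g); return n; }
size_t map_sids_fixed(const char **s, size_t n, int *g) { return resolve(s, n, g); }

/* Number of stale gids that reach the token under the given mapping variant. */
size_t stale_in_token(size_t (*map)(const char **, size_t, int *)) {
    int g[N_USER_SIDS], stale = 0;
    size_t n = map(USER_SIDS, N_USER_SIDS, g);
    for (size_t i = 0; i < n; i++) stale += (g[i] == STALE_GID);
    return (size_t)stale;
}
```

A stale gid in the token is exactly the condition that can grant a user group membership it was never mapped to, which is why the fixed count, not the requested count, must drive what the token consumes.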

For Debian 8 jessie, these problems have been fixed in version 2:4.2.14+dfsg-0+deb8u15.

We recommend that you upgrade your samba packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/
