[FUG-BR] [Announce] Samba 4.0.2, 3.6.12 and 3.5.21 Security Releases Available for Download
Jose Nilton
jniltinho at gmail.com
Wed Jan 30 13:00:30 BRST 2013
Samba version 4.0.2 has been released
2013/1/30 Karolin Seeger <kseeger at samba.org>
> Release Announcements
> ---------------------
>
> Samba 4.0.2, 3.6.12 and 3.5.21 have been issued as security releases in order
> to address CVE-2013-0213 (Clickjacking issue in SWAT) and
> CVE-2013-0214 (Potential XSRF in SWAT).
>
> o CVE-2013-0213:
> All current released versions of Samba are vulnerable to clickjacking in the
> Samba Web Administration Tool (SWAT). When the SWAT pages are integrated into
> a malicious web page via a frame or iframe and then overlaid by other content,
> an attacker could trick an administrator to potentially change Samba settings.
>
> In order to be vulnerable, SWAT must have been installed and enabled
> either as a standalone server launched from inetd or xinetd, or as a
> CGI plugin to Apache. If SWAT has not been installed or enabled (which
> is the default install state for Samba) this advisory can be ignored.
>
> o CVE-2013-0214:
> All current released versions of Samba are vulnerable to a cross-site
> request forgery in the Samba Web Administration Tool (SWAT). By guessing a
> user's password and then tricking a user who is authenticated with SWAT into
> clicking a manipulated URL on a different web page, it is possible to manipulate
> SWAT.
>
> In order to be vulnerable, the attacker needs to know the victim's password.
> Additionally SWAT must have been installed and enabled either as a standalone
> server launched from inetd or xinetd, or as a CGI plugin to Apache. If SWAT has
> not been installed or enabled (which is the default install state for Samba)
> this advisory can be ignored.
>
>
> Changes:
> ========
>
> o Kai Blin <kai at samba.org>
> * BUG 9576: CVE-2013-0213: Fix clickjacking issue in SWAT.
> * BUG 9577: CVE-2013-0214: Fix potential XSRF in SWAT.
>
>
> #######################################
> Reporting bugs & Development Discussion
> #######################################
>
> Please discuss this release on the samba-technical mailing list or by
> joining the #samba-technical IRC channel on irc.freenode.net.
>
> If you do report problems then please try to send high quality
> feedback. If you don't provide vital information to help us track down
> the problem then you will probably be ignored. All bug reports should
> be filed under the Samba 4.0 product in the project's Bugzilla
> database (https://bugzilla.samba.org/).
>
>
> ======================================================================
> == Our Code, Our Bugs, Our Responsibility.
> == The Samba Team
> ======================================================================
>
> ================
> Download Details
> ================
>
> The uncompressed tarballs and patch files have been signed
> using GnuPG (ID 6568B7EA). The source code can be downloaded
> from:
>
> http://download.samba.org/samba/ftp/stable/
>
> The release notes are available online at:
>
> http://www.samba.org/samba/history/samba-4.0.2.html
> http://www.samba.org/samba/history/samba-3.6.12.html
> http://www.samba.org/samba/history/samba-3.5.21.html
>
> Binary packages will be made available on a volunteer basis from
>
> http://download.samba.org/samba/ftp/Binary_Packages/
>
> Our Code, Our Bugs, Our Responsibility.
> (https://bugzilla.samba.org/)
>
> --Enjoy
> The Samba Team
>
--
..............................................................................
*With God all things are possible* :::
LinuxPro<http://www.linuxpro.com.br>
*"Quality is never obtained by accident; it is always the result of intelligent
effort." (John Ruskin)
"A mind that opens to a new idea never returns to its original size"
(Albert Einstein)*
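
The announcement says the advisory can be ignored unless SWAT is enabled through inetd or xinetd (or as an Apache CGI). The following triage check is an added example, not code from the Samba Team or from the poster: it compares a version string against the three fixed releases and looks for an enabled swat service in inetd.conf or xinetd configuration text. The function names and sample inputs are hypothetical, standard inetd.conf and xinetd syntax is assumed, and the Apache CGI case is not covered.

```python
import re

# Fixed releases named in the announcement, keyed by release branch.
FIXED = {(4, 0): (4, 0, 2), (3, 6): (3, 6, 12), (3, 5): (3, 5, 21)}

def is_unpatched(version_text):
    """True if the version string predates the fix for its branch."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_text)
    if not m:
        raise ValueError("no x.y.z version found in %r" % version_text)
    ver = tuple(int(g) for g in m.groups())
    fixed = FIXED.get(ver[:2])
    # Assumption: a branch the announcement does not list is flagged for review.
    return True if fixed is None else ver < fixed

def inetd_enables_swat(conf_text):
    """True if an uncommented inetd.conf entry starts the swat service."""
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields and fields[0] == "swat":
            return True
    return False

def xinetd_enables_swat(conf_text):
    """True if a 'service swat' block exists and is not disabled."""
    text = re.sub(r"#.*", "", conf_text)
    for body in re.findall(r"service\s+swat\s*\{([^}]*)\}", text):
        m = re.search(r"^\s*disable\s*=\s*(\S+)", body, re.M)
        # xinetd treats a service as enabled unless it says disable = yes.
        if not (m and m.group(1).lower() == "yes"):
            return True
    return False

def advisory_applies(version_text, inetd_conf="", xinetd_conf=""):
    exposed = inetd_enables_swat(inetd_conf) or xinetd_enables_swat(xinetd_conf)
    return exposed and is_unpatched(version_text)

# Constructed sample inputs (not taken from a real host).
SAMPLE_INETD = "#swat stream tcp nowait.400 root /usr/local/sbin/swat swat\n"
SAMPLE_XINETD = """service swat
{
    socket_type = stream
    server      = /usr/sbin/swat
    disable     = no
}
"""

if __name__ == "__main__":
    print(advisory_applies("Version 3.6.9", SAMPLE_INETD, SAMPLE_XINETD))
```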