All errata/c8.1/ALT-PU-2019-2418-1
ALT-PU-2019-2418-1

Package update samba-DC in branch c8.1

Version4.9.11-alt1
Task#235302
Published2019-08-08
Max severityHIGH
Severity:

Closed issues (8)

BDU:2019-01870
HIGH7.5

Уязвимость реализации Heimdal протокола Kerberos пакета программ сетевого взаимодействия Samba, позволяющая нарушителю раскрыть защищаемую информацию или вызвать отказ в обслуживании

Published: 2019-05-31Modified: 2025-03-05
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.0HIGH 7.1
CVSS:2.0/AV:N/AC:H/Au:S/C:C/I:C/A:C
References
BDU:2020-00695
MEDIUM4.4

Уязвимость компонента обработки зоны DNS на сервере программ сетевого взаимодействия Samba, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2020-02-24Modified: 2025-03-05
CVSS 3.xMEDIUM 4.4
CVSS:3.x/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0LOW 3.5
CVSS:2.0/AV:N/AC:M/Au:S/C:N/I:N/A:P
References
BDU:2020-00697
MEDIUM5.9

Уязвимость конфигурации AD DC программ сетевого взаимодействия Samba, позволяющая нарушителю оказать воздействие на целостность информации

Published: 2020-02-24Modified: 2025-03-05
CVSS 3.xMEDIUM 5.9
CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS 2.0MEDIUM 4.3
CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N
References
BDU:2020-00724
MEDIUM6.5

Уязвимость программного обеспечения Samba, связанная с разыменованием нулевого указателя, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2020-02-27Modified: 2021-03-25
CVSS 3.xMEDIUM 6.5
CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0MEDIUM 4.0
CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:N/A:P
References
CVE-2018-16852
MEDIUM4.4

Samba from version 4.9.0 and before version 4.9.3 is vulnerable to a NULL pointer de-reference. During the processing of an DNS zone in the DNS management DCE/RPC server, the internal DNS server or the Samba DLZ plugin for BIND9, if the DSPROPERTY_ZONE_MASTER_SERVERS property or DSPROPERTY_ZONE_SCAVENGING_SERVERS property is set, the server will follow a NULL pointer and terminate. There is no further vulnerability associated with this issue, merely a denial of service.

Published: 2018-11-28Modified: 2024-11-21
CVSS 2.0LOW 3.5
CVSS:2.0/AV:N/AC:M/Au:S/C:N/I:N/A:P
CVSS 3.xMEDIUM 4.4
CVSS:3.x/CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
References
CVE-2018-16857
MEDIUM5.9

Samba from version 4.9.0 and before version 4.9.3 that have AD DC configurations watching for bad passwords (to restrict brute forcing of passwords) in a window of more than 3 minutes may not watch for bad passwords at all. The primary risk from this issue is with regards to domains that have been upgraded from Samba 4.8 and earlier. In these cases the manual testing done to confirm an organisation's password policies apply as expected may not have been re-done after the upgrade.

Published: 2018-11-28Modified: 2024-11-21
CVSS 2.0MEDIUM 4.3
CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS 3.xMEDIUM 5.9
CVSS:3.x/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
References
CVE-2018-16860
HIGH7.5

A flaw was found in samba's Heimdal KDC implementation, versions 4.8.x up to, excluding 4.8.12, 4.9.x up to, excluding 4.9.8 and 4.10.x up to, excluding 4.10.3, when used in AD DC mode. A man in the middle attacker could use this flaw to intercept the request to the KDC and replace the user name (principal) in the request with any desired user name (principal) that exists in the KDC effectively obtaining a ticket for that principal.

Published: 2019-07-31Modified: 2024-11-21
CVSS 2.0MEDIUM 6.0
CVSS:2.0/AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
References
CVE-2019-12435
MEDIUM6.5

Samba 4.9.x before 4.9.9 and 4.10.x before 4.10.5 has a NULL pointer dereference, leading to Denial of Service. This is related to the AD DC DNS management server (dnsserver) RPC server process.

Published: 2019-06-19Modified: 2024-11-21
CVSS 2.0MEDIUM 4.0
CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:N/A:P
CVSS 3.xMEDIUM 6.5
CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References