On Thu, 2017-07-13 at 18:05 +1200, Andrew Bartlett wrote:
> On Thu, 2017-07-13 at 07:14 +0200, Raphael Hertzog wrote:
> > Source: samba
> > Severity: grave
> > Tags: security patch
> > Version: 2:4.1.11+dfsg-1
> >
> > Hi,
> >
> > the following vulnerability was published for samba (due to its embedded
> > copy of heimdal). I checked the build logs for unstable and apparently it
> > does use this copy (I don't know the status for older releases).
> >
> > CVE-2017-11103[0]: MitM attack, impersonation of the Kerberos client, known
> > as Orpheus Lyre
> >
> > A dedicated website is here:
> > https://orpheus-lyre.info/
> >
> > The samba announce and patch are here:
> > https://www.samba.org/samba/security/CVE-2017-11103.html
> > https://download.samba.org/pub/samba/patches/security/samba-4.x.y-CVE-2017-11103.patch
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2017-11103
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103
> >
> > Please adjust the affected versions in the BTS as needed.
>
> Proposed updates are in jessie and stretch branches at:
> git://git.samba.org/abartlet/samba-debian.git
>
> I've only built them, not tested them. Then again, the upstream
> patches were not manually tested either (we relied on autobuild), such
> was the rush...
>
> I can upload the built binaries if you want to test them or comment.

Unsigned packages (sorry) are at: https://seafile.catalyst.net.nz/d/8f9c648216c3452497cb/

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba