Source: samba
Version: 2:4.1.13+dfsg-2
Severity: important
Tags: security upstream patch fixed-upstream
Hi Samba maintainers,

I know you are aware of the issue, but filing the bug to cross reference BTS and security-tracker.

The following vulnerability was published for samba.

CVE-2014-8143[0]:
| Samba 4.0.x before 4.0.24, 4.1.x before 4.1.16, and 4.2.x before
| 4.2rc4, when an Active Directory Domain Controller (AD DC) is
| configured, allows remote authenticated users to set the LDB
| userAccountControl UF_SERVER_TRUST_ACCOUNT bit, and consequently gain
| privileges, by leveraging delegation of authority for user-account or
| computer-account creation.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2014-8143
[1] https://www.samba.org/samba/security/CVE-2014-8143
[2] https://download.samba.org/pub/samba/patches/security/samba-4.1.15-CVE-2014-8143.patch

I'm not sure about the severity (if it should be RC), since this actually (only) affects samba installations running as AD Domain Controller and delegation for the creation of users needs to be configured.

Regards,
Salvatore
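An audit for the condition the CVE text describes, added here as an example and not part of the original report or of Samba's code: it scans an LDIF export of the directory for accounts whose userAccountControl has the UF_SERVER_TRUST_ACCOUNT bit (0x2000) set but which are not on an administrator-maintained list of real domain controllers. The sample records, the DNs and the function names are assumptions made for illustration.

```python
UF_SERVER_TRUST_ACCOUNT = 0x2000  # userAccountControl flag that marks a DC account

# Constructed sample export; DNs and values are invented (532480 = 0x2000 | 0x80000).
SAMPLE_LDIF = """\
dn: CN=DC1,OU=Domain Controllers,DC=example,DC=test
sAMAccountName: DC1$
userAccountControl: 532480

dn: CN=WKS7,CN=Computers,DC=example,DC=test
sAMAccountName: WKS7$
userAccountControl: 4096

dn: CN=ODD1,CN=Computers,DC=example,DC=test
sAMAccountName: ODD1$
userAccountControl: 8192

dn: CN=alice,CN=Users,DC=example,DC=test
sAMAccountName: alice
userAccountControl: 512
"""


def parse_ldif(text):
    """Yield one dict per LDIF record (first value per attribute, lower-cased names)."""
    # Folded lines (continuation starts with a space) are joined; base64 values are not decoded.
    for block in text.replace("\n ", "").split("\n\n"):
        record = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            attr, value = line.split(": ", 1)
            record.setdefault(attr.lower(), value.strip())
        if "dn" in record:
            yield record


def unexpected_server_trust(text, known_dcs):
    """Return DNs that carry UF_SERVER_TRUST_ACCOUNT but are not in the known-DC allowlist."""
    allowed = {dn.lower() for dn in known_dcs}  # assumption: plain case-insensitive DN match
    hits = []
    for rec in parse_ldif(text):
        try:
            uac = int(rec.get("useraccountcontrol", "0"))
        except ValueError:
            continue  # malformed value: skip rather than guess
        if uac & UF_SERVER_TRUST_ACCOUNT and rec["dn"].lower() not in allowed:
            hits.append(rec["dn"])
    return hits
```

Any DN returned for a computer or user account that was created through delegated rights is worth reviewing on an AD DC that ran a version listed in the CVE text.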

