
[SECURITY] [DLA 2463-1] samba security update

Debian LTS Advisory DLA-2463-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                  Roberto C. Sánchez
November 22, 2020                             https://wiki.debian.org/LTS

Package        : samba
Version        : 2:4.5.16+dfsg-1+deb9u3
CVE ID         : CVE-2020-1472 CVE-2020-10704 CVE-2020-10730 CVE-2020-10745 
                 CVE-2020-10760 CVE-2020-14303 CVE-2020-14318 CVE-2020-14323 

Multiple vulnerabilities have been discovered in Samba, an SMB/CIFS file,
print, and login server for Unix.


    Unauthenticated domain controller compromise by subverting Netlogon
    cryptography.  This vulnerability includes both ZeroLogon and
    non-ZeroLogon variations.


    An unauthorized user can trigger a denial of service via a stack
    overflow in the AD DC LDAP server.


    NULL pointer de-reference and use-after-free in Samba AD DC LDAP
    Server with ASQ, VLV and paged_results.


    Denial of service resulting from abuse of compression of replies to
    NetBIOS over TCP/IP name resolution and DNS packets causing excessive
    CPU load on the Samba AD DC.


    The use of the paged_results or VLV controls against the Global
    Catalog LDAP server on the AD DC will cause a use-after-free.


    Denial of service resulting from a CPU spin and inability to
    process further requests once the AD DC NBT server receives an empty
    (zero-length) UDP packet on port 137.


    Missing handle permissions check in ChangeNotify.


    An unprivileged user can crash winbind via an invalid lookupsids
    request (denial of service).


    DNS server crash via invalid records resulting from uninitialized

For Debian 9 stretch, these problems have been fixed in version
2:4.5.16+dfsg-1+deb9u3.

We recommend that you upgrade your samba packages.

For the detailed security status of samba please refer to
its security tracker page at:

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
