Slackware Local Security Checks : Slackware: Security Advisory (SSA:2006-200-01)

Anfälligkeitssuche		Suche in 324607 CVE Beschreibungen und 145615 Test Beschreibungen, Zugriff auf 10,000+ Quellverweise.
	Tests CVE Alle

Test Kennung: 1.3.6.1.4.1.25623.1.0.57174

Kategorie: Slackware Local Security Checks

Titel: Slackware: Security Advisory (SSA:2006-200-01)

Zusammenfassung: The remote host is missing an update for the 'Samba' package(s) announced via the SSA:2006-200-01 advisory.

Beschreibung: Summary:
The remote host is missing an update for the 'Samba' package(s) announced via the SSA:2006-200-01 advisory.

Vulnerability Insight:
New Samba packages are available for Slackware 10.0, 10.1, 10.2,
and -current.

In Slackware 10.0, 10.1, and 10.2, Samba was evidently picking up
the libdm.so.0 library causing a Samba package issued primarily as
a security patch to suddenly require a library that would only be
present on the machine if the xfsprogs package (from the A series
but marked 'optional') was installed. Sorry -- this was not
intentional, though I do know that I'm taking the chance of this
kind of issue when trying to get security related problems fixed
quickly (hopefully balanced with reasonable testing), and when the
fix is achieved by upgrading to a new version rather than with the
smallest patch possible to fix the known issue. However, I tend
to trust that by following upstream sources as much as possible
I'm also fixing some problems that aren't yet public.

So, all of the 10.0, 10.1, and 10.2 packages have been rebuilt
on systems without the dm library, and should be able to directly
upgrade older samba packages without additional requirements.
Well, unless they are also under /patches. ,-)

All the packages (including -current) have been patched with a
fix from Samba's CVS for some reported problems with winbind.
Thanks to Mikhail Kshevetskiy for pointing me to the patch.

I realize these packages don't really fix security issues, but
they do fix security patch packages that are less than a couple
of days old, so it seems prudent to notify slackware-security
(and any subscribed lists) again. Sorry if it's noise...

Here are the details from the Slackware 10.2 ChangeLog:
+--------------------------+
patches/packages/samba-3.0.23-i486-2_slack10.2.tgz:
Patched a problem in nsswitch/wins.c that caused crashes in the wins
and/or winbind libraries.
Thanks to Mikhail Kshevetskiy for pointing out the issue and offering
a reference to the patch in Samba's source repository.
Also, this version of Samba evidently created a new dependency on libdm.so
(found in the xfsprogs package in non -current Slackware versions). This
additional dependency was not intentional, and has been corrected.
+--------------------------+

Affected Software/OS:
'Samba' package(s) on Slackware 10.0, Slackware 10.1, Slackware 10.2, Slackware current.

Solution:
Please install the updated package(s).

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N

Copyright Copyright (C) 2012 Greenbone AG

Dies ist nur einer von 145615 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus.
Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten.

Test Kennung:	1.3.6.1.4.1.25623.1.0.57174
Kategorie:	Slackware Local Security Checks
Titel:	Slackware: Security Advisory (SSA:2006-200-01)
Zusammenfassung:	The remote host is missing an update for the 'Samba' package(s) announced via the SSA:2006-200-01 advisory.
Beschreibung:	Summary: The remote host is missing an update for the 'Samba' package(s) announced via the SSA:2006-200-01 advisory. Vulnerability Insight: New Samba packages are available for Slackware 10.0, 10.1, 10.2, and -current. In Slackware 10.0, 10.1, and 10.2, Samba was evidently picking up the libdm.so.0 library causing a Samba package issued primarily as a security patch to suddenly require a library that would only be present on the machine if the xfsprogs package (from the A series but marked 'optional') was installed. Sorry -- this was not intentional, though I do know that I'm taking the chance of this kind of issue when trying to get security related problems fixed quickly (hopefully balanced with reasonable testing), and when the fix is achieved by upgrading to a new version rather than with the smallest patch possible to fix the known issue. However, I tend to trust that by following upstream sources as much as possible I'm also fixing some problems that aren't yet public. So, all of the 10.0, 10.1, and 10.2 packages have been rebuilt on systems without the dm library, and should be able to directly upgrade older samba packages without additional requirements. Well, unless they are also under /patches. ,-) All the packages (including -current) have been patched with a fix from Samba's CVS for some reported problems with winbind. Thanks to Mikhail Kshevetskiy for pointing me to the patch. I realize these packages don't really fix security issues, but they do fix security patch packages that are less than a couple of days old, so it seems prudent to notify slackware-security (and any subscribed lists) again. Sorry if it's noise... Here are the details from the Slackware 10.2 ChangeLog: +--------------------------+ patches/packages/samba-3.0.23-i486-2_slack10.2.tgz: Patched a problem in nsswitch/wins.c that caused crashes in the wins and/or winbind libraries. Thanks to Mikhail Kshevetskiy for pointing out the issue and offering a reference to the patch in Samba's source repository. Also, this version of Samba evidently created a new dependency on libdm.so (found in the xfsprogs package in non -current Slackware versions). This additional dependency was not intentional, and has been corrected. +--------------------------+ Affected Software/OS: 'Samba' package(s) on Slackware 10.0, Slackware 10.1, Slackware 10.2, Slackware current. Solution: Please install the updated package(s). CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Copyright	Copyright (C) 2012 Greenbone AG