Mandrake Local Security Checks : Mandriva Update for samba MDVSA-2011:121 (samba)

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.831433

Category: Mandrake Local Security Checks

Title: Mandriva Update for samba MDVSA-2011:121 (samba)

Summary: The remote host is missing an update for the 'samba'; package(s) announced via the referenced advisory.

Description: Summary:
The remote host is missing an update for the 'samba'
package(s) announced via the referenced advisory.

Vulnerability Insight:
Multiple vulnerabilities has been discovered and corrected in samba:

All current released versions of Samba are vulnerable to a cross-site
request forgery in the Samba Web Administration Tool (SWAT). By
tricking a user who is authenticated with SWAT into clicking a
manipulated URL on a different web page, it is possible to manipulate
SWAT (CVE-2011-2522).

All current released versions of Samba are vulnerable to a cross-site
scripting issue in the Samba Web Administration Tool (SWAT). On the
Change Password field, it is possible to insert arbitrary content
into the user field (CVE-2011-2694).

Packages for 2009.0 are provided as of the Extended Maintenance
Program. The updated packages have been patched to correct these issues.

Affected Software/OS:
samba on Mandriva Linux 2009.0,
Mandriva Linux 2009.0/X86_64,
Mandriva Linux 2010.1,
Mandriva Linux 2010.1/X86_64,
Mandriva Enterprise Server 5,
Mandriva Enterprise Server 5/X86_64

Solution:
Please Install the Updated Packages.

CVSS Score:
6.8

CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2011-2522
BugTraq ID: 48899
http://www.securityfocus.com/bid/48899
Debian Security Information: DSA-2290 (Google Search)
http://www.debian.org/security/2011/dsa-2290
http://www.exploit-db.com/exploits/17577
HPdes Security Advisory: HPSBNS02701
http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c03008543
HPdes Security Advisory: HPSBUX02768
http://marc.info/?l=bugtraq&m=133527864025056&w=2
HPdes Security Advisory: SSRT100598
HPdes Security Advisory: SSRT100664
http://jvn.jp/en/jp/JVN29529126/index.html
http://www.mandriva.com/security/advisories?name=MDVSA-2011:121
http://osvdb.org/74071
http://securitytracker.com/id?1025852
http://secunia.com/advisories/45393
http://secunia.com/advisories/45488
http://secunia.com/advisories/45496
http://securityreason.com/securityalert/8317
http://ubuntu.com/usn/usn-1182-1
XForce ISS Database: samba-swat-csrf(68843)
https://exchange.xforce.ibmcloud.com/vulnerabilities/68843
Common Vulnerability Exposure (CVE) ID: CVE-2011-2694
BugTraq ID: 48901
http://www.securityfocus.com/bid/48901
http://jvn.jp/en/jp/JVN63041502/index.html
http://osvdb.org/74072
XForce ISS Database: samba-user-xss(68844)
https://exchange.xforce.ibmcloud.com/vulnerabilities/68844

Copyright Copyright (C) 2011 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.831433
Category:	Mandrake Local Security Checks
Title:	Mandriva Update for samba MDVSA-2011:121 (samba)
Summary:	The remote host is missing an update for the 'samba'; package(s) announced via the referenced advisory.
Description:	Summary: The remote host is missing an update for the 'samba' package(s) announced via the referenced advisory. Vulnerability Insight: Multiple vulnerabilities has been discovered and corrected in samba: All current released versions of Samba are vulnerable to a cross-site request forgery in the Samba Web Administration Tool (SWAT). By tricking a user who is authenticated with SWAT into clicking a manipulated URL on a different web page, it is possible to manipulate SWAT (CVE-2011-2522). All current released versions of Samba are vulnerable to a cross-site scripting issue in the Samba Web Administration Tool (SWAT). On the Change Password field, it is possible to insert arbitrary content into the user field (CVE-2011-2694). Packages for 2009.0 are provided as of the Extended Maintenance Program. The updated packages have been patched to correct these issues. Affected Software/OS: samba on Mandriva Linux 2009.0, Mandriva Linux 2009.0/X86_64, Mandriva Linux 2010.1, Mandriva Linux 2010.1/X86_64, Mandriva Enterprise Server 5, Mandriva Enterprise Server 5/X86_64 Solution: Please Install the Updated Packages. CVSS Score: 6.8 CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2011-2522 BugTraq ID: 48899 http://www.securityfocus.com/bid/48899 Debian Security Information: DSA-2290 (Google Search) http://www.debian.org/security/2011/dsa-2290 http://www.exploit-db.com/exploits/17577 HPdes Security Advisory: HPSBNS02701 http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c03008543 HPdes Security Advisory: HPSBUX02768 http://marc.info/?l=bugtraq&m=133527864025056&w=2 HPdes Security Advisory: SSRT100598 HPdes Security Advisory: SSRT100664 http://jvn.jp/en/jp/JVN29529126/index.html http://www.mandriva.com/security/advisories?name=MDVSA-2011:121 http://osvdb.org/74071 http://securitytracker.com/id?1025852 http://secunia.com/advisories/45393 http://secunia.com/advisories/45488 http://secunia.com/advisories/45496 http://securityreason.com/securityalert/8317 http://ubuntu.com/usn/usn-1182-1 XForce ISS Database: samba-swat-csrf(68843) https://exchange.xforce.ibmcloud.com/vulnerabilities/68843 Common Vulnerability Exposure (CVE) ID: CVE-2011-2694 BugTraq ID: 48901 http://www.securityfocus.com/bid/48901 http://jvn.jp/en/jp/JVN63041502/index.html http://osvdb.org/74072 XForce ISS Database: samba-user-xss(68844) https://exchange.xforce.ibmcloud.com/vulnerabilities/68844
Copyright	Copyright (C) 2011 Greenbone AG