  1. TrueNAS
  2. NAS-103657

Update Samba to 4.9.15 to address CVE-2019-10218, CVE-2019-14833, and CVE-2019-14847

    Details

      Description

      Release Announcements
      ---------------------

      These are security releases in order to address the following defects:

      o CVE-2019-10218: Client code can return filenames containing path separators.         
      o CVE-2019-14833: Samba AD DC check password script does not receive the full
                        password.
      o CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server
                        via dirsync.

      =======
      Details
      =======

      o  CVE-2019-10218:
         Malicious servers can cause Samba client code to return filenames containing
         path separators to calling code.

      o  CVE-2019-14833:
         When the password contains multi-byte (non-ASCII) characters, the check
         password script does not receive the full password string.

      o  CVE-2019-14847:
         Users with the "get changes" extended access right can crash the AD DC LDAP
         server by requesting an attribute using the range= syntax.

      For more details and workarounds, please refer to the security advisories.

                  People

                  Assignee:
                  awalker Andrew Walker
                  Reporter:
                  awalker Andrew Walker
                  Watchers:
                  Andrew Walker, Bug Clerk, William Grzybowski