[NAS-103657] Update Samba to 4.9.15 to address CVE-2019-10218, CVE-2019-14833, and CVE-2019-14847 - iX - Bug Tracker (Jira)

XML

Word

Printable

Details

Type: Improvement
Status: Done (View Workflow)
Priority: Low
Resolution: Complete
Affects Version/s: None
Fix Version/s: 11.2-U7, TrueNAS 11.2-U7
Component/s: Services
Labels:
None

Description

Release Announcements
---------------------

These are security releases in order to address the following defects:

o CVE-2019-10218: Client code can return filenames containing path separators.
o CVE-2019-14833: Samba AD DC check password script does not receive the full
password.
o CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server
via dirsync.

=======
Details
=======

o CVE-2019-10218:
Malicious servers can cause Samba client code to return filenames containing
path separators to calling code.

o CVE-2019-14833:
When the password contains multi-byte (non-ASCII) characters, the check
password script does not receive the full password string.

o CVE-2019-14847:
Users with the "get changes" extended access right can crash the AD DC LDAP
server by requesting an attribute using the range= syntax.

For more details and workarounds, please refer to the security advisories.

Adobe XD

Share XD links and collaborate with your team. Learn more |Send feedback

Attachments

Issue Links

relates to

NAS-102502 Update Samba to 4.10.10 to address CVE-2019-10218, CVE-2019-14833, and CVE-2019-14847

Done

Activity

People

Assignee:: Andrew Walker

Reporter:: Andrew Walker

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 29/Oct/19 10:08 AM

Updated:: 21/Nov/19 9:38 AM

Resolved:: 04/Nov/19 9:36 AM