./net/samba, SMB/CIFS protocol server suite

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: pkgsrc-2012Q4, Version: 3.6.12, Package name: samba-3.6.12, Maintainer: pkgsrc-users

Samba provides file and print services for Microsoft Windows clients.
These services may be hosted off any TCP/IP-enabled platform. The
Samba project includes not only an impressive feature set in file and
print serving capabilities, but has been extended to include client
functionality, utilities to ease migration to Samba, tools to aid
interoperability with Microsoft Windows, and administration tools.

DEINSTALL.nss_winbind [+/-]

Required to run:
[devel/popt] [devel/readline] [lang/perl5] [databases/tdb]

Required to build:
[devel/gmake] [devel/pkg-config]

Package options: ads, ldap, pam, winbind

Master sites: (Expand)

SHA1: e32ed81bbfaf71a6f7fcc7e1fc7a7a49b41f8bd8
RMD160: f7f95d1a0a22861f393c4e9059c756a14795dad5
Filesize: 33275.184 KB

Version history: (Expand)


CVS history: (Expand)


   2013-02-02 11:12:23 by Matthias Scheler | Files touched by this commit (2) | Package updated
Log message:
Pullup ticket #4054 - requested by taca
net/samba: security update

Revisions pulled up:
- net/samba/Makefile                                            1.228 via patch
- net/samba/distinfo                                            1.88

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Wed Jan 30 11:42:55 UTC 2013

   Modified Files:
   	pkgsrc/net/samba: Makefile distinfo

   Log message:
   Update samba to 3.6.12.

                      ==============================
                      Release Notes for Samba 3.6.12
                             January 30, 2013
                      ==============================

   This is a security release in order to address
   CVE-2013-0213 (Clickjacking issue in SWAT) and
   CVE-2013-0214 (Potential XSRF in SWAT).

   o  CVE-2013-0213:
      All current released versions of Samba are vulnerable to clickjacking in the
      Samba Web Administration Tool (SWAT). When the SWAT pages are integrated into
      a malicious web page via a frame or iframe and then overlaid by other content,
      an attacker could trick an administrator to potentially change Samba settings.

      In order to be vulnerable, SWAT must have been installed and enabled
      either as a standalone server launched from inetd or xinetd, or as a
      CGI plugin to Apache. If SWAT has not been installed or enabled (which
      is the default install state for Samba) this advisory can be ignored.

   o  CVE-2013-0214:
      All current released versions of Samba are vulnerable to a cross-site
      request forgery in the Samba Web Administration Tool (SWAT). By guessing a
      user's password and then tricking a user who is authenticated with SWAT into
      clicking a manipulated URL on a different web page, it is possible to \ 
manipulate
      SWAT.

      In order to be vulnerable, the attacker needs to know the victim's password.
      Additionally SWAT must have been installed and enabled either as a standalone
      server launched from inetd or xinetd, or as a CGI plugin to Apache. If SWAT has
      not been installed or enabled (which is the default install state for Samba)
      this advisory can be ignored.

   Changes since 3.6.11:
   --------------------

   o   Kai Blin <kai@samba.org>
       * BUG 9576: CVE-2013-0213: Fix clickjacking issue in SWAT.
       * BUG 9577: CVE-2013-0214: Fix potential XSRF in SWAT.