Advisories » MGASA-2014-0138

Updated samba packages fix security vulnerability

Publication date: 23 Mar 2014
Modification date: 23 Mar 2014
Type: security
Affected Mageia releases: 3, 4
CVE: CVE-2013-4496

Description

In Samba before 3.6.23, the SAMR server neglects to ensure that attempted
password changes will update the bad password count, and does not set the
lockout flags.  This would allow a user unlimited attempts against the
password by simply calling ChangePasswordUser2 repeatedly.  This call is
available without any other authentication (CVE-2013-4496).
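The missing bookkeeping described above, as a simplified in-memory model added here for illustration; it is not Samba's code. All names, the threshold of 3, refusing changes on a locked account and the reset on success are assumptions of the model.

```c
#include <stdbool.h>
#include <string.h>
#define LOCKOUT_THRESHOLD 3     /* assumed policy value for this model */

struct account {
    const char *password;       /* plaintext only to keep the model short */
    unsigned bad_password_count;
    bool locked;
};

/* Bookkeeping that every password-verifying path has to perform. */
static void record_bad_password(struct account *a)
{
    if (++a->bad_password_count >= LOCKOUT_THRESHOLD)
        a->locked = true;
}

/* 'Before': checks the old password but never touches count or flag. */
bool change_password_unpatched(struct account *a, const char *old_pw,
                               const char *new_pw)
{
    if (strcmp(a->password, old_pw) != 0)
        return false;           /* failure leaves no trace on the account */
    a->password = new_pw;
    return true;
}

/* 'After': failed changes are counted and can lock the account. */
bool change_password_patched(struct account *a, const char *old_pw,
                             const char *new_pw)
{
    if (a->locked)
        return false;           /* model assumption: locked means refused */
    if (strcmp(a->password, old_pw) != 0) {
        record_bad_password(a);
        return false;
    }
    a->bad_password_count = 0;  /* model assumption: success resets count */
    a->password = new_pw;
    return true;
}

/* Test helper: n failed changes, then report what the account recorded. */
unsigned count_after_failures(struct account *a, unsigned n,
    bool (*change)(struct account *, const char *, const char *))
{
    for (unsigned i = 0; i < n; i++)
        change(a, "wrong-guess", "unused");
    return a->bad_password_count;
}
```

In the unpatched path the account state is identical before and after any number of failed changes, so a lockout policy enforced only on the logon path never triggers.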
                

References

SRPMS

4/core

3/core