Advisories » MGASA-2019-0397

Updated samba packages fix security vulnerabilities

Publication date: 19 Dec 2019
Type: security
Affected Mageia releases: 7
CVE: CVE-2019-10218, CVE-2019-14833, CVE-2019-14847, CVE-2019-14861, CVE-2019-14870


Updated samba packages fix security vulnerabilities:

Malicious servers can cause Samba client code to return filenames
containing path separators to calling code (CVE-2019-10218).

When the password contains multi-byte (non-ASCII) characters, the
check password script does not receive the full password string

Users with the "get changes" extended access right can crash the AD
DC LDAP server by requesting an attribute using the range= syntax

An authenticated user can crash the DCE/RPC DNS management server by
creating records matching the zone name (CVE-2019-14861).

The DelegationNotAllowed Kerberos feature restriction was not being
applied when processing protocol transition requests (S4U2Self), in
the AD DC KDC (CVE-2019-14870).