Advisories » MGASA-2019-0397

Updated samba packages fix security vulnerabilities

Publication date: 19 Dec 2019
Modification date: 19 Dec 2019
Type: security
Affected Mageia releases: 7
CVE: CVE-2019-10218, CVE-2019-14833, CVE-2019-14847, CVE-2019-14861, CVE-2019-14870

Description

Updated samba packages fix security vulnerabilities:

Malicious servers can cause Samba client code to return filenames
containing path separators to calling code (CVE-2019-10218).

When the password contains multi-byte (non-ASCII) characters, the
check password script does not receive the full password string
(CVE-2019-14833).

Users with the "get changes" extended access right can crash the AD
DC LDAP server by requesting an attribute using the range= syntax
(CVE-2019-14847).

An authenticated user can crash the DCE/RPC DNS management server by
creating records matching the zone name (CVE-2019-14861).

The DelegationNotAllowed Kerberos feature restriction was not being
applied when processing protocol transition requests (S4U2Self), in
the AD DC KDC (CVE-2019-14870).

References

SRPMS

7/core