Samba version 4.0.2 is out
2013/1/30 Karolin Seeger <ksee...@samba.org>

> Release Announcements
> ---------------------
>
> Samba 4.0.2, 3.6.12 and 3.5.21 have been issued as security releases in order
> to address CVE-2013-0213 (Clickjacking issue in SWAT) and
> CVE-2013-0214 (Potential XSRF in SWAT).
>
> o CVE-2013-0213:
> All current released versions of Samba are vulnerable to clickjacking in the
> Samba Web Administration Tool (SWAT). When the SWAT pages are integrated into
> a malicious web page via a frame or iframe and then overlaid by other content,
> an attacker could trick an administrator into potentially changing Samba
> settings.
>
> In order to be vulnerable, SWAT must have been installed and enabled
> either as a standalone server launched from inetd or xinetd, or as a
> CGI plugin to Apache. If SWAT has not been installed or enabled (which
> is the default install state for Samba) this advisory can be ignored.
>
> o CVE-2013-0214:
> All current released versions of Samba are vulnerable to a cross-site
> request forgery in the Samba Web Administration Tool (SWAT). By guessing a
> user's password and then tricking a user who is authenticated with SWAT into
> clicking a manipulated URL on a different web page, it is possible to
> manipulate SWAT.
>
> In order to be vulnerable, the attacker needs to know the victim's password.
> Additionally SWAT must have been installed and enabled either as a standalone
> server launched from inetd or xinetd, or as a CGI plugin to Apache. If SWAT has
> not been installed or enabled (which is the default install state for Samba)
> this advisory can be ignored.
>
>
> Changes:
> ========
>
> o Kai Blin <k...@samba.org>
> * BUG 9576: CVE-2013-0213: Fix clickjacking issue in SWAT.
> * BUG 9577: CVE-2013-0214: Fix potential XSRF in SWAT.
>
>
> #######################################
> Reporting bugs & Development Discussion
> #######################################
>
> Please discuss this release on the samba-technical mailing list or by
> joining the #samba-technical IRC channel on irc.freenode.net.
>
> If you do report problems then please try to send high quality
> feedback. If you don't provide vital information to help us track down
> the problem then you will probably be ignored. All bug reports should
> be filed under the Samba 4.0 product in the project's Bugzilla
> database (https://bugzilla.samba.org/).
>
>
> ======================================================================
> == Our Code, Our Bugs, Our Responsibility.
> == The Samba Team
> ======================================================================
>
> ================
> Download Details
> ================
>
> The uncompressed tarballs and patch files have been signed
> using GnuPG (ID 6568B7EA). The source code can be downloaded
> from:
>
> http://download.samba.org/samba/ftp/stable/
>
> The release notes are available online at:
>
> http://www.samba.org/samba/history/samba-4.0.2.html
> http://www.samba.org/samba/history/samba-3.6.12.html
> http://www.samba.org/samba/history/samba-3.5.21.html
>
> Binary packages will be made available on a volunteer basis from
>
> http://download.samba.org/samba/ftp/Binary_Packages/
>
> Our Code, Our Bugs, Our Responsibility.
> (https://bugzilla.samba.org/)
>
> --Enjoy
> The Samba Team
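The two SWAT issues above are the classic pair of web-admin weaknesses: a page that can be embedded in another site's frame (clickjacking) and a settings change that is authorised by the browser's credentials alone (XSRF). The following is an added illustration, not Samba's own code, of the generic defences for each: anti-framing response headers, and a per-session token that a state-changing request must carry. The session id, the `xsrf` parameter name and the server secret are assumptions for the demo.

```python
import hashlib
import hmac
import secrets

# Added example (not SWAT's code): generic defences for the two issue
# classes in the advisory, kept small enough to read in one sitting.


def frame_protection_headers() -> dict:
    """Response headers that make browsers refuse to render the page inside
    a frame or iframe on another origin, which removes the overlay trick
    that clickjacking relies on. Both headers are sent for older and
    newer browsers."""
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }


def issue_xsrf_token(session_id: str, server_secret: bytes) -> str:
    """Derive an anti-XSRF token bound to one authenticated session.
    A link crafted on another site cannot include this value, because the
    attacker never sees the session id or the server secret."""
    return hmac.new(server_secret, session_id.encode(), hashlib.sha256).hexdigest()


def authorize_change(method: str, session_id: str, params: dict,
                     server_secret: bytes) -> bool:
    """Gate for any request that would change settings.
    Valid authentication is not enough: the request must be a POST and carry
    a token matching the caller's session. A manipulated URL (a GET, or a
    POST lacking the token) is refused even though the browser attached the
    victim's credentials."""
    if method != "POST":
        return False
    submitted = params.get("xsrf")  # assumed parameter name for the demo
    if not submitted:
        return False
    expected = issue_xsrf_token(session_id, server_secret)
    return hmac.compare_digest(submitted, expected)


# Constructed: one random secret per server start is enough for this scheme.
SERVER_SECRET = secrets.token_bytes(32)

if __name__ == "__main__":
    sid = "session-demo-1"  # constructed sample session id
    tok = issue_xsrf_token(sid, SERVER_SECRET)
    print(authorize_change("GET", sid, {"action": "set"}, SERVER_SECRET))  # False
    print(authorize_change("POST", sid, {"xsrf": tok}, SERVER_SECRET))      # True
```

The token is rendered into the admin tool's own forms, so legitimate submissions succeed while a forged cross-site link, which can only guess the parameter, fails the constant-time comparison.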