On 02/26/2015 07:29 PM, McGraw, Robert P wrote:


https://www.samba.org/samba/security/CVE-2015-0240  shows the following in the 
header


    CVE-2015-0240.html:

===========================================================
== Subject:     Unexpected code execution in smbd.
==
== CVE ID#:     CVE-2015-0240
==
== Versions:    Samba 3.5.0 to 4.2.0rc4
==
== Summary:     Unauthenticated code execution attack on
==              smbd file services.
==
===========================================================
The latest samba patch is 119758-33, but I am not sure what version of samba this will be.
pca -r 119758-33 gives the following header info.

Keywords: security ldap upgrade services samba man pages

Synopsis: SunOS 5.10_x86: Samba patch

Date: Sep/12/2014

Does anyone know what version number of samba I will have when I install patch 119758-33?

Does anyone know if this patch number fixes the above samba problem, or is there another patch that needs to be added, or is it added by another patch ID?

Thanks

Robert

Hi Robert,
I can't find any Solaris patch for CVE-2015-0240 in the MOS article "Reference Index of CVE IDs and Solaris Patches (Doc ID 1448883.1)" (https://support.oracle.com/epmos/faces/DocContentDisplay?id=1448883.1) [requires credentials].

Try applying the Samba workaround from https://www.samba.org/samba/security/CVE-2015-0240

---8<---

==========
Workaround
==========

On Samba versions 4.0.0 and above, add the line:

rpc_server:netlogon=disabled

to the [global] section of your smb.conf. For Samba versions 3.6.x and
earlier, this workaround is not available.

---8<---

I suppose the Oracle Security Team is working on releasing a patch for this vulnerability (http://www.oracle.com/us/support/assurance/vulnerability-remediation/security-fixing/index.html). If you have a valid support identifier number (support contract), open a Service Request (SR) to get this fixed (an IDR patch).


HTH
Michele V.
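Added here as an example, not code from the thread or from Samba: a small Python check that parses an smb.conf, reports whether the advisory's workaround line is set in [global], and writes it in when it is missing; the version helper encodes the advisory's rule that the workaround exists only on 4.0.0 and later. The sample configuration and all function names are constructed for this example.

```python
"""Check an smb.conf for the CVE-2015-0240 workaround (rpc_server:netlogon=disabled
in [global]) and produce a patched copy when it is missing.
Constructed example; not part of the original thread or of Samba itself."""
import re

WORKAROUND_KEY = "rpc_server:netlogon"
WORKAROUND_VALUE = "disabled"

def _norm(name: str) -> str:
    # Assumption: Samba treats parameter names case-insensitively and ignores
    # whitespace inside them, so normalise the same way before comparing.
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text: str) -> dict:
    """Return {section: {normalised_key: value}} for an smb.conf-style file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()  # section names are case-insensitive
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)      # values may themselves contain '='
            sections[current][_norm(key)] = value.strip()
    return sections

def workaround_present(text: str) -> bool:
    """True if [global] sets rpc_server:netlogon = disabled."""
    global_sec = parse_smb_conf(text).get("global", {})
    return global_sec.get(WORKAROUND_KEY, "").lower() == WORKAROUND_VALUE

def workaround_applies(version: str) -> bool:
    """Advisory rule: the workaround is available on Samba 4.0.0 and above only.
    Accepts release-candidate strings such as '4.2.0rc4'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Samba version string: {version!r}")
    return tuple(int(x) for x in m.groups()) >= (4, 0, 0)

def apply_workaround(text: str) -> str:
    """Insert the line right after the [global] header, or prepend a [global] section."""
    if workaround_present(text):
        return text
    lines = text.splitlines()
    for i, raw in enumerate(lines):
        if raw.strip().lower() == "[global]":
            lines.insert(i + 1, f"    {WORKAROUND_KEY} = {WORKAROUND_VALUE}")
            return "\n".join(lines) + "\n"
    return f"[global]\n    {WORKAROUND_KEY} = {WORKAROUND_VALUE}\n\n" + text

SAMPLE_CONF = """# constructed sample smb.conf (no workaround yet)
[global]
    workgroup = WORKGROUP
    server string = Samba Server
[homes]
    browseable = no
"""
```

The check is only meaningful on a 4.x server; on the 3.6.x and earlier builds the advisory says no configuration workaround exists, so there a vendor patch is the only fix.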
