[Bugs] [Bug 13485] New: [CVE 21] samba 4.15.5 CVEs found

bugzilla bugzilla на rosalinux.ru
Ср Авг 23 15:21:15 MSK 2023 

https://bugzilla.rosalinux.ru/show_bug.cgi?id=13485

          Platform: 2021.1
            Bug ID: 13485
           Summary: [CVE 21] samba 4.15.5  CVEs found
    Classification: ROSA-based products
           Product: ROSA Fresh
           Version: All
          Hardware: All
               URL: CVE-2021-20251, CVE-2021-20254, CVE-2021-20277,
                    CVE-2021-23192, CVE-2022-44640, CVE-2023-0614,
                    CVE-2023-34966, CVE-2023-34967, CVE-2023-34968,
                OS: Linux
            Status: CONFIRMED
          Severity: normal
          Priority: Normal
         Component: System (kernel, glibc, systemd, bash, PAM...)
          Assignee: bugs на lists.rosalinux.ru
          Reporter: y.tumanov на rosalinux.ru
        QA Contact: bugs на lists.rosalinux.ru
                CC: e.kosachev на rosalinux.ru, m.novosyolov на rosalinux.ru,
                    s.matveev на rosalinux.ru, y.tumanov на rosalinux.ru
  Target Milestone: ---
             Flags: secteam_verified?

Please patch CVEs for package samba version 4.15.5

INFO (CVEs are): samba 4.15.5
 cves found
CVE-2021-20251
Desc: A flaw was found in samba. A race condition in the password lockout code
may lead to the risk of brute force attacks being successful if special
conditions are met.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-20251
Severity: MEDIUM
CVE-2021-20254
Desc: A flaw was found in samba. The Samba smbd file server must map Windows
group identities (SIDs) into unix group ids (gids). The code that performs this
had a flaw that could allow it to read data beyond the end of the array in the
case where a negative cache entry had been added to the mapping cache. This
could cause the calling code to return those values into the process token that
stores the group membership for a user. The highest threat from this
vulnerability is to data confidentiality and integrity.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-20254
Severity: MEDIUM
CVE-2021-20277
Desc: A flaw was found in Samba's libldb. Multiple, consecutive leading spaces
in an LDAP attribute can lead to an out-of-bounds memory write, leading to a
crash of the LDAP server process handling the request. The highest threat from
this vulnerability is to system availability.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-20277
Severity: HIGH
CVE-2021-23192
Desc: A flaw was found in the way samba implemented DCE/RPC. If a client to a
Samba server sent a very large DCE/RPC request, and chose to fragment it, an
attacker could replace later fragments with their own data, bypassing the
signature requirements.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-23192
Severity: HIGH
CVE-2022-44640
Desc: Heimdal before 7.7.1 allows remote attackers to execute arbitrary code
because of an invalid free in the ASN.1 codec used by the Key Distribution
Center (KDC).
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-44640
Severity: CRITICAL
CVE-2023-0614
Desc: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 Confidential
attribute disclosure vi LDAP filters was insufficient and an attacker may be
able to obtain confidential BitLocker recovery keys from a Samba AD DC.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-0614
Severity: MEDIUM
CVE-2023-34966
Desc: An infinite loop vulnerability was found in Samba's mdssvc RPC service
for Spotlight. When parsing Spotlight mdssvc RPC packets sent by the client,
the core unmarshalling function sl_unpack_loop() did not validate a field in
the network packet that contains the count of elements in an array-like
structure. By passing 0 as the count value, the attacked function will run in
an endless loop consuming 100% CPU. This flaw allows an attacker to issue a
malformed RPC request, triggering an infinite loop, resulting in a denial of
service condition.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-34966
Severity: HIGH
CVE-2023-34967
Desc: A Type Confusion vulnerability was found in Samba's mdssvc RPC service
for Spotlight. When parsing Spotlight mdssvc RPC packets, one encoded data
structure is a key-value style dictionary where the keys are character strings,
and the values can be any of the supported types in the mdssvc protocol. Due to
a lack of type checking in callers of the dalloc_value_for_key() function,
which returns the object associated with a key, a caller may trigger a crash in
talloc_get_size() when talloc detects that the passed-in pointer is not a valid
talloc pointer. With an RPC worker process shared among multiple client
connections, a malicious client or attacker can trigger a process crash in a
shared RPC mdssvc worker process, affecting all other clients this worker
serves.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-34967
Severity: MEDIUM
CVE-2023-34968
Desc: A path disclosure vulnerability was found in Samba. As part of the
Spotlight protocol, Samba discloses the server-side absolute path of shares,
files, and directories in the results for search queries. This flaw allows a
malicious client or an attacker with a targeted RPC request to view the
information that is part of the disclosed path.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-34968
Severity: MEDIUM

-- 
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
----------- следущая часть -----------
Вложение в формате HTML было извлечено…
URL: <http://lists.rosalinux.ru/pipermail/bugs/attachments/20230823/c9a82827/attachment.html>

Подробная информация о списке рассылки Bugs