Security: Cross-Site Scripting in Samba
Name: Cross-Site Scripting in Samba
ID: USN-1182-1
Distribution: Ubuntu
Platforms: Ubuntu 8.04 LTS, Ubuntu 10.04 LTS, Ubuntu 10.10, Ubuntu 11.04
Date: Wed, August 3, 2011, 01:56
References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2522
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2694
Applications: Samba

Original message

==========================================================================
Ubuntu Security Notice USN-1182-1
August 02, 2011

samba vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS

Summary:

An attacker could use a malicious URL to reconfigure Samba or steal
information.

Software Description:
- samba: SMB/CIFS file, print, and login server for Unix

Details:

Yoshihiro Ishikawa discovered that the Samba Web Administration Tool (SWAT)
was vulnerable to cross-site request forgeries (CSRF). If a Samba
administrator were tricked into clicking a link on a specially crafted web
page, an attacker could trigger commands that could modify the Samba
configuration. (CVE-2011-2522)

Nobuhiro Tsuji discovered that the Samba Web Administration Tool (SWAT) did
not properly sanitize its input when processing password change requests,
resulting in cross-site scripting (XSS) vulnerabilities. With cross-site
scripting vulnerabilities, if a user were tricked into viewing server
output during a crafted server request, a remote attacker could exploit
this to modify the contents, or steal confidential data, within the same
domain. (CVE-2011-2694)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.04:
swat 2:3.5.8~dfsg-1ubuntu2.3

Ubuntu 10.10:
swat 2:3.5.4~dfsg-1ubuntu8.5

Ubuntu 10.04 LTS:
swat 2:3.4.7~dfsg-1ubuntu3.7

Ubuntu 8.04 LTS:
swat 3.0.28a-1ubuntu4.15

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1182-1
CVE-2011-2522, CVE-2011-2694

Package Information:
https://launchpad.net/ubuntu/+source/samba/2:3.5.8~dfsg-1ubuntu2.3
https://launchpad.net/ubuntu/+source/samba/2:3.5.4~dfsg-1ubuntu8.5
https://launchpad.net/ubuntu/+source/samba/2:3.4.7~dfsg-1ubuntu3.7
https://launchpad.net/ubuntu/+source/samba/3.0.28a-1ubuntu4.15


