Debian Bug report logs - #930748
samba: CVE-2019-12435: Samba AD DC Denial of Service in DNS management server (dnsserver)
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 19 Jun 2019 19:51:01 UTC
Severity: important
Tags: security, upstream
Found in version samba/2:4.9.5+dfsg-4
Fixed in version 2:4.9.5+dfsg-5
Done: Mathieu Parent <math.parent@gmail.com>
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>: Bug#930748; Package src:samba. (Wed, 19 Jun 2019 19:51:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Wed, 19 Jun 2019 19:51:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: samba
Version: 2:4.9.5+dfsg-4
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for samba.
CVE-2019-12435[0]:
| Samba 4.9.x before 4.9.9 and 4.10.x before 4.10.5 has a NULL pointer
| dereference, leading to Denial of Service. This is related to the AD
| DC DNS management server (dnsserver) RPC server process.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-12435
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12435
[1] https://www.samba.org/samba/security/CVE-2019-12435.html
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>: Bug#930748; Package src:samba. (Wed, 19 Jun 2019 20:15:03 GMT)
Acknowledgement sent to Mathieu Parent <math.parent@gmail.com>: Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Wed, 19 Jun 2019 20:15:03 GMT)
Message #10 received at 930748@bugs.debian.org:
On Wed, 19 Jun 2019 at 21:51, Salvatore Bonaccorso <carnil@debian.org> wrote:
>
> Source: samba
> Version: 2:4.9.5+dfsg-4
> Severity: important
> Tags: security upstream
>
> Hi,
Hi,
> The following vulnerability was published for samba.
>
> CVE-2019-12435[0]:
> | Samba 4.9.x before 4.9.9 and 4.10.x before 4.10.5 has a NULL pointer
> | dereference, leading to Denial of Service. This is related to the AD
> | DC DNS management server (dnsserver) RPC server process.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2019-12435
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12435
> [1] https://www.samba.org/samba/security/CVE-2019-12435.html
I've just created a pre-approval unblock request to choose between
uploading 4.9.9 (including stability fixes) or 4.9.5+patch.
Regards
--
Mathieu Parent
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>: Bug#930748; Package src:samba. (Wed, 19 Jun 2019 20:45:02 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Wed, 19 Jun 2019 20:45:03 GMT)
Message #15 received at 930748@bugs.debian.org:
Hey,
On Wed, Jun 19, 2019 at 10:12:15PM +0200, Mathieu Parent wrote:
> > The following vulnerability was published for samba.
> >
> > CVE-2019-12435[0]:
> > | Samba 4.9.x before 4.9.9 and 4.10.x before 4.10.5 has a NULL pointer
> > | dereference, leading to Denial of Service. This is related to the AD
> > | DC DNS management server (dnsserver) RPC server process.
> >
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2019-12435
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12435
> > [1] https://www.samba.org/samba/security/CVE-2019-12435.html
>
> I've just created a pre-approval unblock request to choose between
> uploading 4.9.9 (including stability fixes) or 4.9.5+patch.
Ack! Thank you Mathieu.
Regards,
Salvatore
Reply sent to Mathieu Parent <math.parent@gmail.com>: You have taken responsibility. (Thu, 20 Jun 2019 07:48:04 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Thu, 20 Jun 2019 07:48:04 GMT)
Message #20 received at 930748-done@bugs.debian.org:
Version: 2:4.9.5+dfsg-5
On Wed, 19 Jun 2019 at 22:41, Salvatore Bonaccorso <carnil@debian.org> wrote:
>
> Hey,
>
> On Wed, Jun 19, 2019 at 10:12:15PM +0200, Mathieu Parent wrote:
> > > The following vulnerability was published for samba.
> > >
> > > CVE-2019-12435[0]:
> > > | Samba 4.9.x before 4.9.9 and 4.10.x before 4.10.5 has a NULL pointer
> > > | dereference, leading to Denial of Service. This is related to the AD
> > > | DC DNS management server (dnsserver) RPC server process.
> > >
> > >
> > > If you fix the vulnerability please also make sure to include the
> > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > >
> > > For further information see:
> > >
> > > [0] https://security-tracker.debian.org/tracker/CVE-2019-12435
> > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12435
> > > [1] https://www.samba.org/samba/security/CVE-2019-12435.html
> >
> > I've just created a pre-approval unblock request to choose between
> > uploading 4.9.9 (including stability fixes) or 4.9.5+patch.
>
> Ack! Thank you Mathieu.
I've uploaded 2:4.9.5+dfsg-5 with only targeted fixes.
But I forgot to add the Closes:. Closing now.
Regards
--
Mathieu Parent
Last modified: Thu Jun 20 12:56:33 2019; Machine Name: beach