Debian Bug report logs - #1016449
samba: CVE-2022-2031 CVE-2022-32742 CVE-2022-32744 CVE-2022-32745 CVE-2022-32746


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 31 Jul 2022 19:42:02 UTC

Severity: grave

Tags: security, upstream

Found in version samba/2:4.16.3+dfsg-1

Fixed in version samba/2:4.16.4+dfsg-1

Done: Michael Tokarev <mjt@tls.msk.ru>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>:
Bug#1016449; Package src:samba. (Sun, 31 Jul 2022 19:42:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Sun, 31 Jul 2022 19:42:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: samba: CVE-2022-2031 CVE-2022-32742 CVE-2022-32744 CVE-2022-32745 CVE-2022-32746
Date: Sun, 31 Jul 2022 21:38:47 +0200
Source: samba
Version: 2:4.16.3+dfsg-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerabilities were published for samba.

CVE-2022-2031[0]:
| Samba AD users can bypass certain restrictions associated with
| changing passwords

CVE-2022-32742[1]:
| Server memory information leak via SMB1

CVE-2022-32744[2]:
| Samba AD users can forge password change requests for any user

CVE-2022-32745[3]:
| Samba AD users can crash the server process with an LDAP add or modify
| request

CVE-2022-32746[4]:
| Samba AD users can induce a use-after-free in the server process
| with an LDAP add or modify request

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-2031
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2031
[1] https://security-tracker.debian.org/tracker/CVE-2022-32742
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32742
[2] https://security-tracker.debian.org/tracker/CVE-2022-32744
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32744
[3] https://security-tracker.debian.org/tracker/CVE-2022-32745
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32745
[4] https://security-tracker.debian.org/tracker/CVE-2022-32746
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32746

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Michael Tokarev <mjt@tls.msk.ru>:
You have taken responsibility. (Mon, 01 Aug 2022 12:24:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 01 Aug 2022 12:24:03 GMT)


Message #10 received at 1016449-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1016449-close@bugs.debian.org
Subject: Bug#1016449: fixed in samba 2:4.16.4+dfsg-1
Date: Mon, 01 Aug 2022 12:21:37 +0000
Source: samba
Source-Version: 2:4.16.4+dfsg-1
Done: Michael Tokarev <mjt@tls.msk.ru>

We believe that the bug you reported is fixed in the latest version of
samba, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1016449@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Tokarev <mjt@tls.msk.ru> (supplier of updated samba package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 27 Jul 2022 18:35:53 +0300
Source: samba
Architecture: source
Version: 2:4.16.4+dfsg-1
Distribution: unstable
Urgency: high
Maintainer: Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
Changed-By: Michael Tokarev <mjt@tls.msk.ru>
Closes: 1016449
Changes:
 samba (2:4.16.4+dfsg-1) unstable; urgency=high
 .
   * new upstream security release fixing:
     o CVE-2022-2031: Samba AD users can bypass certain restrictions associated
       with changing passwords.
       https://www.samba.org/samba/security/CVE-2022-2031.html
     o CVE-2022-32742: Server memory information leak via SMB1.
       https://www.samba.org/samba/security/CVE-2022-32742.html
     o CVE-2022-32744: Samba AD users can forge password change requests
       for any user.
       https://www.samba.org/samba/security/CVE-2022-32744.html
     o CVE-2022-32745: Samba AD users can crash the server process with an LDAP
       add or modify request.
       https://www.samba.org/samba/security/CVE-2022-32745.html
     o CVE-2022-32746: Samba AD users can induce a use-after-free in the server
       process with an LDAP add or modify request.
       https://www.samba.org/samba/security/CVE-2022-32746.html
   * Closes: #1016449, CVE-2022-2031, CVE-2022-32742, CVE-2022-32744,
     CVE-2022-32745, CVE-2022-32746






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Aug 1 13:17:52 2022; Machine Name: bembo
