pkgsrc-Changes archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

CVS commit: pkgsrc/net/samba35



Module Name:    pkgsrc
Committed By:   taca
Date:           Wed Jan 30 11:41:44 UTC 2013

Modified Files:
        pkgsrc/net/samba35: Makefile distinfo

Log Message:
Update samba35 to 3.5.21.

                   ==============================
                   Release Notes for Samba 3.5.21
                         January 30, 2013
                   ==============================

This is a security release in order to address
CVE-2013-0213 (Clickjacking issue in SWAT) and
CVE-2013-0214 (Potential XSRF in SWAT).

o  CVE-2013-0213:
   All current released versions of Samba are vulnerable to clickjacking in the
   Samba Web Administration Tool (SWAT). When the SWAT pages are integrated into
   a malicious web page via a frame or iframe and then overlaid by other 
content,
   an attacker could trick an administrator to potentially change Samba 
settings.

   In order to be vulnerable, SWAT must have been installed and enabled
   either as a standalone server launched from inetd or xinetd, or as a
   CGI plugin to Apache. If SWAT has not been installed or enabled (which
   is the default install state for Samba) this advisory can be ignored.

o  CVE-2013-0214:
   All current released versions of Samba are vulnerable to a cross-site
   request forgery in the Samba Web Administration Tool (SWAT). By guessing a
   user's password and then tricking a user who is authenticated with SWAT into
   clicking a manipulated URL on a different web page, it is possible to 
manipulate
   SWAT.

   In order to be vulnerable, the attacker needs to know the victim's password.
   Additionally SWAT must have been installed and enabled either as a standalone
   server launched from inetd or xinetd, or as a CGI plugin to Apache. If SWAT 
has
   not been installed or enabled (which is the default install state for Samba)
   this advisory can be ignored.

Changes since 3.5.20:
---------------------

o   Kai Blin <kai%samba.org@localhost>
    * BUG 9576: CVE-2013-0213: Fix clickjacking issue in SWAT.
    * BUG 9577: CVE-2013-0214: Fix potential XSRF in SWAT.


To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.26 pkgsrc/net/samba35/Makefile
cvs rdiff -u -r1.14 -r1.15 pkgsrc/net/samba35/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.




Home | Main Index | Thread Index | Old Index