Bug 24658 - samba new security issues CVE-2019-3880 and CVE-2018-16860
Summary: samba new security issues CVE-2019-3880 and CVE-2018-16860
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Buchan Milne
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-04-12 22:08 CEST by David Walser
Modified: 2019-10-31 13:26 CET (History)
2 users (show)

See Also:
Source RPM: samba-4.7.12-1.2.mga6.src.rpm
CVE: CVE-2019-3880 CVE-2018-16860
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2019-04-12 22:08:02 CEST 
Samba has issued an advisory on April 8:
https://www.samba.org/samba/security/CVE-2019-3880.html

The patch to fix it is here:
https://www.samba.org/samba/ftp/patches/security/samba-4.8.10-security-2019-04-08.patch
Comment 1 Marja Van Waes 2019-04-12 23:29:11 CEST 
Assigning to the registered maintainer.

Assignee: bugsquad => bgmilne
CC: (none) => marja11

Comment 2 David Walser 2019-04-22 22:58:28 CEST 
Debian has issued an advisory for this on April 8:
https://www.debian.org/security/2019/dsa-4427
Comment 3 David Walser 2019-04-22 23:16:07 CEST 
Ubuntu has issued an advisory for this on April 8:
https://usn.ubuntu.com/3939-1/
Comment 4 David Walser 2019-05-03 19:42:34 CEST 
openSUSE has issued an advisory for this on April 10:
https://lists.opensuse.org/opensuse-updates/2019-04/msg00095.html
Comment 5 Stig-Ørjan Smelror 2019-05-14 19:15:41 CEST 
New release, 4.10.3, fixes CVE-2018-16860

https://www.samba.org/samba/history/samba-4.10.3.html

Status comment: (none) => Fixed upstream in 4.10.3
CVE: (none) => CVE-2019-3880 CVE-2018-16860
CC: (none) => smelror

Comment 6 David Walser 2019-05-14 20:26:18 CEST 
https://www.samba.org/samba/security/CVE-2018-16860.html

building with MIT krb5 would also fix it.

Summary: samba new security issue CVE-2019-3880 => samba new security issues CVE-2019-3880 and CVE-2018-16860
Whiteboard: (none) => MGA6TOO
Version: 6 => Cauldron

Comment 7 David Walser 2019-05-15 15:24:18 CEST 
samba-4.10.3-1.mga7 uploaded for Cauldron.

Whiteboard: MGA6TOO => (none)
Status comment: Fixed upstream in 4.10.3 => (none)
Version: Cauldron => 6

Comment 8 David Walser 2019-08-11 20:49:46 CEST 
Debian advisory for CVE-2018-16860 from May 14:
https://www.debian.org/security/2019/dsa-4443
Comment 9 David Walser 2019-08-11 21:25:04 CEST 
and from Ubuntu:
https://usn.ubuntu.com/3976-1/
Comment 10 David Walser 2019-10-31 13:26:31 CET 
Mageia 6 is EOL.

Status: NEW => RESOLVED
Resolution: (none) => OLD
Note You need to log in before you can comment on or make changes to this bug.