Debian Security Advisory
DSA-2617-1 samba -- several issues
- Date Reported:
- 02 Feb 2013
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2013-0213, CVE-2013-0214.
- More information:
Jann Horn had reported two vulnerabilities in Samba, a popular cross-platform network file and printer sharing suite. In particular, these vulnerabilities affect to SWAT, the Samba Web Administration Tool.
Clickjacking issue in SWAT
An attacker can integrate a SWAT page into a malicious web page via a frame or iframe and then overlaid by other content. If an authenticated valid user interacts with this malicious web page, she might perform unintended changes in the Samba settings.
Potential Cross-site request forgery
An attacker can persuade a valid SWAT user, who is logged in as root, to click in a malicious link and trigger arbitrary unintended changes in the Samba settings. In order to be vulnerable, the attacker needs to know the victim's password.
For the stable distribution (squeeze), these problems have been fixed in version 2:3.5.6~dfsg-3squeeze9.
For the testing distribution (wheezy), these problems have been fixed in version 2:3.6.6-5.
For the unstable distribution (sid), these problems have been fixed in version 2:3.6.6-5.
We recommend that you upgrade your samba packages.
- CVE-2013-0213: Clickjacking issue in SWAT