[Pkg-samba-maint] Bug#868209: CVE-2017-11103: MitM attack, impersonation of the Kerberos client, known as Orpheus Lyre

Andrew Bartlett abartlet at samba.org
Thu Jul 13 07:45:14 UTC 2017


On Thu, 2017-07-13 at 18:05 +1200, Andrew Bartlett wrote:
> On Thu, 2017-07-13 at 07:14 +0200, Raphael Hertzog wrote:
> > Source: samba
> > Severity: grave
> > Tags: security patch
> > Version: 2:4.1.11+dfsg-1
> > 
> > Hi,
> > 
> > the following vulnerability was published for samba (due to its embedded
> > copy of heimdal). I checked the build logs for unstable and apparently it
> > does use this copy (I don't know the status for older releases).
> > 
> > CVE-2017-11103[0]: MitM attack, impersonation of the Kerberos client, known as Orpheus Lyre
> > 
> > A dedicated website is here:
> > https://orpheus-lyre.info/
> > 
> > The samba announce and patch are here:
> > https://www.samba.org/samba/security/CVE-2017-11103.html
> > https://download.samba.org/pub/samba/patches/security/samba-4.x.y-CVE-2017-11103.patch
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2017-11103
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103
> > 
> > Please adjust the affected versions in the BTS as needed.
> 
> Proposed updates are in jessie and stretch branches at:
> 
> git://git.samba.org/abartlet/samba-debian.git
> 
> I've only built them, not tested them.  Then again, the upstream
> patches were not manually tested either (we relied on autobuild), such
> was the rush...
> 
> I can upload the built binaries if you want to test them or comment.

Unsigned packages (sorry) are at:

https://seafile.catalyst.net.nz/d/8f9c648216c3452497cb/

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
