[Pkg-samba-maint] Bug#868209: Bug#868209: CVE-2017-11103: MitM attack, impersonation of the Kerberos client, known as Orpheus Lyre

Mathieu Parent math.parent at gmail.com
Thu Jul 13 12:52:01 UTC 2017


Hello,

I'll handle sid, stretch and jessie. With the corresponding versions:
+samba (2:4.6.5+dfsg-4) unstable; urgency=high
+samba (2:4.5.8+dfsg-2+deb9u1) stretch-security; urgency=high
+samba (2:4.2.14+dfsg-0+deb8u7) jessie-security; urgency=high

The timing was not very good for me, but I have some time this
afternoon to commit+build+upload.

Regards

Mathieu Parent


2017-07-13 9:45 GMT+02:00 Andrew Bartlett <abartlet at samba.org>:
> On Thu, 2017-07-13 at 18:05 +1200, Andrew Bartlett wrote:
>> On Thu, 2017-07-13 at 07:14 +0200, Raphael Hertzog wrote:
>> > Source: samba
>> > Severity: grave
>> > Tags: security patch
>> > Version: 2:4.1.11+dfsg-1
>> >
>> > Hi,
>> >
>> > the following vulnerability was published for samba (due to its embedded
>> > copy of heimdal). I checked the build logs for unstable and apparently it
>> > does use this copy (I don't know the status for older releases).
>> >
>> > CVE-2017-11103[0]: MitM attack, impersonation of the Kerberos client, known as Orpheus Lyre
>> >
>> > A dedicated website is here:
>> > https://orpheus-lyre.info/
>> >
>> > The samba announce and patch are here:
>> > https://www.samba.org/samba/security/CVE-2017-11103.html
>> > https://download.samba.org/pub/samba/patches/security/samba-4.x.y-CVE-2017-11103.patch
>> >
>> > If you fix the vulnerability please also make sure to include the
>> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>> >
>> > For further information see:
>> >
>> > [0] https://security-tracker.debian.org/tracker/CVE-2017-11103
>> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103
>> >
>> > Please adjust the affected versions in the BTS as needed.
>>
>> Proposed updates are in jessie and stretch branches at:
>>
>> git://git.samba.org/abartlet/samba-debian.git
>>
>> I've only built them, not tested them.  Then again, the upstream
>> patches were not manually tested either (we relied on autobuild), such
>> was the rush...
>>
>> I can upload the built binaries if you want to test them or comment.
>
> Unsigned packages (sorry) are at:
>
> https://seafile.catalyst.net.nz/d/8f9c648216c3452497cb/
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
>
> _______________________________________________
> Pkg-samba-maint mailing list
> Pkg-samba-maint at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-samba-maint



-- 
Mathieu
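The defect behind the CVE this thread is coordinating fixes for, as an added example that is not part of the original message and not Samba's or Heimdal's code. Per the Samba advisory and the Heimdal fix, the client took the server name of a received KDC-REP from the unauthenticated Ticket header instead of from the EncKDCRepPart, which is encrypted (and so integrity-protected) under the client's key. The model below is a deliberate simplification: "encryption" is an HMAC-SHA256 tag over a JSON body (integrity only, since confidentiality is not what the bug is about), the KDC is modelled as issuing a ticket for whatever service name it receives, and how an on-path attacker gets the KDC to answer the victim's request with a reply for the attacker's own service is not modelled. Names such as `cifs/fileserver.example.com`, `host/attacker.example.com`, `EXAMPLE.COM` and all keys are constructed for the example.

```python
import hashlib
import hmac
import json
import os
from dataclasses import dataclass

REALM = "EXAMPLE.COM"  # constructed realm for the example


def seal(key: bytes, fields: dict) -> bytes:
    """Stand-in for a Kerberos EncryptedData: HMAC-SHA256 tag followed by the JSON body.
    Models the one property that matters here: nobody without `key` can produce
    or alter the blob undetected. Real Kerberos encryption also hides the content."""
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body


def unseal(key: bytes, blob: bytes) -> dict:
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(body)


@dataclass
class KdcRep:
    # Ticket header: plaintext, readable and rewritable by anyone on the path.
    ticket_realm: str
    ticket_sname: str
    ticket_enc_part: bytes  # sealed under the service's long-term key
    enc_part: bytes         # EncKDCRepPart, sealed under the client's key


def kdc_issue(client_key: bytes, sname: str, service_key: bytes) -> KdcRep:
    """Constructed KDC: issues a ticket for whichever service name it is given."""
    session_key = os.urandom(16)
    ticket_enc = seal(service_key, {"cname": "alice", "session_key": session_key.hex()})
    enc_part = seal(client_key, {"srealm": REALM, "sname": sname,
                                 "session_key": session_key.hex()})
    return KdcRep(REALM, sname, ticket_enc, enc_part)


def vulnerable_extract(client_key: bytes, rep: KdcRep) -> dict:
    enc = unseal(client_key, rep.enc_part)
    # Defect modelled after CVE-2017-11103: the cached credential is named after
    # the unauthenticated Ticket header rather than the authenticated EncKDCRepPart.
    return {"server": f"{rep.ticket_sname}@{rep.ticket_realm}",
            "session_key": bytes.fromhex(enc["session_key"]),
            "ticket": rep.ticket_enc_part}


def fixed_extract(client_key: bytes, requested: str, rep: KdcRep) -> dict:
    enc = unseal(client_key, rep.enc_part)
    # Fixed behaviour: take the name from the authenticated part only, and refuse
    # a reply that is not for the principal the client actually asked for.
    server = f"{enc['sname']}@{enc['srealm']}"
    if server != requested:
        raise ValueError(f"KDC-REP is for {server}, not the requested {requested}")
    return {"server": server,
            "session_key": bytes.fromhex(enc["session_key"]),
            "ticket": rep.ticket_enc_part}


def run_scenario() -> dict:
    client_key = os.urandom(16)
    fileserver_key = os.urandom(16)    # key of cifs/fileserver, unknown to the attacker
    attacker_svc_key = os.urandom(16)  # key of host/attacker, known to the attacker
    requested = "cifs/fileserver.example.com@EXAMPLE.COM"

    # Assumption (not on the page): the on-path attacker has the KDC answer the
    # victim's request with a genuine reply for the attacker's own service.
    genuine = kdc_issue(client_key, "host/attacker.example.com", attacker_svc_key)
    # The attacker then relabels the unauthenticated header to what the victim asked for.
    tampered = KdcRep(REALM, "cifs/fileserver.example.com",
                      genuine.ticket_enc_part, genuine.enc_part)

    result = {}
    creds = vulnerable_extract(client_key, tampered)
    result["vulnerable_label"] = creds["server"]
    # The ticket is sealed under a key the attacker holds, so the attacker can read
    # the session key the victim will use with what it believes is the file server.
    attacker_view = unseal(attacker_svc_key, creds["ticket"])
    result["attacker_learns_session_key"] = (
        bytes.fromhex(attacker_view["session_key"]) == creds["session_key"])

    try:
        fixed_extract(client_key, requested, tampered)
        result["fixed_rejected"] = False
    except ValueError:
        result["fixed_rejected"] = True

    honest = kdc_issue(client_key, "cifs/fileserver.example.com", fileserver_key)
    result["fixed_accepts_honest"] = (
        fixed_extract(client_key, requested, honest)["server"] == requested)
    return result


if __name__ == "__main__":
    print(run_scenario())
```

The point to take from the model is which copy of the name the client trusts: the Ticket header is meant for the service and is never authenticated to the client, so any name decision on the client side has to come from the part sealed under the client's own key.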
