[Pkg-samba-maint] Bug#987308: cifs-utils: CVE-2021-20208: cifs.upcall kerberos auth leak in container

Salvatore Bonaccorso carnil at debian.org
Wed Apr 21 12:30:05 BST 2021


Source: cifs-utils
Version: 2:6.11-2
Severity: important
Tags: security upstream
Forwarded: https://bugzilla.samba.org/show_bug.cgi?id=14651
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for cifs-utils.

CVE-2021-20208[0]:
| A flaw was found in cifs-utils in versions before 6.13. A user when
| mounting a krb5 CIFS file system from within a container can use
| Kerberos credentials of the host. The highest threat from this
| vulnerability is to data confidentiality and integrity.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-20208
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20208
[1] https://bugzilla.samba.org/show_bug.cgi?id=14651
[2] https://lists.samba.org/archive/samba-technical/2021-April/136467.html
[3] https://git.samba.org/cifs-utils.git/?p=cifs-utils.git;a=commit;h=e461afd8cfa6d0781ae0c5c10e89b6ef1ca6da32

Regards,
Salvatore



More information about the Pkg-samba-maint mailing list