| Description: | Samba is an open-source implementation of the Server Message Block (SMB) orCommon Internet File System (CIFS) protocol, which allows PC-compatiblemachines to share files, printers, and other information.It was discovered that the Samba Web Administration Tool (SWAT) did notprotect against being opened in a web page frame. A remote attacker couldpossibly use this flaw to conduct a clickjacking attack against SWAT usersor users with an active SWAT session. (CVE-2013-0213)A flaw was found in the Cross-Site Request Forgery (CSRF) protectionmechanism implemented in SWAT. An attacker with the knowledge of a victim'spassword could use this flaw to bypass CSRF protections and conduct a CSRFattack against the victim SWAT user. (CVE-2013-0214)An integer overflow flaw was found in the way Samba handled an ExtendedAttribute (EA) list provided by a client. A malicious client could send aspecially crafted EA list that triggered an overflow, causing the server toloop and reprocess the list using an excessive amount of memory.(CVE-2013-4124)Note: This issue did not affect the default configuration of the Sambaserver.Red Hat would like to thank the Samba project for reporting CVE-2013-0213and CVE-2013-0214. Upstream acknowledges Jann Horn as the original reporterof CVE-2013-0213 and CVE-2013-0214.All users of Samba are advised to upgrade to these updated packages, whichcontain backported patches to correct these issues. After installing thisupdate, the smb service will be restarted automatically. |