Bug 849224 - (CVE-2013-4496) VUL-0: CVE-2013-4496: samba: Password lockout not enforced for SAMR password changes
Status: RESOLVED FIXED
Duplicates: 866844
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware/OS: Other / Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
Whiteboard: maint:released:sle11-sp1:56655 maint:...
Reported: 2013-11-06 15:46 UTC by Marcus Meissner
Modified: 2016-04-20 10:11 UTC (History)
Comment 9 Marcus Meissner 2014-03-12 10:06:43 UTC
is public

http://www.samba.org/samba/history/samba-4.1.6.html

CVE-2013-4496:
   Samba versions 3.4.0 and above allow the administrator to implement
   locking out Samba accounts after a number of bad password attempts.

   However, all released versions of Samba did not implement this check for
   password changes, such as are available over multiple SAMR and RAP
   interfaces, allowing password guessing attacks.
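The defect described in the release note is a policy gap rather than a memory bug: the bad-password counter and lockout state were consulted on logon but not on the password-change paths, which also verify a password. The following is an added, self-contained illustration of that gap and of the fix; it is not Samba's code and does not model the SAMR or RAP wire protocols. The account names, the toy SHA-256 "hash", and the policy values `LOCKOUT_THRESHOLD` and `LOCKOUT_DURATION_S` are all constructed for the example.

```python
"""Added illustration (not Samba code): a lockout policy has to cover every
path that verifies a password, including password changes, not just logon.
All names, hashes and policy values below are constructed for the example."""
from dataclasses import dataclass
import hashlib
import hmac

LOCKOUT_THRESHOLD = 3        # bad attempts before the account locks (constructed)
LOCKOUT_DURATION_S = 1800    # seconds an account stays locked (constructed)


def _hash(pw: str) -> bytes:
    # Toy digest for the example only; a real store holds NT hashes or a proper KDF output.
    return hashlib.sha256(pw.encode()).digest()


@dataclass
class Account:
    name: str
    pw_hash: bytes
    bad_count: int = 0
    locked_until: float = 0.0

    def is_locked(self, now: float) -> bool:
        return now < self.locked_until

    def record_failure(self, now: float) -> None:
        self.bad_count += 1
        if self.bad_count >= LOCKOUT_THRESHOLD:
            self.locked_until = now + LOCKOUT_DURATION_S

    def record_success(self) -> None:
        self.bad_count = 0


def logon(acct: Account, password: str, now: float) -> str:
    """Logon path: lockout is checked and the bad-password counter is maintained."""
    if acct.is_locked(now):
        return "locked"
    if hmac.compare_digest(acct.pw_hash, _hash(password)):
        acct.record_success()
        return "ok"
    acct.record_failure(now)
    return "bad_password"


def change_password_unchecked(acct: Account, old_pw: str, new_pw: str, now: float) -> str:
    """Models the pre-fix behaviour: the old password is verified, but neither the
    lockout state nor the bad-password counter is consulted or updated."""
    if not hmac.compare_digest(acct.pw_hash, _hash(old_pw)):
        return "bad_password"
    acct.pw_hash = _hash(new_pw)
    return "ok"


def change_password_checked(acct: Account, old_pw: str, new_pw: str, now: float) -> str:
    """Hardened: the change path applies exactly the same lockout policy as logon."""
    if acct.is_locked(now):
        return "locked"
    if not hmac.compare_digest(acct.pw_hash, _hash(old_pw)):
        acct.record_failure(now)
        return "bad_password"
    acct.record_success()
    acct.pw_hash = _hash(new_pw)
    return "ok"


def _lock_via_logon(acct: Account, now: float) -> None:
    for _ in range(LOCKOUT_THRESHOLD):
        logon(acct, "wrong guess", now)


def demo() -> dict:
    """Runs both handlers against constructed accounts and returns the observations."""
    now, r = 0.0, {}
    a = Account("alice", _hash("correct horse"))
    _lock_via_logon(a, now)
    r["logon_after_lockout"] = logon(a, "correct horse", now)          # "locked"
    before = a.bad_count
    r["unchecked_wrong"] = change_password_unchecked(a, "wrong guess", "new", now)
    r["unchecked_counts_failure"] = a.bad_count > before              # False: guesses are free
    r["unchecked_right"] = change_password_unchecked(a, "correct horse", "new", now)  # "ok" despite lockout
    b = Account("bob", _hash("correct horse"))
    _lock_via_logon(b, now)
    r["checked_right_while_locked"] = change_password_checked(b, "correct horse", "new", now)  # "locked"
    r["checked_after_expiry"] = change_password_checked(b, "correct horse", "new", now + LOCKOUT_DURATION_S)
    c = Account("carol", _hash("correct horse"))
    for _ in range(LOCKOUT_THRESHOLD):
        change_password_checked(c, "wrong guess", "new", now)
    r["checked_guesses_lock"] = c.is_locked(now)                      # True: change failures count too
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the checked variant makes is that lockout is a property of the account, not of one RPC: every operation that answers "right password / wrong password" must both honour the locked state and feed the counter, otherwise the policy configured with the lockout settings only narrows the guessing surface instead of closing it.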
Comment 10 Marcus Meissner 2014-03-12 10:39:24 UTC
*** Bug 866844 has been marked as a duplicate of this bug. ***
Comment 11 Bernhard Wiedemann 2014-03-12 11:01:29 UTC
This is an autogenerated message for OBS integration:
This bug (849224) was mentioned in
https://build.opensuse.org/request/show/225655 13.1 / samba
https://build.opensuse.org/request/show/225656 12.3 / samba
Comment 13 Bernhard Wiedemann 2014-03-12 15:01:29 UTC
This is an autogenerated message for OBS integration:
This bug (849224) was mentioned in
https://build.opensuse.org/request/show/225704 12.3 / samba
https://build.opensuse.org/request/show/225706 13.1 / samba
Comment 15 Bernhard Wiedemann 2014-03-12 16:00:25 UTC
This is an autogenerated message for OBS integration:
This bug (849224) was mentioned in
https://build.opensuse.org/request/show/225717 Factory / samba
Comment 16 Swamp Workflow Management 2014-03-20 07:06:13 UTC
openSUSE-SU-2014:0404-1: An update that solves two vulnerabilities and has 21 fixes is now available.

Category: security (moderate)
Bug References: 437293,726937,786677,844307,846586,849224,855866,856759,857454,860648,860809,860832,861135,862370,862558,863079,863748,865095,865397,865561,865641,865771,867665
CVE References: CVE-2013-4496,CVE-2013-6442
Sources used:
openSUSE 13.1 (src):    samba-4.1.6-3.18.1
Comment 17 Swamp Workflow Management 2014-03-20 07:11:57 UTC
openSUSE-SU-2014:0405-1: An update that solves three vulnerabilities and has 9 fixes is now available.

Category: security (moderate)
Bug References: 437293,741623,755663,786677,844307,844720,849224,853021,853347,854520,863748,865561
CVE References: CVE-2012-6150,CVE-2013-4408,CVE-2013-4496
Sources used:
openSUSE 12.3 (src):    samba-3.6.12-59.19.1, samba-doc-3.6.12-59.19.1
Comment 18 Swamp Workflow Management 2014-04-08 15:04:22 UTC
Update released for: cifs-mount, ldapsmb, libnetapi-devel, libnetapi0, libsmbclient-devel, libsmbclient0, libsmbsharemodes-devel, libsmbsharemodes0, libtalloc-devel, libtalloc1, libtdb-devel, libtdb1, libwbclient-devel, libwbclient0, samba, samba-client, samba-debuginfo, samba-debugsource, samba-devel, samba-doc, samba-krb-printing, samba-vscan, samba-winbind
Products:
SLE-DEBUGINFO 11-SP1-TERADATA (x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 19 Swamp Workflow Management 2014-04-08 17:53:08 UTC
Update released for: cifs-mount, ldapsmb, libldb-devel, libldb1, libldb1-32bit, libldb1-64bit, libldb1-x86, libnetapi-devel, libnetapi0, libsmbclient-devel, libsmbclient0, libsmbclient0-32bit, libsmbclient0-64bit, libsmbclient0-x86, libsmbsharemodes-devel, libsmbsharemodes0, libtalloc-devel, libtalloc1, libtalloc1-32bit, libtalloc1-64bit, libtalloc1-x86, libtalloc2, libtalloc2-32bit, libtalloc2-64bit, libtalloc2-x86, libtdb-devel, libtdb1, libtdb1-32bit, libtdb1-64bit, libtdb1-x86, libtevent-devel, libtevent0, libtevent0-32bit, libtevent0-64bit, libtevent0-x86, libwbclient-devel, libwbclient0, libwbclient0-32bit, libwbclient0-64bit, libwbclient0-x86, samba, samba-32bit, samba-64bit, samba-client, samba-client-32bit, samba-client-64bit, samba-client-x86, samba-debuginfo, samba-debuginfo-32bit, samba-debuginfo-64bit, samba-debuginfo-x86, samba-debugsource, samba-devel, samba-doc, samba-krb-printing, samba-vscan, samba-winbind, samba-winbind-32bit, samba-winbind-64bit, samba-winbind-x86, samba-x86
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
Comment 20 Swamp Workflow Management 2014-04-08 21:05:49 UTC
SUSE-SU-2014:0497-1: An update that solves one vulnerability and has 6 fixes is now available.

Category: security (important)
Bug References: 726937,786677,844307,847009,849224,863748,865561
CVE References: CVE-2013-4496
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    samba-3.6.3-0.50.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    samba-3.6.3-0.50.1, samba-doc-3.6.3-0.50.1
SUSE Linux Enterprise Server 11 SP3 (src):    samba-3.6.3-0.50.1, samba-doc-3.6.3-0.50.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    samba-3.6.3-0.50.1, samba-doc-3.6.3-0.50.1
Comment 21 Alexander Bergmann 2014-04-09 07:48:15 UTC
Fixed and released. Closing bug.
Comment 22 Swamp Workflow Management 2014-05-28 14:50:38 UTC
Update released for: cifs-mount, ldapsmb, libnetapi-devel, libnetapi0, libsmbclient-devel, libsmbclient0, libsmbclient0-32bit, libsmbclient0-x86, libsmbsharemodes-devel, libsmbsharemodes0, libtalloc-devel, libtalloc1, libtalloc1-32bit, libtalloc1-x86, libtdb-devel, libtdb1, libtdb1-32bit, libtdb1-x86, libwbclient-devel, libwbclient0, libwbclient0-32bit, libwbclient0-x86, samba, samba-32bit, samba-client, samba-client-32bit, samba-client-x86, samba-debuginfo, samba-debuginfo-32bit, samba-debuginfo-x86, samba-debugsource, samba-devel, samba-doc, samba-krb-printing, samba-vscan, samba-winbind, samba-winbind-32bit, samba-winbind-x86, samba-x86
Products:
SLE-DEBUGINFO 11-SP1 (i386, s390x, x86_64)
SLE-SERVER 11-SP1-LTSS (i386, s390x, x86_64)
Comment 23 Swamp Workflow Management 2014-05-28 18:05:29 UTC
SUSE-SU-2014:0723-1: An update that solves 6 vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 783384,799641,800982,829969,844720,849224,853021,853347
CVE References: CVE-2012-6150,CVE-2013-0213,CVE-2013-0214,CVE-2013-4124,CVE-2013-4408,CVE-2013-4496
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    samba-3.4.3-1.52.3, samba-doc-3.4.3-1.52.3
Comment 26 Swamp Workflow Management 2014-07-15 20:00:53 UTC
Update released for: cifs-mount, ldapsmb, libldb-devel, libldb1, libldb1-32bit, libldb1-x86, libnetapi-devel, libnetapi0, libsmbclient-devel, libsmbclient0, libsmbclient0-32bit, libsmbclient0-x86, libsmbsharemodes-devel, libsmbsharemodes0, libtalloc-devel, libtalloc1, libtalloc1-32bit, libtalloc1-x86, libtalloc2, libtalloc2-32bit, libtalloc2-x86, libtdb-devel, libtdb1, libtdb1-32bit, libtdb1-x86, libtevent-devel, libtevent0, libtevent0-32bit, libtevent0-x86, libwbclient-devel, libwbclient0, libwbclient0-32bit, libwbclient0-x86, samba, samba-32bit, samba-client, samba-client-32bit, samba-client-x86, samba-debuginfo, samba-debuginfo-32bit, samba-debuginfo-x86, samba-debugsource, samba-devel, samba-doc, samba-krb-printing, samba-vscan, samba-winbind, samba-winbind-32bit, samba-winbind-x86, samba-x86
Products:
SLE-DEBUGINFO 11-SP2 (i386, s390x, x86_64)
SLE-SERVER 11-SP2-LTSS (i386, s390x, x86_64)
Comment 27 Swamp Workflow Management 2014-07-15 23:08:50 UTC
SUSE-SU-2014:0901-1: An update that solves four vulnerabilities and has 7 fixes is now available.

Category: security (moderate)
Bug References: 437293,726937,786677,844307,849224,863748,865561,872396,879390,880962,883758
CVE References: CVE-2013-4496,CVE-2014-0178,CVE-2014-0244,CVE-2014-3493
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    samba-3.4.3-1.54.4, samba-3.6.3-0.33.41.2, samba-doc-3.6.3-0.33.41.2
Comment 28 Swamp Workflow Management 2016-04-20 10:08:12 UTC
openSUSE-SU-2016:1106-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 844720,849224,853347,917376,936862,958582,958583,958584,958586,968222,971965,973031,973032,973033,973034,973035,973036
CVE References: CVE-2012-6150,CVE-2013-4408,CVE-2013-4496,CVE-2015-0240,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-5370,CVE-2015-7560,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2114,CVE-2016-2115,CVE-2016-2118
Sources used:
openSUSE 13.1 (src):    samba-4.2.4-3.54.2
Comment 29 Swamp Workflow Management 2016-04-20 10:11:29 UTC
openSUSE-SU-2016:1107-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 844720,849224,853347,917376,936862,958582,958583,958584,958586,968222,971965,973031,973032,973033,973034,973035,973036
CVE References: CVE-2012-6150,CVE-2013-4408,CVE-2013-4496,CVE-2015-0240,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-5370,CVE-2015-7560,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2114,CVE-2016-2115,CVE-2016-2118
Sources used:
openSUSE Evergreen 11.4 (src):    samba-3.6.3-141.1, samba-doc-3.6.3-141.1