CVE-2012-2111

Name: CVE-2012-2111
Description: The (1) CreateAccount, (2) OpenAccount, (3) AddAccountRights, and (4) RemoveAccountRights LSA RPC procedures in smbd in Samba 3.4.x before 3.4.17, 3.5.x before 3.5.15, and 3.6.x before 3.6.5 do not properly restrict modifications to the privileges database, which allows remote authenticated users to obtain the "take ownership" privilege via an LSA connection.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DSA-2463-1
NVD severity: medium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| samba (PTS) | jessie, jessie (security) | 2:4.2.14+dfsg-0+deb8u9 | fixed |
| samba (PTS) | stretch, stretch (security) | 2:4.5.12+dfsg-2+deb9u2 | fixed |
| samba (PTS) | buster, sid | 2:4.8.2+dfsg-2 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| samba | source | (unstable) | 2:3.6.5-1 | medium | | |
| samba | source | squeeze | 2:3.5.6~dfsg-3squeeze8 | medium | DSA-2463-1 | |

Notes

http://www.samba.org/samba/history/samba-3.6.5.html
According to the release notes, Samba 3.4.x to 3.6.4 are affected.
