CVE-2013-0172

NameCVE-2013-0172
DescriptionSamba 4.0.x before 4.0.1, in certain Active Directory domain-controller configurations, does not properly interpret Access Control Entries that are based on an objectClass, which allows remote authenticated users to bypass intended restrictions on modifying LDAP directory objects by leveraging (1) objectClass access by a user, (2) objectClass access by a group, or (3) write access to an attribute.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs699188

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
samba (PTS)bullseye (security), bullseye2:4.13.13+dfsg-1~deb11u6fixed
bookworm2:4.17.12+dfsg-0+deb12u2fixed
bookworm (security)2:4.17.12+dfsg-0+deb12u1fixed
trixie2:4.22.4+dfsg-1~deb13u1fixed
forky2:4.23.0+dfsg-2fixed
sid2:4.23.0+dfsg-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
sambasource(unstable)(not affected)
samba4source(unstable)4.0.0~beta2+dfsg1-3.1high699188

Notes

- samba <not-affected> (Only affects Active Directory functionality)
https://lists.samba.org/archive/samba-technical/2013-January/089911.html
Search for package or bug name: Reporting problems