| Name | CVE-2015-3223 |
| Description | The ldb_wildcard_compare function in ldb_match.c in ldb before 1.1.24, as used in the AD LDAP server in Samba 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3, mishandles certain zero values, which allows remote attackers to cause a denial of service (infinite loop) via crafted packets. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DSA-3433-1 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| ldb (PTS) | bullseye (security), bullseye | 2:2.2.3-2~deb11u2 | fixed |
| samba (PTS) | bullseye (security), bullseye | 2:4.13.13+dfsg-1~deb11u6 | fixed |
| bookworm, bookworm (security) | 2:4.17.12+dfsg-0+deb12u1 | fixed |
| trixie | 2:4.20.2+dfsg-7 | fixed |
| sid | 2:4.20.2+dfsg-10 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| ldb | source | jessie | 2:1.1.17-2+deb8u1 | | | |
| ldb | source | (unstable) | 2:1.1.24-1 | | | |
| samba | source | squeeze | (not affected) | | | |
| samba | source | wheezy | 2:3.6.6-6+deb7u6 | | DSA-3433-1 | |
| samba | source | jessie | 2:4.1.17+dfsg-2+deb8u1 | | DSA-3433-1 | |
| samba | source | (unstable) | 2:4.1.22+dfsg-1 | | | |
Notes
[wheezy] - samba <not-affected> (Only affects 4.0.0 to 4.3.2)
[squeeze] - samba <not-affected> (Only affects 4.0.0 to 4.3.2)
[wheezy] - ldb <no-dsa> (Minor issue, only relevant in conjunction with Samba 4, which isn't in wheezy)
[squeeze] - ldb <no-dsa> (Minor issue)
https://www.samba.org/samba/security/CVE-2015-3223.html
https://git.samba.org/?p=samba.git;a=commit;h=fb456954f332c07a645226d59b3b00ec252f8b26 (v4-1-stable)
https://git.samba.org/?p=samba.git;a=commit;h=bb1b783ee9d7259cfc6a1fe882f22189747f8684 (v4-1-stable)
Samba update needs as well fixed ldb