CVE-2016-2112

NameCVE-2016-2112
DescriptionThe bundled LDAP client library in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not recognize the "client ldap sasl wrapping" setting, which allows man-in-the-middle attackers to perform LDAP protocol-downgrade attacks by modifying the client-server data stream.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-3548-1
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
samba (PTS)wheezy2:3.6.6-6+deb7u7vulnerable
wheezy (security)2:3.6.6-6+deb7u15fixed
jessie (security), jessie2:4.2.14+dfsg-0+deb8u9fixed
stretch (security), stretch2:4.5.12+dfsg-2+deb9u1fixed
buster, sid2:4.7.3+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
sambasource(unstable)2:4.3.7+dfsg-1medium
sambasourcejessie2:4.2.10+dfsg-0+deb8u1mediumDSA-3548-1
sambasourcewheezy2:3.6.6-6+deb7u9mediumDSA-3548-1

Notes

https://www.samba.org/samba/security/CVE-2016-2112.html

Search for package or bug name: Reporting problems