CVE-2016-2113

NameCVE-2016-2113
DescriptionSamba 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not verify X.509 certificates from TLS servers, which allows man-in-the-middle attackers to spoof LDAPS and HTTPS servers and obtain sensitive information via a crafted certificate.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-3548-1
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
samba (PTS)wheezy2:3.6.6-6+deb7u7vulnerable
wheezy (security)2:3.6.6-6+deb7u14fixed
jessie2:4.2.14+dfsg-0+deb8u6fixed
jessie (security)2:4.2.14+dfsg-0+deb8u8fixed
stretch2:4.5.12+dfsg-2fixed
stretch (security)2:4.5.8+dfsg-2+deb9u2fixed
buster, sid2:4.6.7+dfsg-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
sambasource(unstable)2:4.3.7+dfsg-1medium
sambasourcejessie2:4.2.10+dfsg-0+deb8u1mediumDSA-3548-1
sambasourcewheezy2:3.6.6-6+deb7u9mediumDSA-3548-1

Notes

[wheezy] - samba <not-affected> (Affects Samba 4.0.0 to 4.4.0)
https://www.samba.org/samba/security/CVE-2016-2113.html

Search for package or bug name: Reporting problems