CVE-2020-10704

NameCVE-2020-10704
DescriptionA flaw was found when using samba as an Active Directory Domain Controller. Due to the way samba handles certain requests as an Active Directory Domain Controller LDAP server, an unauthorized user can cause a stack overflow leading to a denial of service. The highest threat from this vulnerability is to system availability. This issue affects all samba versions before 4.10.15, before 4.11.8 and before 4.12.2.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium
Debian Bugs960188

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
samba (PTS)jessie2:4.2.14+dfsg-0+deb8u9vulnerable
jessie (security)2:4.2.14+dfsg-0+deb8u13vulnerable
stretch (security), stretch2:4.5.16+dfsg-1+deb9u2vulnerable
buster2:4.9.5+dfsg-5vulnerable
buster (security)2:4.9.5+dfsg-5+deb10u1vulnerable
bullseye, sid2:4.11.5+dfsg-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
sambasource(unstable)(unfixed)960188

Notes

[buster] - samba <postponed> (Can be fixed along in future DSA)
[stretch] - samba <postponed> (Can be fixed along in future DSA)
[jessie] - samba <postponed> (Minor issue and the patch is very invisible, eg. http://paste.debian.net/plain/1143919 is not even complete)
https://bugzilla.samba.org/show_bug.cgi?id=14334
https://www.samba.org/samba/security/CVE-2020-10704.html

Search for package or bug name: Reporting problems