CVE-2013-4496: Samba - Release Notes Archive
Samba 3.x before 3.6.23, 4.0.x before 4.0.16, and 4.1.x before 4.1.6 does not enforce the password-guessing protection mechanism for all interfaces, which makes it easier for remote attackers to obtain access via brute-force ChangePasswordUser2 (1) SAMR or (2) RAP attempts.
Samba 4.1.6 Available for Download
=============================
Release Notes for Samba 4.1.6
March 11, 2014
=============================
This is a security release in order to address CVE-2013-4496 (Password lockout not enforced for SAMR password changes) and CVE-2013-6442 (smbcacls can remove a file or directory ACL by mistake).
o CVE-2013-4496: Samba versions 3.4.0 and above allow the administrator to lock out Samba accounts after a number of bad password attempts.
However, no released version of Samba applied this check to password-change requests, which are available over several SAMR and RAP interfaces, so those paths allowed password-guessing attacks.
o CVE-2013-6442: Samba versions 4.0.0 and above have a flaw in the smbcacls command. If smbcacls is used with the "-C|--chown name" or "-G|--chgrp name" command options it will remove the existing ACL on the object being modified, leaving the file or directory unprotected.
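An added check script, not part of the Samba release notes or the project's own tooling, that decides whether an installed Samba version carries these fixes and, because the CVE-2013-4496 fix only has effect when a lockout policy is configured, reads the "bad lockout attempt" account policy with pdbedit. It assumes `smbd -V` prints "Version X.Y.Z" and that branches released after 4.1 (4.2 and later) contain the fix.

```shell
#!/bin/sh
# Added example (not from the Samba release notes).
# samba_is_fixed VERSION: exit 0 if VERSION is at or above the fixed release for
# its branch (3.6.23, 4.0.16, 4.1.6), 1 if vulnerable, 2 if not a major.minor.patch
# string. Later branches (4.2+) are assumed to contain the fix.
samba_is_fixed() {
    # keep only the leading digits-and-dots part ("4.1.6-Debian" -> "4.1.6")
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    case "$v" in
        *.*.*) ;;
        *) return 2 ;;
    esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%.*}
    if [ "$major" -gt 4 ]; then return 0; fi
    if [ "$major" -eq 4 ]; then
        if [ "$minor" -ge 2 ]; then return 0; fi
        if [ "$minor" -eq 1 ] && [ "$patch" -ge 6 ]; then return 0; fi
        if [ "$minor" -eq 0 ] && [ "$patch" -ge 16 ]; then return 0; fi
        return 1
    fi
    # 3.x: only the 3.6 branch received the fix (3.6.23)
    if [ "$major" -eq 3 ] && [ "$minor" -eq 6 ] && [ "$patch" -ge 23 ]; then return 0; fi
    return 1
}

# Report on the local host: version status, then the lockout policy value, since
# the SAMR password-change fix changes nothing while "bad lockout attempt" is 0.
check_host() {
    if ! command -v smbd >/dev/null 2>&1; then
        echo "smbd not found; nothing to check"
        return 0
    fi
    ver=$(smbd -V | awk '{print $2}')
    rc=0
    samba_is_fixed "$ver" || rc=$?
    case "$rc" in
        0) echo "Samba $ver: contains the CVE-2013-4496 / CVE-2013-6442 fixes" ;;
        1) echo "Samba $ver: VULNERABLE, upgrade to 3.6.23 / 4.0.16 / 4.1.6 or later" ;;
        *) echo "Samba version string '$ver' not understood" ;;
    esac
    if command -v pdbedit >/dev/null 2>&1; then
        # pdbedit -P prints the current value of a named account policy (needs root)
        pdbedit -P "bad lockout attempt" 2>/dev/null || echo "could not read lockout policy (run as root)"
    fi
}

check_host
```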
Changes since 4.1.5:
o Jeremy Allison <jra@samba.org>
    * BUG 10327: CVE-2013-6442: ensure we don't lose an existing ACL when setting owner or group owner.
o Andrew Bartlett <abartlet@samba.org>
    * BUG 10245: CVE-2013-4496: Enforce password lockout for SAMR password changes.
o Stefan Metzmacher <metze@samba.org>
    * BUG 10245: CVE-2013-4496: Enforce password lockout for SAMR password changes.