---
- branch: MAIN
  date: Wed Jan 30 11:41:44 UTC 2013
  files:
  - new: '1.26'
    old: '1.25'
    path: pkgsrc/net/samba35/Makefile
    pathrev: pkgsrc/net/samba35/Makefile@1.26
    type: modified
  - new: '1.15'
    old: '1.14'
    path: pkgsrc/net/samba35/distinfo
    pathrev: pkgsrc/net/samba35/distinfo@1.15
    type: modified
  id: 20130130T114144Z.d4f51fa3e3cec1efe1a3f7fbd613bba7e0780121
  log: "Update samba35 to 3.5.21.\n\n                   ==============================\n
    \                  Release Notes for Samba 3.5.21\n\t\t\t January 30, 2013\n                   ==============================\n\nThis
    is a security release in order to address\nCVE-2013-0213 (Clickjacking issue in
    SWAT) and\nCVE-2013-0214 (Potential XSRF in SWAT).\n\no  CVE-2013-0213:\n   All
    current released versions of Samba are vulnerable to clickjacking in the\n   Samba
    Web Administration Tool (SWAT). When the SWAT pages are integrated into\n   a
    malicious web page via a frame or iframe and then overlaid by other content,\n
    \  an attacker could trick an administrator to potentially change Samba settings.\n\n
    \  In order to be vulnerable, SWAT must have been installed and enabled\n   either
    as a standalone server launched from inetd or xinetd, or as a\n   CGI plugin to
    Apache. If SWAT has not been installed or enabled (which\n   is the default install
    state for Samba) this advisory can be ignored.\n\no  CVE-2013-0214:\n   All current
    released versions of Samba are vulnerable to a cross-site\n   request forgery
    in the Samba Web Administration Tool (SWAT). By guessing a\n   user's password
    and then tricking a user who is authenticated with SWAT into\n   clicking a manipulated
    URL on a different web page, it is possible to manipulate\n   SWAT.\n\n   In order
    to be vulnerable, the attacker needs to know the victim's password.\n   Additionally
    SWAT must have been installed and enabled either as a standalone\n   server launched
    from inetd or xinetd, or as a CGI plugin to Apache. If SWAT has\n   not been installed
    or enabled (which is the default install state for Samba)\n   this advisory can
    be ignored.\n\nChanges since 3.5.20:\n---------------------\n\no   Kai Blin <kai@samba.org>\n
    \   * BUG 9576: CVE-2013-0213: Fix clickjacking issue in SWAT.\n    * BUG 9577:
    CVE-2013-0214: Fix potential XSRF in SWAT.\n"
  module: pkgsrc
  subject: 'CVS commit: pkgsrc/net/samba35'
  unixtime: '1359546104'
  user: taca