---
- branch: pkgsrc-2012Q4
  date: Sat Feb 2 10:12:23 UTC 2013
  files:
  - new: 1.226.2.1
    old: '1.226'
    path: pkgsrc/net/samba/Makefile
    pathrev: pkgsrc/net/samba/Makefile@1.226.2.1
    type: modified
  - new: 1.87.2.1
    old: '1.87'
    path: pkgsrc/net/samba/distinfo
    pathrev: pkgsrc/net/samba/distinfo@1.87.2.1
    type: modified
  id: 20130202T101223Z.eb9ce34b871ae6a74e0f817b7a6d30b7e82ee915
  log: |
    Pullup ticket #4054 - requested by taca
    net/samba: security update

    Revisions pulled up:
    - net/samba/Makefile 1.228 via patch
    - net/samba/distinfo 1.88

    ---
     Module Name:    pkgsrc
     Committed By:   taca
     Date:           Wed Jan 30 11:42:55 UTC 2013

     Modified Files:
         pkgsrc/net/samba: Makefile distinfo

     Log Message:
     Update samba to 3.6.12.

     ==============================
     Release Notes for Samba 3.6.12
     January 30, 2013
     ==============================

     This is a security release in order to address
     CVE-2013-0213 (Clickjacking issue in SWAT) and
     CVE-2013-0214 (Potential XSRF in SWAT).

     o CVE-2013-0213:
     All current released versions of Samba are vulnerable to clickjacking in the
     Samba Web Administration Tool (SWAT). When the SWAT pages are integrated into
     a malicious web page via a frame or iframe and then overlaid by other content,
     an attacker could trick an administrator to potentially change Samba settings.

     In order to be vulnerable, SWAT must have been installed and enabled
     either as a standalone server launched from inetd or xinetd, or as a
     CGI plugin to Apache. If SWAT has not been installed or enabled (which
     is the default install state for Samba) this advisory can be ignored.

     o CVE-2013-0214:
     All current released versions of Samba are vulnerable to a cross-site
     request forgery in the Samba Web Administration Tool (SWAT). By guessing a
     user's password and then tricking a user who is authenticated with SWAT into
     clicking a manipulated URL on a different web page, it is possible to manipulate
     SWAT.

     In order to be vulnerable, the attacker needs to know the victim's password.
     Additionally SWAT must have been installed and enabled either as a standalone
     server launched from inetd or xinetd, or as a CGI plugin to Apache. If SWAT has
     not been installed or enabled (which is the default install state for Samba)
     this advisory can be ignored.

     Changes since 3.6.11:
     --------------------

     o Kai Blin
     * BUG 9576: CVE-2013-0213: Fix clickjacking issue in SWAT.
     * BUG 9577: CVE-2013-0214: Fix potential XSRF in SWAT.
  module: pkgsrc
  subject: 'CVS commit: [pkgsrc-2012Q4] pkgsrc/net/samba'
  unixtime: '1359799943'
  user: tron