Date: Wed, 30 Jan 2013 11:41:44 +0000
From: "Takahiro Kambe" <taca@netbsd.org>
Subject: CVS commit: pkgsrc/net/samba35
To: pkgsrc-changes@NetBSD.org
Reply-To: taca@netbsd.org
Message-Id: <20130130114144.EE66F175DD@cvs.netbsd.org>
List-Id: pkgsrc-changes.NetBSD.org

Module Name:	pkgsrc
Committed By:	taca
Date:		Wed Jan 30 11:41:44 UTC 2013

Modified Files:
	pkgsrc/net/samba35: Makefile distinfo

Log Message:
Update samba35 to 3.5.21.

                   ==============================
                   Release Notes for Samba 3.5.21
                           January 30, 2013
                   ==============================

This is a security release in order to address CVE-2013-0213
(Clickjacking issue in SWAT) and CVE-2013-0214 (Potential XSRF in SWAT).

o  CVE-2013-0213:
   All current released versions of Samba are vulnerable to clickjacking
   in the Samba Web Administration Tool (SWAT).
   When the SWAT pages are integrated into a malicious web page via a
   frame or iframe and then overlaid by other content, an attacker could
   trick an administrator to potentially change Samba settings.

   In order to be vulnerable, SWAT must have been installed and enabled
   either as a standalone server launched from inetd or xinetd, or as a
   CGI plugin to Apache. If SWAT has not been installed or enabled (which
   is the default install state for Samba) this advisory can be ignored.

o  CVE-2013-0214:
   All current released versions of Samba are vulnerable to a cross-site
   request forgery in the Samba Web Administration Tool (SWAT). By
   guessing a user's password and then tricking a user who is
   authenticated with SWAT into clicking a manipulated URL on a different
   web page, it is possible to manipulate SWAT.

   In order to be vulnerable, the attacker needs to know the victim's
   password. Additionally, SWAT must have been installed and enabled
   either as a standalone server launched from inetd or xinetd, or as a
   CGI plugin to Apache. If SWAT has not been installed or enabled (which
   is the default install state for Samba) this advisory can be ignored.

Changes since 3.5.20:
---------------------

o   Kai Blin <kai@samba.org>
    * BUG 9576: CVE-2013-0213: Fix clickjacking issue in SWAT.
    * BUG 9577: CVE-2013-0214: Fix potential XSRF in SWAT.

To generate a diff of this commit:
cvs rdiff -u -r1.25 -r1.26 pkgsrc/net/samba35/Makefile
cvs rdiff -u -r1.14 -r1.15 pkgsrc/net/samba35/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
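The release notes make two points an administrator can check for: the advisory only applies when SWAT is actually enabled (e.g. via inetd), and the clickjacking issue hinges on SWAT pages being framed by another site. The following is an added example, not code from Samba or from this pkgsrc commit; it checks an inetd.conf-style configuration for an active `swat` entry and inspects a SWAT HTTP response for the standard anti-framing headers (X-Frame-Options / CSP frame-ancestors). The advisory does not describe Samba's own fix, so the header check is the general mitigation, not a reproduction of the patch; xinetd's `disable = no` format is not handled here.

```python
"""Defender-side checks derived from the Samba 3.5.21 advisory text.
Sample inputs below are constructed, not captured from a real host."""
import re


def is_swat_enabled_in_inetd(inetd_conf: str) -> bool:
    """True if an uncommented inetd.conf line defines the 'swat' service."""
    for line in inetd_conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments enable nothing
        fields = line.split()
        # inetd.conf layout: service socktype proto wait user server args...
        if fields[0] == "swat":
            return True
    return False


def framing_protected(raw_headers: str) -> bool:
    """True if the response forbids third-party framing (clickjacking defence)."""
    headers = {}
    for line in raw_headers.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    xfo = headers.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True
    csp = headers.get("content-security-policy", "")
    # Any frame-ancestors directive other than the wildcard restricts framing.
    m = re.search(r"frame-ancestors\s+([^;]+)", csp, re.IGNORECASE)
    return bool(m) and m.group(1).strip() != "*"


# Constructed samples: a commented-out and an active swat entry, and two
# SWAT-style responses, one without and one with an anti-framing header.
SAMPLE_INETD_DISABLED = (
    "#swat stream tcp nowait.400 root /usr/pkg/sbin/swat swat\n"
    "ftp  stream tcp nowait root /usr/libexec/ftpd ftpd -l\n"
)
SAMPLE_INETD_ENABLED = "swat stream tcp nowait.400 root /usr/pkg/sbin/swat swat\n"
SAMPLE_RESP_UNPROTECTED = "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
SAMPLE_RESP_PROTECTED = (
    "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: DENY\r\n\r\n"
)

if __name__ == "__main__":
    print("swat enabled:", is_swat_enabled_in_inetd(SAMPLE_INETD_ENABLED))
    print("framing protected:", framing_protected(SAMPLE_RESP_PROTECTED))
```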