CVE-2015-5296
Published: 16 December 2015
Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3 supports connections that are encrypted but unsigned, which allows man-in-the-middle attackers to conduct encrypted-to-unencrypted downgrade attacks by modifying the client-server data stream, related to clidfs.c, libsmb_server.c, and smbXcli_base.c.
Notes
| Author | Note |
|---|---|
| mdeslaur | 3.2.0 to 4.3.2 3.6 patch in upstream bug |
Priority
CVSS 3 base score: 5.4
Status
| Package | Release | Status |
|---|---|---|
|
samba Launchpad, Ubuntu, Debian |
precise |
Released
(2:3.6.3-2ubuntu2.13)
|
| trusty |
Released
(2:4.1.6+dfsg-1ubuntu2.14.04.11)
|
|
| upstream |
Released
(4.3.3,4.2.7,4.1.22)
|
|
| vivid |
Released
(2:4.1.13+dfsg-4ubuntu3.1)
|
|
| wily |
Released
(2:4.1.17+dfsg-4ubuntu3.1)
|
|
| xenial |
Released
(2:4.3.3+dfsg-1ubuntu1)
|
|
| yakkety |
Released
(2:4.3.3+dfsg-1ubuntu1)
|
|
| zesty |
Released
(2:4.3.3+dfsg-1ubuntu1)
|
|
|
Patches: upstream: https://git.samba.org/?p=samba.git;a=commit;h=d9e943e351a752ba627314da7fb8d2f6f1eb44b3 (4.1) upstream: https://git.samba.org/?p=samba.git;a=commit;h=4c3a492259ceefe3d02df690d4369291627883a2 (4.1) upstream: https://git.samba.org/?p=samba.git;a=commit;h=c634a143a876bd5a724d830c54fe12ef6d68d5fd (4.1) |
||
|
samba4 Launchpad, Ubuntu, Debian |
precise |
Does not exist
(precise was needed)
|
| trusty |
Does not exist
|
|
| upstream |
Released
(4.3.3,4.2.7,4.1.22)
|
|
| vivid |
Does not exist
|
|
| wily |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|