cifs-utils-6.5-1.5 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10334-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z cifs-utils-6.5-1.5 on GA media These are all security issues fixed in the cifs-utils-6.5-1.5 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10334 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2009-1886/ SUSE CVE CVE-2009-1886 page https://www.suse.com/security/cve/CVE-2009-1888/ SUSE CVE CVE-2009-1888 page https://www.suse.com/security/cve/CVE-2009-2813/ SUSE CVE CVE-2009-2813 page https://www.suse.com/security/cve/CVE-2009-2906/ SUSE CVE CVE-2009-2906 page https://www.suse.com/security/cve/CVE-2009-2948/ SUSE CVE CVE-2009-2948 page https://www.suse.com/security/cve/CVE-2010-0547/ SUSE CVE CVE-2010-0547 page https://www.suse.com/security/cve/CVE-2010-0728/ SUSE CVE CVE-2010-0728 page https://www.suse.com/security/cve/CVE-2010-0787/ SUSE CVE CVE-2010-0787 page https://www.suse.com/security/cve/CVE-2012-1586/ SUSE CVE CVE-2012-1586 page openSUSE Tumbleweed cifs-utils-6.5-1.5 cifs-utils-devel-6.5-1.5 pam_cifscreds-6.5-1.5 cifs-utils-6.5-1.5 as a component of openSUSE Tumbleweed cifs-utils-devel-6.5-1.5 as a component of openSUSE Tumbleweed pam_cifscreds-6.5-1.5 as a component of openSUSE Tumbleweed Multiple format string vulnerabilities in client/client.c in smbclient in Samba 3.2.0 through 3.2.12 might allow context-dependent attackers to execute arbitrary code via format string specifiers in a filename. CVE-2009-1886 openSUSE Tumbleweed:cifs-utils-6.5-1.5 openSUSE Tumbleweed:cifs-utils-devel-6.5-1.5 openSUSE Tumbleweed:pam_cifscreds-6.5-1.5 critical 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2009-1886.html CVE-2009-1886 https://bugzilla.suse.com/513360 SUSE Bug 513360 https://bugzilla.suse.com/515479 SUSE Bug 515479 The acl_group_override function in smbd/posix_acls.c in smbd in Samba 3.0.x before 3.0.35, 3.1.x and 3.2.x before 3.2.13, and 3.3.x before 3.3.6, when dos filemode is enabled, allows remote attackers to modify access control lists for files via vectors related to read access to uninitialized memory. CVE-2009-1888 openSUSE Tumbleweed:cifs-utils-6.5-1.5 openSUSE Tumbleweed:cifs-utils-devel-6.5-1.5 openSUSE Tumbleweed:pam_cifscreds-6.5-1.5 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2009-1888.html CVE-2009-1888 https://bugzilla.suse.com/513360 SUSE Bug 513360 https://bugzilla.suse.com/515479 SUSE Bug 515479 Samba 3.4 before 3.4.2, 3.3 before 3.3.8, 3.2 before 3.2.15, and 3.0.12 through 3.0.36, as used in the SMB subsystem in Apple Mac OS X 10.5.8 when Windows File Sharing is enabled, Fedora 11, and other operating systems, does not properly handle errors in resolving pathnames, which allows remote authenticated users to bypass intended sharing restrictions, and read, create, or modify files, in certain circumstances involving user accounts that lack home directories. CVE-2009-2813 openSUSE Tumbleweed:cifs-utils-6.5-1.5 openSUSE Tumbleweed:cifs-utils-devel-6.5-1.5 openSUSE Tumbleweed:pam_cifscreds-6.5-1.5 moderate 6 AV:N/AC:M/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2009-2813.html CVE-2009-2813 https://bugzilla.suse.com/515479 SUSE Bug 515479 https://bugzilla.suse.com/539517 SUSE Bug 539517 https://bugzilla.suse.com/543115 SUSE Bug 543115 smbd in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8, and 3.4 before 3.4.2 allows remote authenticated users to cause a denial of service (infinite loop) via an unanticipated oplock break notification reply packet. CVE-2009-2906 openSUSE Tumbleweed:cifs-utils-6.5-1.5 openSUSE Tumbleweed:cifs-utils-devel-6.5-1.5 openSUSE Tumbleweed:pam_cifscreds-6.5-1.5 low 4 AV:N/AC:L/Au:S/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2009-2906.html CVE-2009-2906 https://bugzilla.suse.com/515479 SUSE Bug 515479 https://bugzilla.suse.com/543115 SUSE Bug 543115 mount.cifs in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8 and 3.4 before 3.4.2, when mount.cifs is installed suid root, does not properly enforce permissions, which allows local users to read part of the credentials file and obtain the password by specifying the path to the credentials file and using the --verbose or -v option. CVE-2009-2948 openSUSE Tumbleweed:cifs-utils-6.5-1.5 openSUSE Tumbleweed:cifs-utils-devel-6.5-1.5 openSUSE Tumbleweed:pam_cifscreds-6.5-1.5 low 1.9 AV:L/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2009-2948.html CVE-2009-2948 https://bugzilla.suse.com/515479 SUSE Bug 515479 https://bugzilla.suse.com/542150 SUSE Bug 542150 https://bugzilla.suse.com/543115 SUSE Bug 543115 client/mount.cifs.c in mount.cifs in smbfs in Samba 3.4.5 and earlier does not verify that the (1) device name and (2) mountpoint strings are composed of valid characters, which allows local users to cause a denial of service (mtab corruption) via a crafted string. CVE-2010-0547 openSUSE Tumbleweed:cifs-utils-6.5-1.5 openSUSE Tumbleweed:cifs-utils-devel-6.5-1.5 openSUSE Tumbleweed:pam_cifscreds-6.5-1.5 moderate 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2010-0547.html CVE-2010-0547 https://bugzilla.suse.com/577868 SUSE Bug 577868 https://bugzilla.suse.com/577925 SUSE Bug 577925 https://bugzilla.suse.com/583535 SUSE Bug 583535 https://bugzilla.suse.com/583536 SUSE Bug 583536 https://bugzilla.suse.com/594263 SUSE Bug 594263 https://bugzilla.suse.com/597421 SUSE Bug 597421 https://bugzilla.suse.com/602694 SUSE Bug 602694 https://bugzilla.suse.com/709819 SUSE Bug 709819 smbd in Samba 3.3.11, 3.4.6, and 3.5.0, when libcap support is enabled, runs with the CAP_DAC_OVERRIDE capability, which allows remote authenticated users to bypass intended file permissions via standard filesystem operations with any client. CVE-2010-0728 openSUSE Tumbleweed:cifs-utils-6.5-1.5 openSUSE Tumbleweed:cifs-utils-devel-6.5-1.5 openSUSE Tumbleweed:pam_cifscreds-6.5-1.5 important 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2010-0728.html CVE-2010-0728 https://bugzilla.suse.com/586683 SUSE Bug 586683 client/mount.cifs.c in mount.cifs in smbfs in Samba 3.0.22, 3.0.28a, 3.2.3, 3.3.2, 3.4.0, and 3.4.5 allows local users to mount a CIFS share on an arbitrary mountpoint, and gain privileges, via a symlink attack on the mountpoint directory file. CVE-2010-0787 openSUSE Tumbleweed:cifs-utils-6.5-1.5 openSUSE Tumbleweed:cifs-utils-devel-6.5-1.5 openSUSE Tumbleweed:pam_cifscreds-6.5-1.5 moderate 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2010-0787.html CVE-2010-0787 https://bugzilla.suse.com/550002 SUSE Bug 550002 https://bugzilla.suse.com/602694 SUSE Bug 602694 https://bugzilla.suse.com/620680 SUSE Bug 620680 mount.cifs in cifs-utils 2.6 allows local users to determine the existence of arbitrary files or directories via the file path in the second argument, which reveals their existence in an error message. CVE-2012-1586 openSUSE Tumbleweed:cifs-utils-6.5-1.5 openSUSE Tumbleweed:cifs-utils-devel-6.5-1.5 openSUSE Tumbleweed:pam_cifscreds-6.5-1.5 moderate 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-1586.html CVE-2012-1586 https://bugzilla.suse.com/754443 SUSE Bug 754443