CrOS: Vulnerability reported in net-fs/samba
Issue description

Automated analysis has detected that the following third party packages have had vulnerabilities publicly reported.

NOTE: There may be several bugs listed below - in almost all cases, all bugs can be quickly addressed by upgrading to the latest version of the package.

Package Name: net-fs/samba
Package Version: [cpe:/a:samba:samba:4.5.3 cpe:/a:samba:samba:4.8.0]

Advisory: CVE-2017-12150
Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-12150
CVSS severity score: 5.8/10.0
Confidence: high
Description: It was found that samba before 4.4.16, 4.5.x before 4.5.14, and 4.6.x before 4.6.8 did not enforce "SMB signing" when certain configuration options were enabled. A remote attacker could launch a man-in-the-middle attack and retrieve information in plain-text.
Oct 1
would be nice if we could improve vomit so that it told us what branch/release/whatever it was reporting against.

samba-4.8.0 is in R68+. if we do builds for older branches, vomit might report them. i know we're talking about lakitu doing older branches than CrOS, but they'd be responsible for keeping things sane.

i've filed b/117109161 for improving the reporting.
Oct 1
Previously, we were missing CVEs for Samba so they may have reconfigured it to alert on all CVEs. I double checked and 4.8 is not affected.
Oct 4
Jan 8
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mnissler@chromium.org, Oct 1
Status: WontFix (was: Untriaged)