OSV:DSA-3433-1 (Google, osv.dev)
Jan 02, 2016 - 12:00 a.m.

samba - security update

CVSS3: 7.5 High (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVSS2: 6 Medium (AV:N/AC:M/Au:S/C:P/I:P/A:P)
EPSS: 0.372 Low (percentile 96.6%)

Several vulnerabilities have been discovered in Samba, a SMB/CIFS file,
print, and login server for Unix. The Common Vulnerabilities and
Exposures project identifies the following issues:

  • CVE-2015-3223
    Thilo Uttendorfer of Linux Information Systems AG discovered that a
    malicious request can cause the Samba LDAP server to hang, spinning
    using CPU. A remote attacker can take advantage of this flaw to
    mount a denial of service.
  • CVE-2015-5252
    Jan Yenya Kasprzak and the Computer Systems Unit team at Faculty
    of Informatics, Masaryk University discovered that insufficient
    symlink verification could allow data access outside an exported
    share path.
  • CVE-2015-5296
    Stefan Metzmacher of SerNet discovered that Samba does not ensure
    that signing is negotiated when creating an encrypted client
    connection to a server. This allows a man-in-the-middle attacker to
    downgrade the connection and connect using the supplied credentials
    as an unsigned, unencrypted connection.
  • CVE-2015-5299
    It was discovered that a missing access control check in the VFS
    shadow_copy2 module could allow unauthorized users to access
    snapshots.
  • CVE-2015-5330
    Douglas Bagnall of Catalyst discovered that the Samba LDAP server
    is vulnerable to a remote memory read attack. A remote attacker can
    obtain sensitive information from daemon heap memory by sending
    crafted packets and then reading either an error message or a
    database value.
  • CVE-2015-7540
    It was discovered that a malicious client can send packets that
    cause the LDAP server provided by the AD DC in the samba daemon
    process to consume unlimited memory and be terminated.
  • CVE-2015-8467
    Andrew Bartlett of the Samba Team and Catalyst discovered that a
    Samba server deployed as an AD DC can expose Windows DCs in the same
    domain to a denial of service via the creation of multiple machine
    accounts. This issue is related to the MS15-096 / CVE-2015-2535
    security issue in Windows.

For the oldstable distribution (wheezy), these problems have been fixed
in version 2:3.6.6-6+deb7u6. The oldstable distribution (wheezy) is only
affected by CVE-2015-5252, CVE-2015-5296 and CVE-2015-5299.

For the stable distribution (jessie), these problems have been fixed in
version 2:4.1.17+dfsg-2+deb8u1. The fixes for CVE-2015-3223 and
CVE-2015-5330 required an update to ldb 2:1.1.17-2+deb8u1 to correct the
defects.

For the unstable distribution (sid), these problems have been fixed in
version 2:4.1.22+dfsg-1. The fixes for CVE-2015-3223 and CVE-2015-5330
required an update to ldb 2:1.1.24-1 to correct the defects.

We recommend that you upgrade your samba packages.

CPE    Name   Operator  Version
       samba  eq        2:4.1.17+dfsg-2
