OSV:DSA-3548-3
Apr 13, 2016 - 12:00 a.m.

samba - regression update

Source: Google, osv.dev

CVSS3: 7.5 High
  Attack Vector: NETWORK
  Attack Complexity: HIGH
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 6.8 Medium
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Several vulnerabilities have been discovered in Samba, a SMB/CIFS file,
print, and login server for Unix. The Common Vulnerabilities and
Exposures project identifies the following issues:

  • CVE-2015-5370
    Jouni Knuutinen from Synopsys discovered flaws in the Samba DCE-RPC
    code which can lead to denial of service (crashes and high CPU
    consumption) and man-in-the-middle attacks.
  • CVE-2016-2110
    Stefan Metzmacher of SerNet and the Samba Team discovered that the
    feature negotiation of NTLMSSP does not protect against downgrade
    attacks.
  • CVE-2016-2111
    When Samba is configured as a domain controller, it allows remote
    attackers to spoof the computer name of a secure channel's endpoint,
    and obtain sensitive session information. This flaw corresponds to
    the same vulnerability as CVE-2015-0005 for Windows, discovered by
    Alberto Solino from Core Security.
  • CVE-2016-2112
    Stefan Metzmacher of SerNet and the Samba Team discovered that a
    man-in-the-middle attacker can downgrade LDAP connections to avoid
    integrity protection.
  • CVE-2016-2113
    Stefan Metzmacher of SerNet and the Samba Team discovered that
    man-in-the-middle attacks are possible for client-triggered LDAP
    connections and ncacn_http connections.
  • CVE-2016-2114
    Stefan Metzmacher of SerNet and the Samba Team discovered that Samba
    does not enforce required SMB signing even if explicitly configured.
  • CVE-2016-2115
    Stefan Metzmacher of SerNet and the Samba Team discovered that SMB
    connections for IPC traffic are not integrity-protected.
  • CVE-2016-2118
    Stefan Metzmacher of SerNet and the Samba Team discovered that a
    man-in-the-middle attacker can intercept any DCERPC traffic between
    a client and a server in order to impersonate the client and obtain
    the same privileges as the authenticated user account.

For the oldstable distribution (wheezy), these problems have been fixed
in version 2:3.6.6-6+deb7u9. The oldstable distribution is not affected
by CVE-2016-2113 and CVE-2016-2114.

For the stable distribution (jessie), these problems have been fixed in
version 2:4.2.10+dfsg-0+deb8u1. The issues were addressed by upgrading
to the new upstream version 4.2.10, which includes additional changes
and bugfixes. The libraries it depends on (ldb, talloc, tdb and tevent)
also had to be updated to new upstream versions for this update.

For the unstable distribution (sid), these problems have been fixed in
version 2:4.3.7+dfsg-1.

Please refer to

for further details (in particular for new options and defaults).

We'd like to thank Andreas Schneider and Guenther Deschner (Red Hat),
Stefan Metzmacher and Ralph Boehme (SerNet) and Aurelien Aptel (SUSE)
for the massive backporting work required to support Samba 3.6 and Samba
4.2 and Andrew Bartlett (Catalyst), Jelmer Vernooij and Mathieu Parent
for their help in preparing updates of Samba and the underlying
infrastructure libraries.

We recommend that you upgrade your samba packages.
