samba - security update

Several vulnerabilities have been discovered in Samba, a SMB/CIFS file,
print, and login server for Unix. The Common Vulnerabilities and
Exposures project identifies the following issues:

• CVE-2016-2119
  Stefan Metzmacher discovered that client-side SMB2/3 required
  signing can be downgraded, allowing a man-in-the-middle attacker to
  impersonate a server being connected to by Samba, and return
  malicious results.
• CVE-2016-2123
  Trend Micro’s Zero Day Initiative and Frederic Besler discovered
  that the routine ndr_pull_dnsp_name, used to parse data from the
  Samba Active Directory ldb database, contains an integer overflow
  flaw, leading to an attacker-controlled memory overwrite. An
  authenticated user can take advantage of this flaw for remote
  privilege escalation.
• CVE-2016-2125
  Simo Sorce of Red Hat discovered that the Samba client code always
  requests a forwardable ticket when using Kerberos authentication. A
  target server, which must be in the current or trusted domain/realm,
  is given a valid general purpose Kerberos Ticket Granting Ticket
  (TGT), which can be used to fully impersonate the authenticated user
  or service.
• CVE-2016-2126
  Volker Lendecke discovered several flaws in the Kerberos PAC
  validation. A remote, authenticated, attacker can cause the winbindd
  process to crash using a legitimate Kerberos ticket due to incorrect
  handling of the PAC checksum. A local service with access to the
  winbindd privileged pipe can cause winbindd to cache elevated access
  permissions.

For the stable distribution (jessie), these problems have been fixed in
version 2:4.2.14+dfsg-0+deb8u2. In addition, this update contains
several changes originally targeted for the upcoming jessie point
release.

We recommend that you upgrade your samba packages.