Back to bug 1311893

Who When What Removed Added
Adam Mariš 2016-02-25 09:49:59 UTC CC security-response-team
Red Hat Bugzilla 2016-02-25 09:49:59 UTC Doc Type --- Bug Fix
Adam Mariš 2016-02-25 10:17:19 UTC Blocks 1311915
Huzaifa S. Sidhpurwala 2016-03-29 09:11:23 UTC Whiteboard impact=moderate,public=no,reported=20160224,source=upstream,cvss2=4.3/AV:A/AC:M/Au:N/C:P/I:P/A:N,cwe=CWE-300,rhel-5/samba=new,rhel-5/samba3x=new,rhel-6/samba4=new,rhel-6/samba=new,rhel-7/samba=new,rhes-3.1/samba=new,fedora-all/samba=affected impact=moderate,public=no,reported=20160224,source=upstream,cvss2=4.3/AV:A/AC:M/Au:N/C:P/I:P/A:N,cwe=CWE-300,rhel-5/samba=notaffected,rhel-5/samba3x=notaffected,rhel-6/samba4=notaffected,rhel-6/samba=notaffected,rhel-7/samba=affected,rhes-3.1/samba=affected,fedora-all/samba=affected
Huzaifa S. Sidhpurwala 2016-03-31 06:29:59 UTC Depends On 1322690
Huzaifa S. Sidhpurwala 2016-03-31 06:30:09 UTC Depends On 1322691
Huzaifa S. Sidhpurwala 2016-03-31 06:30:17 UTC Depends On 1322692
Huzaifa S. Sidhpurwala 2016-03-31 06:37:59 UTC Whiteboard impact=moderate,public=no,reported=20160224,source=upstream,cvss2=4.3/AV:A/AC:M/Au:N/C:P/I:P/A:N,cwe=CWE-300,rhel-5/samba=notaffected,rhel-5/samba3x=notaffected,rhel-6/samba4=notaffected,rhel-6/samba=notaffected,rhel-7/samba=affected,rhes-3.1/samba=affected,fedora-all/samba=affected impact=moderate,public=no,reported=20160224,source=upstream,cvss2=4.3/AV:A/AC:M/Au:N/C:P/I:P/A:N,cwe=CWE-300,rhel-5/samba=notaffected,rhel-5/samba3x=notaffected,rhel-6/samba4=notaffected,rhel-6/samba=affected,rhel-7/samba=affected,rhes-3.1/samba=affected,fedora-all/samba=affected
Huzaifa S. Sidhpurwala 2016-03-31 06:38:37 UTC Depends On 1322688, 1322689
Huzaifa S. Sidhpurwala 2016-03-31 06:39:10 UTC Whiteboard impact=moderate,public=no,reported=20160224,source=upstream,cvss2=4.3/AV:A/AC:M/Au:N/C:P/I:P/A:N,cwe=CWE-300,rhel-5/samba=notaffected,rhel-5/samba3x=notaffected,rhel-6/samba4=notaffected,rhel-6/samba=affected,rhel-7/samba=affected,rhes-3.1/samba=affected,fedora-all/samba=affected impact=moderate,public=no,reported=20160224,source=upstream,cvss2=4.3/AV:A/AC:M/Au:N/C:P/I:P/A:N,cwe=CWE-300,rhel-5/samba=notaffected,rhel-5/samba3x=notaffected,rhel-6/samba4=affected,rhel-6/samba=notaffected,rhel-7/samba=affected,rhes-3.1/samba=affected,fedora-all/samba=affected
Huzaifa S. Sidhpurwala 2016-03-31 08:22:35 UTC CC abokovoy, madam
Huzaifa S. Sidhpurwala 2016-03-31 08:24:35 UTC Whiteboard impact=moderate,public=no,reported=20160224,source=upstream,cvss2=4.3/AV:A/AC:M/Au:N/C:P/I:P/A:N,cwe=CWE-300,rhel-5/samba=notaffected,rhel-5/samba3x=notaffected,rhel-6/samba4=affected,rhel-6/samba=notaffected,rhel-7/samba=affected,rhes-3.1/samba=affected,fedora-all/samba=affected impact=moderate,public=no,reported=20160224,source=upstream,cvss2=4.3/AV:A/AC:M/Au:N/C:P/I:P/A:N,cwe=CWE-300,rhel-5/samba=affected,rhel-5/samba3x=affected,rhel-6/samba4=affected,rhel-6/samba=affected,rhel-7/samba=affected,rhes-3.1/samba=affected,fedora-all/samba=affected
Huzaifa S. Sidhpurwala 2016-03-31 08:28:23 UTC Depends On 1322684, 1322686, 1322687
Huzaifa S. Sidhpurwala 2016-03-31 08:32:48 UTC CC rhack
Michael Adam 2016-04-01 20:43:32 UTC CC huzaifas
Flags needinfo?(huzaifas)
Huzaifa S. Sidhpurwala 2016-04-04 02:32:55 UTC CC sisharma
Flags needinfo?(huzaifas) needinfo?(sisharma)
Siddharth Sharma 2016-04-04 08:05:01 UTC Flags needinfo?(sisharma)
Summer Long 2016-04-06 02:28:17 UTC CC slong
Doc Text Several flaws were found in Samba's NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to cause a protocol downgrade. The attacker could also mislead the client or server into sending data in plain text, even if encryption explicitly is requested. LDAP (with NTLMSSP authentication) is used as a client by various administrative Samba-project tools (for example, "net", "samba-tool", "ldbsearch", or "ldbedit").

This flaw affects all possible roles in which Samba can operate, and is related to CVE-2016-2112 and CVE-2016-2113.
Whiteboard impact=moderate,public=no,reported=20160224,source=upstream,cvss2=4.3/AV:A/AC:M/Au:N/C:P/I:P/A:N,cwe=CWE-300,rhel-5/samba=affected,rhel-5/samba3x=affected,rhel-6/samba4=affected,rhel-6/samba=affected,rhel-7/samba=affected,rhes-3.1/samba=affected,fedora-all/samba=affected impact=moderate,public=no,reported=20160224,source=upstream,cvss2=4.3/AV:A/AC:M/Au:N/C:P/I:Px=affected,rhel-6/samba4=affected,rhel-6/samba=affected,rhel-7/samba=affected,rhes-3.1/samba=affected,fedora-all/samba=affected/A:N,cwe=CWE-300,rhel-5/samba=affected,rhel-5/samba3
Tomas Hoger 2016-04-06 07:04:10 UTC Whiteboard impact=moderate,public=no,reported=20160224,source=upstream,cvss2=4.3/AV:A/AC:M/Au:N/C:P/I:Px=affected,rhel-6/samba4=affected,rhel-6/samba=affected,rhel-7/samba=affected,rhes-3.1/samba=affected,fedora-all/samba=affected/A:N,cwe=CWE-300,rhel-5/samba=affected,rhel-5/samba3 impact=moderate,public=no,reported=20160224,source=upstream,cvss2=4.3/AV:A/AC:M/Au:N/C:P/I:P/A:N,cwe=CWE-300,rhel-5/samba=affected,rhel-5/samba3x=affected,rhel-6/samba=affected,rhel-6/samba4=affected,rhel-7/samba=affected,rhes-3.1/samba=affected,fedora-all/samba=affected
Huzaifa S. Sidhpurwala 2016-04-07 10:33:41 UTC Whiteboard impact=moderate,public=no,reported=20160224,source=upstream,cvss2=4.3/AV:A/AC:M/Au:N/C:P/I:P/A:N,cwe=CWE-300,rhel-5/samba=affected,rhel-5/samba3x=affected,rhel-6/samba=affected,rhel-6/samba4=affected,rhel-7/samba=affected,rhes-3.1/samba=affected,fedora-all/samba=affected impact=moderate,public=no,reported=20160224,source=upstream,cvss2=4.3/AV:A/AC:M/Au:N/C:P/I:P/A:N,cwe=CWE-300,rhel-5/samba=affected,rhel-5/samba3x=affected,rhel-6/samba=affected,rhel-6/samba4=affected,rhel-7/samba=affected,rhes-3.1/samba=affected,fedora-all/samba=affected,rhel-4/samba=affected,rhel-5.6.z/samba=affected,rhel-5.9.z/samba=affected,rhel-6.2.z/samba=affected,rhel-6.4.z/samba=affected,rhel-6.5.z/samba=affected,rhel-6.6.z/samba=affected,rhel-7.1.z/samba=affected
Huzaifa S. Sidhpurwala 2016-04-07 10:42:50 UTC Depends On 1324800
Huzaifa S. Sidhpurwala 2016-04-07 10:42:59 UTC Depends On 1324801
Huzaifa S. Sidhpurwala 2016-04-07 10:43:07 UTC Depends On 1324802
Huzaifa S. Sidhpurwala 2016-04-07 10:43:17 UTC Depends On 1324803
Huzaifa S. Sidhpurwala 2016-04-07 10:43:25 UTC Depends On 1324804
Huzaifa S. Sidhpurwala 2016-04-07 10:43:34 UTC Depends On 1324805
Huzaifa S. Sidhpurwala 2016-04-07 10:43:42 UTC Depends On 1324806
Huzaifa S. Sidhpurwala 2016-04-07 10:43:52 UTC Depends On 1324807
Huzaifa S. Sidhpurwala 2016-04-08 15:59:34 UTC Whiteboard impact=moderate,public=no,reported=20160224,source=upstream,cvss2=4.3/AV:A/AC:M/Au:N/C:P/I:P/A:N,cwe=CWE-300,rhel-5/samba=affected,rhel-5/samba3x=affected,rhel-6/samba=affected,rhel-6/samba4=affected,rhel-7/samba=affected,rhes-3.1/samba=affected,fedora-all/samba=affected,rhel-4/samba=affected,rhel-5.6.z/samba=affected,rhel-5.9.z/samba=affected,rhel-6.2.z/samba=affected,rhel-6.4.z/samba=affected,rhel-6.5.z/samba=affected,rhel-6.6.z/samba=affected,rhel-7.1.z/samba=affected impact=moderate,public=no,reported=20160224,source=upstream,cvss2=4.3/AV:A/AC:M/Au:N/C:P/I:P/A:N,cwe=CWE-300,rhel-5/samba=affected,rhel-5/samba3x=affected,rhel-6/samba=affected,rhel-6/samba4=affected,rhel-7/samba=affected,rhes-3.1/samba=affected,fedora-all/samba=affected,rhel-4/samba=affected,rhel-5.6.z/samba=affected,rhel-5.9.z/samba=affected,rhel-6.2.z/samba=affected,rhel-6.4.z/samba=affected,rhel-6.5.z/samba=affected,rhel-6.6.z/samba=affected,rhel-7.1.z/samba=affected,rhel-6.2.z/samba4=affected,rhel-6.4.z/samba4=affected,rhel-6.5.z/samba4=affected,rhel-6.6.z/samba4=affected
Huzaifa S. Sidhpurwala 2016-04-08 16:03:06 UTC Depends On 1325382
Huzaifa S. Sidhpurwala 2016-04-08 16:03:18 UTC Depends On 1325383
Huzaifa S. Sidhpurwala 2016-04-08 16:03:28 UTC Depends On 1325384
Huzaifa S. Sidhpurwala 2016-04-08 16:03:40 UTC Depends On 1325385
Huzaifa S. Sidhpurwala 2016-04-09 08:42:50 UTC Doc Text Several flaws were found in Samba's NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to cause a protocol downgrade. The attacker could also mislead the client or server into sending data in plain text, even if encryption explicitly is requested. LDAP (with NTLMSSP authentication) is used as a client by various administrative Samba-project tools (for example, "net", "samba-tool", "ldbsearch", or "ldbedit").

This flaw affects all possible roles in which Samba can operate, and is related to CVE-2016-2112 and CVE-2016-2113.
Several flaws were found in Samba's NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear encryption and integrity flags causing data to be transmitted as plain text, hereby causing a protocol downgrade. The attacker could also mislead the client or server into sending data in plain text, even if encryption explicitly is requested.
Huzaifa S. Sidhpurwala 2016-04-10 11:15:59 UTC Depends On 1325645
Huzaifa S. Sidhpurwala 2016-04-10 11:23:48 UTC Depends On 1325649
Huzaifa S. Sidhpurwala 2016-04-10 11:24:03 UTC Depends On 1325650
Huzaifa S. Sidhpurwala 2016-04-10 11:24:15 UTC Depends On 1325651
Huzaifa S. Sidhpurwala 2016-04-11 05:21:14 UTC Whiteboard impact=moderate,public=no,reported=20160224,source=upstream,cvss2=4.3/AV:A/AC:M/Au:N/C:P/I:P/A:N,cwe=CWE-300,rhel-5/samba=affected,rhel-5/samba3x=affected,rhel-6/samba=affected,rhel-6/samba4=affected,rhel-7/samba=affected,rhes-3.1/samba=affected,fedora-all/samba=affected,rhel-4/samba=affected,rhel-5.6.z/samba=affected,rhel-5.9.z/samba=affected,rhel-6.2.z/samba=affected,rhel-6.4.z/samba=affected,rhel-6.5.z/samba=affected,rhel-6.6.z/samba=affected,rhel-7.1.z/samba=affected,rhel-6.2.z/samba4=affected,rhel-6.4.z/samba4=affected,rhel-6.5.z/samba4=affected,rhel-6.6.z/samba4=affected impact=moderate,public=20160412,reported=20160224,source=upstream,cvss2=4.3/AV:A/AC:M/Au:N/C:P/I:P/A:N,cwe=CWE-300,rhel-5/samba=affected,rhel-5/samba3x=affected,rhel-6/samba=affected,rhel-6/samba4=affected,rhel-7/samba=affected,rhes-3.1/samba=affected,fedora-all/samba=affected,rhel-4/samba=affected,rhel-5.6.z/samba=affected,rhel-5.9.z/samba=affected,rhel-6.2.z/samba=affected,rhel-6.4.z/samba=affected,rhel-6.5.z/samba=affected,rhel-6.6.z/samba=affected,rhel-7.1.z/samba=affected,rhel-6.2.z/samba4=affected,rhel-6.4.z/samba4=affected,rhel-6.5.z/samba4=affected,rhel-6.6.z/samba4=affected
Martin Prpič 2016-04-11 07:10:29 UTC Doc Text Several flaws were found in Samba's NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear encryption and integrity flags causing data to be transmitted as plain text, hereby causing a protocol downgrade. The attacker could also mislead the client or server into sending data in plain text, even if encryption explicitly is requested. Several flaws were found in Samba's implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection.
Huzaifa S. Sidhpurwala 2016-04-11 10:33:29 UTC Whiteboard impact=moderate,public=20160412,reported=20160224,source=upstream,cvss2=4.3/AV:A/AC:M/Au:N/C:P/I:P/A:N,cwe=CWE-300,rhel-5/samba=affected,rhel-5/samba3x=affected,rhel-6/samba=affected,rhel-6/samba4=affected,rhel-7/samba=affected,rhes-3.1/samba=affected,fedora-all/samba=affected,rhel-4/samba=affected,rhel-5.6.z/samba=affected,rhel-5.9.z/samba=affected,rhel-6.2.z/samba=affected,rhel-6.4.z/samba=affected,rhel-6.5.z/samba=affected,rhel-6.6.z/samba=affected,rhel-7.1.z/samba=affected,rhel-6.2.z/samba4=affected,rhel-6.4.z/samba4=affected,rhel-6.5.z/samba4=affected,rhel-6.6.z/samba4=affected impact=moderate,public=20160412,reported=20160224,source=upstream,cvss2=4.3/AV:A/AC:M/Au:N/C:P/I:P/A:N,cwe=CWE-300,rhel-5/samba=affected,rhel-5/samba3x=affected,rhel-6/samba=affected,rhel-6/samba4=affected,rhel-7/samba=affected,rhes-3.1/samba=affected,fedora-all/samba=affected,rhel-4/samba=affected,rhel-5.6.z/samba=affected,rhel-5.9.z/samba=affected,rhel-6.2.z/samba=affected,rhel-6.4.z/samba=affected,rhel-6.5.z/samba=affected,rhel-6.6.z/samba=affected,rhel-7.1.z/samba=affected,rhel-6.2.z/samba4=affected,rhel-6.4.z/samba4=affected,rhel-6.5.z/samba4=affected,rhel-6.6.z/samba4=affected,rhel-5.6.z/samba3x=affected,rhel-5.9.z/samba3x=affected
Huzaifa S. Sidhpurwala 2016-04-11 10:37:14 UTC Depends On 1325832
Huzaifa S. Sidhpurwala 2016-04-11 10:39:10 UTC Depends On 1325838
Jose A. Rivera 2016-04-12 12:29:39 UTC Status NEW ON_QA
Fixed In Version 4.2.11-1
Tomas Hoger 2016-04-12 12:38:13 UTC Status ON_QA NEW
Fixed In Version 4.2.11-1
Huzaifa S. Sidhpurwala 2016-04-12 14:20:59 UTC Depends On 1326361
Huzaifa S. Sidhpurwala 2016-04-12 14:21:27 UTC Depends On 1326362
Huzaifa S. Sidhpurwala 2016-04-12 14:22:06 UTC Depends On 1326364
Huzaifa S. Sidhpurwala 2016-04-12 14:22:14 UTC Depends On 1326365
Huzaifa S. Sidhpurwala 2016-04-12 14:26:29 UTC Depends On 1326368
Huzaifa S. Sidhpurwala 2016-04-12 14:26:48 UTC Depends On 1326369
Huzaifa S. Sidhpurwala 2016-04-12 14:29:52 UTC Depends On 1326370
Huzaifa S. Sidhpurwala 2016-04-12 17:09:20 UTC Group security, qe_staff
Summary EMBARGOED CVE-2016-2110 samba: Man-in-the-middle attacks possible with NTLMSSP authentication CVE-2016-2110 samba: Man-in-the-middle attacks possible with NTLMSSP authentication
Siddharth Sharma 2016-04-12 17:27:46 UTC Depends On 1326453
Tomas Hoger 2016-04-12 20:34:01 UTC Fixed In Version samba 4.4.2, samba 4.3.8, samba 4.2.11
Tomas Hoger 2016-04-13 11:56:19 UTC Depends On 1326369
Tomas Hoger 2016-04-13 11:58:53 UTC Depends On 1326368
Tomas Hoger 2016-04-13 11:59:04 UTC Depends On 1326370
Tomas Hoger 2016-04-13 12:03:03 UTC Depends On 1326365
Tomas Hoger 2016-04-13 12:03:11 UTC Depends On 1326364
Tomas Hoger 2016-04-13 12:03:13 UTC Depends On 1326362
Tomas Hoger 2016-04-13 12:03:17 UTC Depends On 1326361
Tomas Hoger 2016-04-13 12:47:49 UTC Fixed In Version samba 4.4.2, samba 4.3.8, samba 4.2.11 samba 4.4.1, samba 4.3.7, samba 4.2.10
Huzaifa S. Sidhpurwala 2016-04-19 05:28:19 UTC Status NEW CLOSED
Resolution --- ERRATA
Last Closed 2016-04-19 01:28:19 UTC
Product Security DevOps Team 2019-09-29 13:45:06 UTC Whiteboard impact=moderate,public=20160412,reported=20160224,source=upstream,cvss2=4.3/AV:A/AC:M/Au:N/C:P/I:P/A:N,cwe=CWE-300,rhel-5/samba=affected,rhel-5/samba3x=affected,rhel-6/samba=affected,rhel-6/samba4=affected,rhel-7/samba=affected,rhes-3.1/samba=affected,fedora-all/samba=affected,rhel-4/samba=affected,rhel-5.6.z/samba=affected,rhel-5.9.z/samba=affected,rhel-6.2.z/samba=affected,rhel-6.4.z/samba=affected,rhel-6.5.z/samba=affected,rhel-6.6.z/samba=affected,rhel-7.1.z/samba=affected,rhel-6.2.z/samba4=affected,rhel-6.4.z/samba4=affected,rhel-6.5.z/samba4=affected,rhel-6.6.z/samba4=affected,rhel-5.6.z/samba3x=affected,rhel-5.9.z/samba3x=affected