It was reported [1] that Samba's SWAT web configuration interface suffered from a potential clickjacking vulnerability: the SWAT page could be embedded in an attacker's web page using a frame or iframe, and the user then tricked into changing Samba settings. This is being fixed by telling the browser to refuse frame embedding via the "X-Frame-Options: DENY" header.

[1] https://bugzilla.samba.org/show_bug.cgi?id=9576
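The header-based fix described in that comment, as an added example that is not Samba's or SWAT's code: a Python check that decides, from a raw HTTP response head, whether a browser following the HTML Standard's X-Frame-Options algorithm would let a given set of ancestor pages frame it. It goes beyond the comment in also handling SAMEORIGIN, conflicting values from stacked proxies, and a CSP frame-ancestors directive (which overrides X-Frame-Options in current browsers; only 'none', 'self', '*' and exact scheme://host[:port] origins are matched here, a simplification of full CSP source matching). The two sample responses, the hostnames and the SWAT URL are constructed for the example.

```python
"""Decide whether an HTTP response can be framed by a third-party page.

Added example, not Samba/SWAT code. Implements the X-Frame-Options check from
the HTML Standard plus a simplified CSP frame-ancestors check. The responses
below are constructed to mimic an unpatched and a patched SWAT reply.
"""
from urllib.parse import urlsplit

# Constructed sample responses; SWAT is a CGI program and this is not its real output.
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...SWAT status page...</html>"
)
FIXED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: DENY\r\n"          # the header the CVE-2013-0213 fix adds
    "\r\n"
    "<html>...SWAT status page...</html>"
)

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Normalise a URL to its scheme://host:port origin, filling in default ports."""
    u = urlsplit(url)
    port = u.port or DEFAULT_PORTS.get(u.scheme)
    return f"{u.scheme}://{u.hostname}:{port}"


def parse_head(raw):
    """Split the header block of a raw response into (lowercased name, value) pairs."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = []
    for line in head.split("\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def header_values(headers, name):
    """'Get, decode and split' a header: every instance, each split on commas."""
    values = []
    for n, v in headers:
        if n == name:
            values.extend(p.strip() for p in v.split(",") if p.strip())
    return values


def csp_frame_ancestors(headers):
    """Return the source list of the first frame-ancestors directive, or None if absent."""
    for policy in header_values(headers, "content-security-policy"):
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return tokens[1:]
    return None


def csp_allows(sources, page_url, ancestor_urls):
    """Simplified frame-ancestors matching: 'none', 'self', '*' and exact origins only."""
    if not sources or any(s.lower() == "'none'" for s in sources):
        return False
    allowed = set()
    for s in sources:
        if s == "*":
            return True
        allowed.add(origin(page_url) if s.lower() == "'self'" else origin(s))
    return all(origin(a) in allowed for a in ancestor_urls)


def xfo_allows(values, page_url, ancestor_urls):
    """X-Frame-Options check as specified by the HTML Standard."""
    unique = {v.upper() for v in values}
    if len(unique) > 1:                        # conflicting values: browsers refuse to frame
        return False
    value = unique.pop()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return all(origin(a) == origin(page_url) for a in ancestor_urls)
    return True                                # unknown tokens (e.g. ALLOW-FROM) are ignored


def may_be_framed(raw_response, page_url, ancestor_urls):
    """True if every ancestor in ancestor_urls would be allowed to embed page_url."""
    headers = parse_head(raw_response)
    sources = csp_frame_ancestors(headers)
    if sources is not None:                    # CSP frame-ancestors overrides X-Frame-Options
        return csp_allows(sources, page_url, ancestor_urls)
    values = header_values(headers, "x-frame-options")
    if not values:                             # no policy at all: any page can frame it
        return True
    return xfo_allows(values, page_url, ancestor_urls)


if __name__ == "__main__":
    swat = "http://fileserver.example:901/"    # hypothetical SWAT URL (901 is SWAT's usual inetd port)
    attacker = ["http://attacker.example/"]
    print("unpatched, framable by attacker:", may_be_framed(VULNERABLE_RESPONSE, swat, attacker))
    print("patched, framable by attacker:  ", may_be_framed(FIXED_RESPONSE, swat, attacker))
```

Feed `may_be_framed` the head of a real response (for example the output of `curl -si`) together with the page's own URL and the origins you expect to embed it; a True result for a page that drives state-changing actions, like SWAT's configuration forms, is the exposure this bug describes. Note that DENY also blocks same-origin framing, which is why it is the right choice for an admin interface that never needs to be embedded.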
Acknowledgements: Red Hat would like to thank the Samba project for reporting this issue. Upstream acknowledges Jann Horn as the original reporter.
This has been corrected in upstream versions 4.0.2, 3.6.12, and 3.5.21.
http://www.samba.org/samba/history/samba-4.0.2.html
Created samba4 tracking bugs for this issue
Affects: fedora-17 [bug 906003]
Created samba tracking bugs for this issue
Affects: fedora-all [bug 906002]
External References:
https://www.samba.org/samba/security/CVE-2013-0213
https://www.samba.org/samba/history/samba-4.0.2.html
samba-3.6.12-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
samba-4.0.2-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
samba-3.6.12-1.fc17.1 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Samba upstream wants to remove SWAT in Samba 4.1, see: https://lists.samba.org/archive/samba-technical/2013-February/090572.html
Upstream commit: http://git.samba.org/?p=samba.git;a=commitdiff;h=7122594
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2013:1310 https://rhn.redhat.com/errata/RHSA-2013-1310.html
Statement: (none)
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2013:1542 https://rhn.redhat.com/errata/RHSA-2013-1542.html
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2014:0305 https://rhn.redhat.com/errata/RHSA-2014-0305.html