samba: crypto downgrade
Package(s): samba
CVE #(s): CVE-2016-2119
Created: July 8, 2016
Updated: December 19, 2016
Description: From the Slackware advisory:

This release fixes a security issue: Client side SMB2/3 required signing can be downgraded. It's possible for an attacker to downgrade the required signing for an SMB2/3 client connection, by injecting the SMB2_SESSION_FLAG_IS_GUEST or SMB2_SESSION_FLAG_IS_NULL flags. This means that the attacker can impersonate a server being connected to by Samba, and return malicious results.
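
A client-side policy check for the downgrade described above, as an added example (not code from Samba or from the advisory): when the client requires signing, a SESSION_SETUP response that marks the session as guest or null is rejected instead of being allowed to relax the policy. The function names, verdict values and sample packet are hypothetical; the field offsets and flag values follow the SMB2 specification (MS-SMB2).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Values from the SMB2 specification (MS-SMB2). */
#define SMB2_HDR_LEN               64
#define SMB2_OP_SESSION_SETUP      0x0001
#define SMB2_SESSION_FLAG_IS_GUEST 0x0001
#define SMB2_SESSION_FLAG_IS_NULL  0x0002

enum setup_verdict { SETUP_OK = 0, SETUP_MALFORMED = -1, SETUP_DOWNGRADE = -2 };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Hypothetical helper: inspect a final SESSION_SETUP response. SessionFlags
 * comes from the peer, so it must never switch off signing that local
 * policy requires; guest and null sessions cannot be signed. */
enum setup_verdict check_session_setup(const uint8_t *pdu, size_t len,
                                       int signing_required)
{
    static const uint8_t magic[4] = { 0xFE, 'S', 'M', 'B' };

    if (len < SMB2_HDR_LEN + 8 || memcmp(pdu, magic, 4) != 0)
        return SETUP_MALFORMED;
    if (le16(pdu + 4) != SMB2_HDR_LEN || le16(pdu + 12) != SMB2_OP_SESSION_SETUP)
        return SETUP_MALFORMED;
    if (le16(pdu + SMB2_HDR_LEN) != 9)   /* StructureSize of the response body */
        return SETUP_MALFORMED;

    uint16_t session_flags = le16(pdu + SMB2_HDR_LEN + 2);
    if (signing_required &&
        (session_flags & (SMB2_SESSION_FLAG_IS_GUEST | SMB2_SESSION_FLAG_IS_NULL)))
        return SETUP_DOWNGRADE;
    return SETUP_OK;
}

/* Constructed sample: minimal 72-byte response with the given SessionFlags. */
size_t build_sample(uint8_t *out, uint16_t session_flags)
{
    memset(out, 0, SMB2_HDR_LEN + 8);
    out[0] = 0xFE; memcpy(out + 1, "SMB", 3);
    out[4] = SMB2_HDR_LEN;
    out[12] = SMB2_OP_SESSION_SETUP;
    out[SMB2_HDR_LEN] = 9;
    out[SMB2_HDR_LEN + 2] = (uint8_t)(session_flags & 0xFF);
    out[SMB2_HDR_LEN + 3] = (uint8_t)(session_flags >> 8);
    return SMB2_HDR_LEN + 8;
}

int main(void)
{
    uint8_t pdu[SMB2_HDR_LEN + 8];
    size_t n = build_sample(pdu, SMB2_SESSION_FLAG_IS_GUEST);
    return check_session_setup(pdu, n, 1) == SETUP_DOWNGRADE ? 0 : 1;
}
```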