<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<title>Samba - Release Notes Archive</title>
<H2>Samba 3.5.21 Available for Download</H2>
==============================
Release Notes for Samba 3.5.21
==============================
This is a security release in order to address
CVE-2013-0213 (Clickjacking issue in SWAT) and
CVE-2013-0214 (Potential XSRF in SWAT).
All current released versions of Samba are vulnerable to clickjacking in the
Samba Web Administration Tool (SWAT). When the SWAT pages are integrated into
a malicious web page via a frame or iframe and then overlaid by other content,
an attacker could trick an administrator into potentially changing Samba settings.
In order to be vulnerable, SWAT must have been installed and enabled
either as a standalone server launched from inetd or xinetd, or as a
CGI plugin to Apache. If SWAT has not been installed or enabled (which
is the default install state for Samba) this advisory can be ignored.
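The standard server-side defence against the framing described above is to tell browsers that the SWAT pages may never be embedded by another site, via the X-Frame-Options header and the CSP frame-ancestors directive. The following is an added example, not code from the Samba project or from SWAT's own fix: it shows a CGI-style response being emitted with those headers, plus a small audit function an operator can run over a captured HTTP response to see whether their own SWAT instance is still frameable by an arbitrary third-party page. The sample response bytes and the helper names (add_anti_framing_headers, is_frameable, audit, render_hardened) are constructed for this illustration.

```python
"""Added example (not Samba/SWAT code): emit and audit anti-framing headers.

Assumptions: a CGI writes its own HTTP response; the captured response and
the helper names below are constructed for illustration only.
"""
from __future__ import annotations

# Both headers are sent: CSP frame-ancestors is the modern control and takes
# precedence where supported; X-Frame-Options covers older browsers.
ANTI_FRAMING_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}


def add_anti_framing_headers(headers: dict[str, str]) -> dict[str, str]:
    """Return a copy of the response headers with anti-framing directives added."""
    hardened = dict(headers)
    hardened.update(ANTI_FRAMING_HEADERS)
    return hardened


def parse_response_headers(raw: bytes) -> dict[str, str]:
    """Parse the header block of a raw HTTP/1.x response into a lowercase-keyed dict."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:  # lines[0] is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def is_frameable(headers: dict[str, str]) -> bool:
    """True if an arbitrary third-party page could embed this response in a frame."""
    csp = headers.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = {s.strip("'").lower() for s in parts[1:]}
            # 'none', 'self' or a named origin keep an unrelated attacker page out;
            # '*' or a bare scheme such as https: do not. When frame-ancestors is
            # present browsers ignore X-Frame-Options, so decide here.
            return "*" in sources or any(s.endswith(":") for s in sources)
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return False
    return True


def audit(raw_response: bytes) -> str:
    """One-word verdict for an operator checking a captured response."""
    return "FRAMEABLE" if is_frameable(parse_response_headers(raw_response)) else "protected"


def render_hardened(status_line: str, headers: dict[str, str], body: bytes) -> bytes:
    """Serialise a response the way a CGI would, with anti-framing headers added."""
    out = [status_line]
    for name, value in add_anti_framing_headers(headers).items():
        out.append(f"{name}: {value}")
    return ("\r\n".join(out) + "\r\n\r\n").encode("iso-8859-1") + body


# Constructed sample: a response with no framing protection at all.
UNPATCHED_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>settings form</body></html>"
)


if __name__ == "__main__":
    print("unpatched:", audit(UNPATCHED_RESPONSE))
    hardened = render_hardened("HTTP/1.0 200 OK", {"Content-Type": "text/html"}, b"<html></html>")
    print("hardened:", audit(hardened))
```

The audit deliberately treats a named origin in frame-ancestors as protected, because the threat in this advisory is an unrelated malicious page, not a trusted intranet host; if SWAT is only ever opened directly, 'none' is the right value.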
All current released versions of Samba are vulnerable to a cross-site
request forgery in the Samba Web Administration Tool (SWAT). By guessing a
user's password and then tricking a user who is authenticated with SWAT into
clicking a manipulated URL on a different web page, it is possible to manipulate
In order to be vulnerable, the attacker needs to know the victim's password.
Additionally, SWAT must have been installed and enabled either as a standalone
server launched from inetd or xinetd, or as a CGI plugin to Apache. If SWAT has
not been installed or enabled (which is the default install state for Samba)
this advisory can be ignored.
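The forgery described above works because the application acts on any request that arrives with the victim's credentials, so a link planted on another page is indistinguishable from a click on SWAT's own form. The usual fix is a secret the attacker's page cannot know: a token bound to the authenticated session, embedded in each form and required on every state-changing request. The following is an added example, not code from the Samba project: it derives such a token with an HMAC keyed by a server secret, embeds it in a form, and shows a minimal dispatcher rejecting a GET link, a request without the token, and a token replayed against a different session or form. The session identifier, form names, SERVER_KEY and the helper names are constructed for this illustration.

```python
"""Added example (not Samba/SWAT code): per-session anti-XSRF tokens for a CGI.

Assumptions: the server has a long-lived secret key, and each authenticated
user is associated with some session identifier; all values are constructed.
"""
import hashlib
import hmac
import html
import secrets

# Server-side secret; a real CGI would generate this once and keep it readable
# only by the daemon (assumption for this illustration).
SERVER_KEY = secrets.token_bytes(32)


def make_token(session_id: str, form: str, key: bytes = SERVER_KEY) -> str:
    """Token bound to one session and one form; verifiable without server state."""
    msg = f"{session_id}\x00{form}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def token_is_valid(session_id: str, form: str, presented: str, key: bytes = SERVER_KEY) -> bool:
    """Recompute and compare in constant time so the check leaks nothing byte by byte."""
    expected = make_token(session_id, form, key)
    return hmac.compare_digest(expected, presented or "")


def render_form(session_id: str, form: str, key: bytes = SERVER_KEY) -> str:
    """Emit the form with the token as a hidden field; a cross-site page cannot read it."""
    token = make_token(session_id, form, key)
    return (
        f'<form method="POST" action="/swat/{html.escape(form)}">'
        f'<input type="hidden" name="xsrf" value="{token}">'
        '<input name="setting"><input type="submit"></form>'
    )


def handle_request(method: str, form: str, params: dict, session_id: str,
                   key: bytes = SERVER_KEY) -> str:
    """Dispatcher for a state-changing endpoint; returns a status string."""
    if method != "POST":
        # A GET link can be planted in any page or e-mail; never change state on GET.
        return "405 rejected: state change must be POST"
    if not token_is_valid(session_id, form, params.get("xsrf", ""), key):
        return "403 rejected: missing or wrong anti-XSRF token"
    return f"200 applied: {form} setting={params.get('setting', '')}"


if __name__ == "__main__":
    sid = "sess-constructed-1"
    page = render_form(sid, "commit")
    tok = make_token(sid, "commit")
    print("legitimate POST :", handle_request("POST", "commit", {"setting": "x", "xsrf": tok}, sid))
    print("planted GET link:", handle_request("GET", "commit", {"setting": "x"}, sid))
    print("no token        :", handle_request("POST", "commit", {"setting": "x"}, sid))
    print("other session   :", handle_request("POST", "commit", {"setting": "x", "xsrf": tok}, "sess-2"))
    print("other form      :", handle_request("POST", "delete", {"setting": "x", "xsrf": tok}, sid))
    print("token in page   :", tok in page)
```

Binding the token to both the session and the form name means a token harvested from one page cannot be reused for another action, and because verification recomputes the HMAC, the server keeps no token table.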
o Kai Blin <kai@samba.org>
* BUG 9576: CVE-2013-0213: Fix clickjacking issue in SWAT.
* BUG 9577: CVE-2013-0214: Fix potential XSRF in SWAT.