UbuntuUpdates.org

Package "cifs-utils"

Name: cifs-utils

Description:

Common Internet File System utilities

Latest version: 2:6.9-1ubuntu0.3
Release: focal (20.04)
Level: security
Repository: main
Homepage: https://www.samba.org/~jlayton/cifs-utils/

Links


Download "cifs-utils"


Other versions of "cifs-utils" in Focal

Repository Area Version
base main 2:6.9-1
updates main 2:6.9-1ubuntu0.3

Changelog

Version: 2:6.9-1ubuntu0.3 2025-05-27 20:07:30 UTC

  cifs-utils (2:6.9-1ubuntu0.3) focal-security; urgency=medium

  * Skip checking the Kerberos TGT if a valid service ticket
    is available. (LP: #2099917)
    - d/p/lp2099917-cifs-utils-Skip-TGT-check-if-valid-service.patch
  * SECURITY UPDATE: namespace confusion may lead to disclosing
    sensitive data from host Kerberos credentials cache. (LP: #2099914)
    - d/p/CVE-2025-2312-1.patch: CIFS.upcall to accomodate new
      namespace mount opt.
    - d/p/CVE-2025-2312-2.patch: cifs-utils: add documentation
      for upcall_target.
    - CVE-2025-2312

 -- Matthew Ruffell <email address hidden> Wed, 02 Apr 2025 17:10:02 +1300

Source diff to previous version
2099917 cifs.upcall: If kerberos credential cache already contains a valid service ticket, use that even if TGT is expired
CVE-2025-2312 A flaw was found in cifs-utils. When trying to obtain Kerberos credentials, the cifs.upcall program from the cifs-utils package makes an upcall to th

Version: 2:6.9-1ubuntu0.2 2022-06-02 18:06:20 UTC

  cifs-utils (2:6.9-1ubuntu0.2) focal-security; urgency=medium

  * SECURITY UPDATE: command injection via shell
    - debian/patches/CVE-2020-14342.patch: fix injection in mount.cifs.c.
    - CVE-2020-14342
  * SECURITY UPDATE: krb5 credential use from host
    - debian/patches/CVE-2021-20208-1.patch: try to use container
      namespaces in cifs.upcall.c.
    - debian/patches/CVE-2021-20208-2.patch: fix regression in kerberos
      mount in cifs.upcall.c.
    - CVE-2021-20208
  * SECURITY UPDATE: buffer overflow in ip= command-line argument
    - debian/patches/CVE-2022-27239.patch: fix length check for ip option
      parsing in mount.cifs.c.
    - CVE-2022-27239
  * SECURITY UPDATE: information leak via verbose logging
    - debian/patches/CVE-2022-29869.patch: fix verbose messages on option
      parsing in mount.cifs.c.
    - CVE-2022-29869

 -- Marc Deslauriers <email address hidden> Wed, 01 Jun 2022 12:12:44 -0400

CVE-2020-14342 It was found that cifs-utils' mount.cifs was invoking a shell when requesting the Samba password, which could be used to inject arbitrary commands. A
CVE-2021-20208 A flaw was found in cifs-utils in versions before 6.13. A user when mounting a krb5 CIFS file system from within a container can use Kerberos credent
CVE-2022-27239 In cifs-utils through 6.14, a stack-based buffer overflow when parsing the mount.cifs ip= command-line argument could lead to local attackers gaining
CVE-2022-29869 cifs-utils through 6.14, with verbose logging, can cause an information leak when a file contains = (equal sign) characters but is not a valid creden



About   -   Send Feedback to @ubuntu_updates