Alpine: libsmbclient, pam-winbind, multiple samba packages: security update to 4.2.7-r0 (deprecated)

medium Tenable Self-Hosted Container Security Plugin ID 400986

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- The SMB1 implementation in smbd in Samba 3.x and 4.x before 4.1.23, 4.2.x before 4.2.9, 4.3.x before
4.3.6, and 4.4.x before 4.4.0rc4 allows remote authenticated users to modify arbitrary ACLs by using a
UNIX SMB1 call to create a symlink, and then using a non-UNIX SMB1 call to write to the ACL content.
(CVE-2015-7560)

- The internal DNS server in Samba 4.x before 4.1.23, 4.2.x before 4.2.9, 4.3.x before 4.3.6, and 4.4.x
before 4.4.0rc4, when an AD DC is configured, allows remote authenticated users to cause a denial of
service (out-of-bounds read) or possibly obtain sensitive information from process memory by uploading a
crafted DNS TXT record. (CVE-2016-0771)

See Also

https://git.alpinelinux.org/aports/commit/?id=a7b59db29dee86bbffce822cd486c84f5ce3fb43

https://git.alpinelinux.org/aports/commit/?id=e44afa81c87bd2e939a9335a4a0f79e9d2e29a6b

Plugin Details

Severity: Medium

ID: 400986

Version: Revision 1.23

Type: Local

Published: 8/16/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.5

Percentile: 51.63

CVSS v2

Risk Factor: Medium

Base Score: 4.9

Temporal Score: 3.6

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:N/A:P

CVSS Score Source: CVE-2016-0771

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2015-7560

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/15/2016

Vulnerability Publication Date: 3/8/2016

Reference Information

CVE: CVE-2015-7560, CVE-2016-0771

BID: 84267, 84273