TODO: $VERSION, $CVE

===========================================================
== Subject:     Spotlight server-side Share Path Disclosure
==
== CVE ID#:     $CVE
==
== Versions:    All versions of Samba prior to $VERSION
==
== Summary:     As part of the Spotlight protocol Samba
==              discloses the server-side abolute path of
==              shares and files and directories in search
==              results.
===========================================================

===========
Description
===========

As part of the Spotlight protocol, the initial request
returns a path associated with the sharename targetted by
the RPC request. Samba returns the real server-side share
path at this point, as well as returning the abosolute
server-side path of results in search queries by clients.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba $VERSIONS have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS 3.0: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (5.3)

==========
Workaround
==========

As a possible workaround disable Spotlight by removing all
configuration stanzas that enable Spotlight ("spotlight =
yes|true").

=======
Credits
=======

Originally reported by Ralph Boehme and Stefan Metzmacher
of SerNet and the Samba team.

Patches provided by Ralph Boehme of SerNet and the Samba
team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================