CVE-2014-3560.html:

===========================================================
== Subject:     Remote code execution in nmbd
==
== CVE ID#:     CVE-2014-3560
==
== Versions:    Samba 4.0.0 to 4.1.10
==
== Summary:     Samba 4.0.0 to 4.1.10 are affected by a
==              remote code execution attack on
==		unauthenticated nmbd NetBIOS name services.
==
===========================================================

===========
Description
===========

All current versions of Samba 4.x.x are vulnerable to a remote code
execution vulnerability in the nmbd NetBIOS name services daemon.

A malicious browser can send packets that may overwrite the heap of
the target nmbd NetBIOS name services daemon. It may be possible to
use this to generate a remote code execution vulnerability as the
superuser (root).

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 4.1.11 and 4.0.21 have been issued as security
releases to correct the defect. Patches against older Samba versions
are available at http://samba.org/samba/patches/. Samba vendors and
administrators running affected versions are advised to upgrade or
apply the patch as soon as possible.

==========
Workaround
==========

Do not run nmbd, the NetBIOS name services daemon.

=======
Credits
=======

This problem was found and the fix provided by Volker Lendecke, a
Samba Team member working for SerNet <vl@sernet.de>
https://www.sernet.de.