The branch, v4-5-stable has been updated via 6e6361e VERSION: Release Samba 4.5.12 for CVE-2017-11103 via 31b6d82 WHATSNEW: Add release notes for Samba 4.5.12 via 229735b CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation via af9d932 VERSION: Bump version up to 4.5.12... from 31052eb VERSION: Disable GIT_SNAPSHOTS for the 4.5.11 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-5-stable - Log ----------------------------------------------------------------- commit 6e6361ee4fd28098638850e3eda3d4ac2c3396f4 Author: Bob Campbell <bobcampb...@catalyst.net.nz> Date: Wed Jul 12 15:16:06 2017 +1200 VERSION: Release Samba 4.5.12 for CVE-2017-11103 Signed-off-by: Bob Campbell <bobcampb...@catalyst.net.nz> Signed-off-by: Stefan Metzmacher <me...@samba.org> commit 31b6d82de35ab5b287bc17dc3605c71ab2df1aa7 Author: Bob Campbell <bobcampb...@catalyst.net.nz> Date: Wed Jul 12 15:15:26 2017 +1200 WHATSNEW: Add release notes for Samba 4.5.12 Signed-off-by: Bob Campbell <bobcampb...@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <me...@samba.org> commit 229735bf7dc2ec1ce7e6074491f151784f46e7de Author: Jeffrey Altman <jalt...@secure-endpoints.com> Date: Wed Apr 12 15:40:42 2017 -0400 CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation In _krb5_extract_ticket() the KDC-REP service name must be obtained from encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unecrypted version provides an opportunity for successful server impersonation and other attacks. Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams. Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c BUG: https://bugzilla.samba.org/show_bug.cgi?id=12894 (based on heimdal commit 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea) Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Garming Sam <garm...@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <me...@samba.org> ----------------------------------------------------------------------- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 57 +++++++++++++++++++++++++++++++++++++-- source4/heimdal/lib/krb5/ticket.c | 4 +-- 3 files changed, 58 insertions(+), 5 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 22871d4..b5eaa03 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ ######################################################## SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=5 -SAMBA_VERSION_RELEASE=11 +SAMBA_VERSION_RELEASE=12 ######################################################## # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 0c022e7..a519b6c 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,4 +1,57 @@ ============================== + Release Notes for Samba 4.5.12 + July 12, 2017 + ============================== + + +This is a security release in order to address the following defect: + +o CVE-2017-11103 (Orpheus' Lyre mutual authentication validation bypass) + +======= +Details +======= + +o CVE-2017-11103 (Heimdal): + All versions of Samba from 4.0.0 onwards using embedded Heimdal + Kerberos are vulnerable to a man-in-the-middle attack impersonating + a trusted server, who may gain elevated access to the domain by + returning malicious replication or authorization data. + + Samba binaries built against MIT Kerberos are not vulnerable. + + +Changes since 4.5.11: +--------------------- + +o Jeffrey Altman <jalt...@secure-endpoints.com> + * BUG 12894: CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the "Samba 4.1 and newer" product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- + + ============================== Release Notes for Samba 4.5.11 July 6, 2017 ============================== @@ -85,8 +138,8 @@ database (https://bugzilla.samba.org/). ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- + ============================== Release Notes for Samba 4.5.10 diff --git a/source4/heimdal/lib/krb5/ticket.c b/source4/heimdal/lib/krb5/ticket.c index 064bbfb..5a317c7 100644 --- a/source4/heimdal/lib/krb5/ticket.c +++ b/source4/heimdal/lib/krb5/ticket.c @@ -641,8 +641,8 @@ _krb5_extract_ticket(krb5_context context, /* check server referral and save principal */ ret = _krb5_principalname2krb5_principal (context, &tmp_principal, - rep->kdc_rep.ticket.sname, - rep->kdc_rep.ticket.realm); + rep->enc_part.sname, + rep->enc_part.srealm); if (ret) goto out; if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){ -- Samba Shared Repository