The branch, master has been updated
       via  52725a6 Fix typos.
       via  6aa8ada Advisory CVE-2018-1057: Add latest changes from Andrew.
       via  ae45dc4 Add Samba 4.7.6, 4.6.14 and 4.5.16.
      from  eb22034 team: Update URL for my home page

https://git.samba.org/?p=samba-web.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit 52725a68c9b15a1ccfb598b912a611f0671d3d1d
Author: Karolin Seeger <ksee...@samba.org>
Date:   Tue Mar 13 10:07:29 2018 +0100

    Fix typos.

    Signed-off-by: Karolin Seeger <ksee...@samba.org>

commit 6aa8ada977d0f13622bca3e36e904036476c6935
Author: Karolin Seeger <ksee...@samba.org>
Date:   Tue Mar 13 09:41:18 2018 +0100

    Advisory CVE-2018-1057: Add latest changes from Andrew.

    Signed-off-by: Karolin Seeger <ksee...@samba.org>

commit ae45dc43e49ad36c62b55471d1a4894888b2201a
Author: Karolin Seeger <ksee...@samba.org>
Date:   Tue Mar 13 08:22:44 2018 +0100

    Add Samba 4.7.6, 4.6.14 and 4.5.16.

    Add security advisories and update sec site.

    Signed-off-by: Karolin Seeger <ksee...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 history/header_history.html                     |  3 +
 history/samba-4.5.16.html                       | 75 +++++++++++++++++++
 history/samba-4.6.14.html                       | 75 +++++++++++++++++++
 history/samba-4.7.6.html                        | 75 +++++++++++++++++++
 history/security.html                           | 19 +++++
 posted_news/20180313-072335.4.7.6.body.html     | 24 ++++++
 posted_news/20180313-072335.4.7.6.headline.html |  3 +
 security/CVE-2018-1050.html                     | 75 +++++++++++++++++++
 security/CVE-2018-1057.html                     | 98 +++++++++++++++++++++++++
 9 files changed, 447 insertions(+)
 create mode 100644 history/samba-4.5.16.html
 create mode 100644 history/samba-4.6.14.html
 create mode 100644 history/samba-4.7.6.html
 create mode 100644 posted_news/20180313-072335.4.7.6.body.html
 create mode 100644 posted_news/20180313-072335.4.7.6.headline.html
 create mode 100644 security/CVE-2018-1050.html
 create mode 100644 security/CVE-2018-1057.html

Changeset truncated at 500 lines:

diff --git a/history/header_history.html b/history/header_history.html index fadbcd2..7215d25 100755 --- a/history/header_history.html +++ b/history/header_history.html 
@@ -9,12 +9,14 @@ <li><a href="/samba/history/">Release Notes</a> <li class="navSub"> <ul> + <li><a href="samba-4.7.6.html">samba-4.7.6</a></li> <li><a href="samba-4.7.5.html">samba-4.7.5</a></li> <li><a href="samba-4.7.4.html">samba-4.7.4</a></li> <li><a href="samba-4.7.3.html">samba-4.7.3</a></li> <li><a href="samba-4.7.2.html">samba-4.7.2</a></li> <li><a href="samba-4.7.1.html">samba-4.7.1</a></li> <li><a href="samba-4.7.0.html">samba-4.7.0</a></li> + <li><a href="samba-4.6.14.html">samba-4.6.14</a></li> <li><a href="samba-4.6.13.html">samba-4.6.13</a></li> <li><a href="samba-4.6.12.html">samba-4.6.12</a></li> <li><a href="samba-4.6.11.html">samba-4.6.11</a></li> @@ -29,6 +31,7 @@ <li><a href="samba-4.6.2.html">samba-4.6.2</a></li> <li><a href="samba-4.6.1.html">samba-4.6.1</a></li> <li><a href="samba-4.6.0.html">samba-4.6.0</a></li> + <li><a href="samba-4.5.16.html">samba-4.5.16</a></li> <li><a href="samba-4.5.15.html">samba-4.5.15</a></li> <li><a href="samba-4.5.14.html">samba-4.5.14</a></li> <li><a href="samba-4.5.13.html">samba-4.5.13</a></li> diff --git a/history/samba-4.5.16.html b/history/samba-4.5.16.html new file mode 100644 index 0000000..5251b3d --- /dev/null +++ b/history/samba-4.5.16.html 
@@ -0,0 +1,75 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.5.16 - Release Notes</title> +</head> +<body> +<H2>Samba 4.5.16 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.5.16.tar.gz">Samba 4.5.16 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.5.16.tar.asc">Signature</a> +</p> +<p> +<a href="https://download.samba.org/pub/samba/patches/samba-4.5.15-4.5.16.diffs.gz">Patch (gzipped) against Samba 4.5.15</a><br> +<a href="https://download.samba.org/pub/samba/patches/samba-4.5.15-4.5.16.diffs.asc">Signature</a> +</p> +<p> +<pre> + ============================== + Release Notes for Samba 4.5.16 + March 13, 2018 + ============================== + + +This is a security release in order to address the following defects: + +o CVE-2018-1050 (Denial of Service Attack on external print server.) +o CVE-2018-1057 (Authenticated users can change other users' password.) + + +======= +Details +======= + +o CVE-2018-1050: + All versions of Samba from 4.0.0 onwards are vulnerable to a denial of + service attack when the RPC spoolss service is configured to be run as + an external daemon. Missing input sanitization checks on some of the + input parameters to spoolss RPC calls could cause the print spooler + service to crash. + + There is no known vulnerability associated with this error, merely a + denial of service. If the RPC spoolss service is left by default as an + internal service, all a client can do is crash its own authenticated + connection. + +o CVE-2018-1057: + On a Samba 4 AD DC the LDAP server in all versions of Samba from + 4.0.0 onwards incorrectly validates permissions to modify passwords + over LDAP allowing authenticated users to change any other users' + passwords, including administrative users. 
+ + Possible workarounds are described at a dedicated page in the Samba wiki: + https://wiki.samba.org/index.php/CVE-2018-1057 + + +Changes since 4.5.15: +--------------------- + +o Jeremy Allison <j...@samba.org> + * BUG 11343: CVE-2018-1050: Codenomicon crashes in spoolss server code. + +o Ralph Boehme <s...@samba.org> + * BUG 13272: CVE-2018-1057: Unprivileged user can change any user (and admin) + password. + +o Stefan Metzmacher <me...@samba.org> + * BUG 13272: CVE-2018-1057: Unprivileged user can change any user (and admin) + password. + + +</pre> +</p> +</body> +</html> diff --git a/history/samba-4.6.14.html b/history/samba-4.6.14.html new file mode 100644 index 0000000..da41784 --- /dev/null +++ b/history/samba-4.6.14.html 
@@ -0,0 +1,75 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.6.14 - Release Notes</title> +</head> +<body> +<H2>Samba 4.6.14 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.6.14.tar.gz">Samba 4.6.14 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.6.14.tar.asc">Signature</a> +</p> +<p> +<a href="https://download.samba.org/pub/samba/patches/samba-4.6.13-4.6.14.diffs.gz">Patch (gzipped) against Samba 4.6.13</a><br> +<a href="https://download.samba.org/pub/samba/patches/samba-4.6.13-4.6.14.diffs.asc">Signature</a> +</p> +<p> +<pre> + ============================== + Release Notes for Samba 4.6.14 + March 13, 2018 + ============================= + + +This is a security release in order to address the following defects: + +o CVE-2018-1050 (Denial of Service Attack on external print server.) +o CVE-2018-1057 (Authenticated users can change other users' password.) + + +======= +Details +======= + +o CVE-2018-1050: + All versions of Samba from 4.0.0 onwards are vulnerable to a denial of + service attack when the RPC spoolss service is configured to be run as + an external daemon. Missing input sanitization checks on some of the + input parameters to spoolss RPC calls could cause the print spooler + service to crash. + + There is no known vulnerability associated with this error, merely a + denial of service. If the RPC spoolss service is left by default as an + internal service, all a client can do is crash its own authenticated + connection. + +o CVE-2018-1057: + On a Samba 4 AD DC the LDAP server in all versions of Samba from + 4.0.0 onwards incorrectly validates permissions to modify passwords + over LDAP allowing authenticated users to change any other users' + passwords, including administrative users. 
+ + Possible workarounds are described at a dedicated page in the Samba wiki: + https://wiki.samba.org/index.php/CVE-2018-1057 + + +Changes since 4.6.12: +--------------------- + +o Jeremy Allison <j...@samba.org> + * BUG 11343: CVE-2018-1050: Codenomicon crashes in spoolss server code. + +o Ralph Boehme <s...@samba.org> + * BUG 13272: CVE-2018-1057: Unprivileged user can change any user (and admin) + password. + +o Stefan Metzmacher <me...@samba.org> + * BUG 13272: CVE-2018-1057: Unprivileged user can change any user (and admin) + password. + + +</pre> +</p> +</body> +</html> diff --git a/history/samba-4.7.6.html b/history/samba-4.7.6.html new file mode 100644 index 0000000..d6eae24 --- /dev/null +++ b/history/samba-4.7.6.html 
@@ -0,0 +1,75 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.7.6 - Release Notes</title> +</head> +<body> +<H2>Samba 4.7.6 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.7.6.tar.gz">Samba 4.7.6 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.7.6.tar.asc">Signature</a> +</p> +<p> +<a href="https://download.samba.org/pub/samba/patches/samba-4.7.5-4.7.6.diffs.gz">Patch (gzipped) against Samba 4.7.5</a><br> +<a href="https://download.samba.org/pub/samba/patches/samba-4.7.5-4.7.6.diffs.asc">Signature</a> +</p> +<p> +<pre> + ============================= + Release Notes for Samba 4.7.6 + March 13, 2018 + ============================= + + +This is a security release in order to address the following defects: + +o CVE-2018-1050 (Denial of Service Attack on external print server.) +o CVE-2018-1057 (Authenticated users can change other users' password.) + + +======= +Details +======= + +o CVE-2018-1050: + All versions of Samba from 4.0.0 onwards are vulnerable to a denial of + service attack when the RPC spoolss service is configured to be run as + an external daemon. Missing input sanitization checks on some of the + input parameters to spoolss RPC calls could cause the print spooler + service to crash. + + There is no known vulnerability associated with this error, merely a + denial of service. If the RPC spoolss service is left by default as an + internal service, all a client can do is crash its own authenticated + connection. + +o CVE-2018-1057: + On a Samba 4 AD DC the LDAP server in all versions of Samba from + 4.0.0 onwards incorrectly validates permissions to modify passwords + over LDAP allowing authenticated users to change any other users' + passwords, including administrative users. 
+ + Possible workarounds are described at a dedicated page in the Samba wiki: + https://wiki.samba.org/index.php/CVE-2018-1057 + + +Changes since 4.7.5: +-------------------- + +o Jeremy Allison <j...@samba.org> + * BUG 11343: CVE-2018-1050: Codenomicon crashes in spoolss server code. + +o Ralph Boehme <s...@samba.org> + * BUG 13272: CVE-2018-1057: Unprivileged user can change any user (and admin) + password. + +o Stefan Metzmacher <me...@samba.org> + * BUG 13272: CVE-2018-1057: Unprivileged user can change any user (and admin) + password. + + +</pre> +</p> +</body> +</html> diff --git a/history/security.html b/history/security.html index 79958ea..d81359a 100755 --- a/history/security.html +++ b/history/security.html @@ -22,6 +22,25 @@ link to full release notes for each release.</p> </tr> <tr> + <td>13 Mar 2018</td> + <td><a href="/samba/ftp/patches/security/samba-4.7.5-security-2018-03-13.patch"> + patch for Samba 4.7.5</a><br /> + <a href="/samba/ftp/patches/security/samba-4.6.13-security-2018-03-13.patch"> + patch for Samba 4.6.13</a><br /> + <a href="/samba/ftp/patches/security/samba-4.5.15-security-2018-03-13.patch"> + patch for Samba 4.5.15</a><br /> + <td>Numerous CVEs. Please see the announcements for details. + </td> + <td>please refer to the advisories</td> + <td><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1050">CVE-2018-1050</a>, + <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1057">CVE-2018-1057</a> + </td> + <td><a href="/samba/security/CVE-2018-1050.html">Announcement</a>, + <a href="/samba/security/CVE-2018-1057.html">Announcement</a> + </td> + </tr> + + <tr> <td>21 Nov 2017</td> <td><a href="/samba/ftp/patches/security/samba-4.7.2-security-2017-11-21.patch"> patch for Samba 4.7.2</a><br /> diff --git a/posted_news/20180313-072335.4.7.6.body.html b/posted_news/20180313-072335.4.7.6.body.html new file mode 100644 index 0000000..b18d328 --- /dev/null +++ b/posted_news/20180313-072335.4.7.6.body.html 
@@ -0,0 +1,24 @@ +<!-- BEGIN: posted_news/20180313-072335.4.7.6.body.html --> +<h5><a name="4.7.6">13 March 2018</a></h5> +<p class=headline>Samba 4.7.6, 4.6.14 and 4.5.16 Security Releases Available for Download</p> +<p> +These are security releases in order to address +<a href="/samba/security/CVE-2018-1050.html">CVE-2018-1050</a> +(Denial of Service Attack on external print server) and <a href="/samba/security/CVE-2018-1057.html">CVE-2018-1057</a> + (Authenticated users can change other users' password). +</p> +<p> +The uncompressed tarballs have been signed using GnuPG (ID 6F33915B6568B7EA).<br> +The 4.7.6 source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.7.6.tar.gz">downloaded now</a>. +A <a href="https://download.samba.org/pub/samba/patches/samba-4.7.5-4.7.6.diffs.gz">patch against Samba 4.7.5</a> is also available. +See <a href="https://www.samba.org/samba/history/samba-4.7.6.html">the release notes for more info</a>. +<br> +The 4.6.14 source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.6.14.tar.gz">downloaded now</a>. +A <a href="https://download.samba.org/pub/samba/patches/samba-4.6.13-4.6.14.diffs.gz">patch against Samba 4.6.13</a> is also available. +See <a href="https://www.samba.org/samba/history/samba-4.6.14.html">the release notes for more info</a>. +<br> +The 4.5.16 source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.5.16.tar.gz">downloaded now</a>. +A <a href="https://download.samba.org/pub/samba/patches/samba-4.5.15-4.5.16.diffs.gz">patch against Samba 4.5.15</a> is also available. +See <a href="https://www.samba.org/samba/history/samba-4.5.16.html">the release notes for more info</a>. +</p> +<!-- END: posted_news/20180313-072335.4.7.6.body.html --> diff --git a/posted_news/20180313-072335.4.7.6.headline.html b/posted_news/20180313-072335.4.7.6.headline.html new file mode 100644 index 0000000..b55fd81 --- /dev/null 
+++ b/posted_news/20180313-072335.4.7.6.headline.html @@ -0,0 +1,3 @@ +<!-- BEGIN: posted_news/20180313-072335.4.7.6.headline.html --> +<li> 13 March 2018 <a href="#4.7.6">Samba 4.7.6, 4.6.14 and 4.5.16 Security Releases Available for Download</a></li> +<!-- END: posted_news/20180313-072335.4.7.6.headline.html --> diff --git a/security/CVE-2018-1050.html b/security/CVE-2018-1050.html new file mode 100644 index 0000000..549fab9 --- /dev/null +++ b/security/CVE-2018-1050.html 
@@ -0,0 +1,75 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> + +<head> +<title>Samba - Security Announcement Archive</title> +</head> + +<body> + + <H2>CVE-2018-1050.html + +<p> +<pre> +==================================================================== +== Subject: Denial of Service Attack on external print server. +== +== CVE ID#: CVE-2018-1050 +== +== Versions: All versions of Samba from 4.0.0 onwards. +== +== Summary: Missing null pointer checks may crash the external +== print server process. +== +==================================================================== + +=========== +Description +=========== + +All versions of Samba from 4.0.0 onwards are vulnerable to a denial of +service attack when the RPC spoolss service is configured to be run as +an external daemon. Missing input sanitization checks on some of the +input parameters to spoolss RPC calls could cause the print spooler +service to crash. + +There is no known vulnerability associated with this error, merely a +denial of service. If the RPC spoolss service is left by default as an +internal service, all a client can do is crash its own authenticated +connection. + +================== +Patch Availability +================== + +A patch addressing this defect has been posted to + + http://www.samba.org/samba/security/ + +Additionally, Samba 4.7.6, 4.6.14 and 4.5.16 have been issued as +security releases to correct the defect. Patches against older Samba +versions are available at http://samba.org/samba/patches/. Samba +vendors and administrators running affected versions are advised to +upgrade or apply the patch as soon as possible. + +========== +Workaround +========== + +Ensure the parameter: + +rpc_server:spoolss = external + +is not set in the [global] section of your smb.conf. 
+ +======= +Credits +======= + +This problem was found by the Synopsys Defensics intelligent fuzz +testing tool. Jeremy Allison of Google and the Samba Team provided +the fix. +</pre> +</body> +</html> diff --git a/security/CVE-2018-1057.html b/security/CVE-2018-1057.html new file mode 100644 index 0000000..a030602 --- /dev/null +++ b/security/CVE-2018-1057.html 
@@ -0,0 +1,98 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> + +<head> +<title>Samba - Security Announcement Archive</title> +</head> + +<body> + + <H2>CVE-2018-1057.html + +<p> +<pre> +==================================================================== +== Subject: Authenticated users can change other users' password +== +== CVE ID#: CVE-2018-1057 +== +== Versions: All versions of Samba from 4.0.0 onwards. +== +== Summary: On a Samba 4 AD DC any authenticated user can change +== other users' passwords over LDAP, including the +== passwords of administrative users and service +== accounts. +== +==================================================================== + +=========== +Description +=========== + +On a Samba 4 AD DC the LDAP server in all versions of Samba from +4.0.0 onwards incorrectly validates permissions to modify passwords +over LDAP allowing authenticated users to change any other users' +passwords, including administrative users and privileged service +accounts (eg Domain Controllers). + +The LDAP server incorrectly validates certain LDAP password +modifications against the "Change Password" privilege, but then +performs a password reset operation. + +The change password right in AD is an extended object access right +with the GUID ab721a53-1e2f-11d0-9819-00aa0040529b. + +By default user objects grant the change password right to the +authenticated user's own user object (self) and to everyone +(world). Computer objects grant the change password right to +everyone. + +The corresponding ACEs expressed in SDDL are + +self: (OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS) +world: (OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD) + +The components of these ACEs are + +OA: object access allowed +CR: extended rights +PS: trustee: self +WD: trustee: world/everyone + +The problematic ACE is the one for world/everyone. 
+ +The Windows GUI shows this as "Change password" right granted to +"Everyone". + +========== +Workaround +========== + +Possible workarounds are described at a dedicated page in the Samba wiki: + +https://wiki.samba.org/index.php/CVE-2018-1057 -- Samba Website Repository
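
Review bot: In history/samba-4.6.14.html the changelog heading reads "Changes since 4.6.12:", but the same page links the patch "against Samba 4.6.13" and header_history.html lists samba-4.6.13 as the preceding release, so the heading should read "Changes since 4.6.13:" with its underline lengthened to match. The closing rule of the banner is also one "=" shorter than the opening rule; the 4.5.16 page has both at the same width.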
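
Review bot: In history/security.html the cell holding the three patch links is never closed: after "patch for Samba 4.5.15</a><br />" the next line opens "<td>Numerous CVEs." without a preceding "</td>", so the row's column structure depends on browser error recovery. Add "</td>" after the last patch link. "Numerous CVEs" is also loose wording for a row that lists exactly two, CVE-2018-1050 and CVE-2018-1057.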
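
Review bot: In security/CVE-2018-1050.html the heading "<H2>CVE-2018-1050.html" has no closing tag, and the "<p>" opened before "<pre>" is never closed (the file ends "</pre> </body> </html>"), which does not validate under the declared XHTML 1.0 Transitional doctype; close the heading, use lowercase element names, and drop the "<p>" wrapper around "<pre>". The same unclosed heading appears in security/CVE-2018-1057.html. The Patch Availability section points readers to "http://www.samba.org/samba/security/" and "http://samba.org/samba/patches/" while the download links elsewhere in this commit use https; patch locations in a security advisory should use https as well. The Summary line says "Missing null pointer checks" where the Description says "Missing input sanitization checks"; pick one wording.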
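
Review bot: The CVE-2018-1057 scope differs between the advisory and the release notes added in the same commit: security/CVE-2018-1057.html says the affected passwords include "administrative users and privileged service accounts (eg Domain Controllers)", while the three history/samba-*.html pages stop at "including administrative users". Administrators who read only the release notes will miss that service and DC machine accounts are in scope, so the release-note paragraph should carry the same wording. Minor: "eg" should be "e.g.".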