The branch, master has been updated via 4e1e3f6 NEWS[4.14.1]: Samba 4.14.2 (4.14.1), 4.13.7 (4.13.6) and 4.12.14 (4.12.13) Security Releases from 837ed7a update ml etiquette
https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 4e1e3f656288f06f197d83cbefe74920d544739b Author: Karolin Seeger <ksee...@samba.org> Date: Tue Mar 23 09:32:25 2021 +0100 NEWS[4.14.1]: Samba 4.14.2 (4.14.1), 4.13.7 (4.13.6) and 4.12.14 (4.12.13) Security Releases Signed-off-by: Karolin Seeger <ksee...@samba.org> ----------------------------------------------------------------------- Summary of changes: history/header_history.html | 6 ++ history/samba-4.12.13.html | 62 ++++++++++++++++ history/samba-4.12.14.html | 59 +++++++++++++++ history/samba-4.13.6.html | 62 ++++++++++++++++ history/samba-4.13.7.html | 59 +++++++++++++++ history/samba-4.14.1.html | 62 ++++++++++++++++ history/samba-4.14.2.html | 59 +++++++++++++++ history/security.html | 20 +++++ posted_news/20210324-085952.4.14.1.body.html | 83 +++++++++++++++++++++ posted_news/20210324-085952.4.14.1.headline.html | 4 + security/CVE-2020-27840.html | 93 ++++++++++++++++++++++++ security/CVE-2021-20277.html | 86 ++++++++++++++++++++++ 12 files changed, 655 insertions(+) create mode 100644 history/samba-4.12.13.html create mode 100644 history/samba-4.12.14.html create mode 100644 history/samba-4.13.6.html create mode 100644 history/samba-4.13.7.html create mode 100644 history/samba-4.14.1.html create mode 100644 history/samba-4.14.2.html create mode 100644 posted_news/20210324-085952.4.14.1.body.html create mode 100644 posted_news/20210324-085952.4.14.1.headline.html create mode 100644 security/CVE-2020-27840.html create mode 100644 security/CVE-2021-20277.html Changeset truncated at 500 lines: diff --git a/history/header_history.html b/history/header_history.html index f079984..81d04cf 100755 --- a/history/header_history.html +++ b/history/header_history.html 
@@ -9,13 +9,19 @@ <li><a href="/samba/history/">Release Notes</a> <li class="navSub"> <ul> + <li><a href="samba-4.14.2.html">samba-4.14.2</a></li> + <li><a href="samba-4.14.1.html">samba-4.14.1</a></li> <li><a href="samba-4.14.0.html">samba-4.14.0</a></li> + <li><a href="samba-4.13.7.html">samba-4.13.7</a></li> + <li><a href="samba-4.13.6.html">samba-4.13.6</a></li> <li><a href="samba-4.13.5.html">samba-4.13.5</a></li> <li><a href="samba-4.13.4.html">samba-4.13.4</a></li> <li><a href="samba-4.13.3.html">samba-4.13.3</a></li> <li><a href="samba-4.13.2.html">samba-4.13.2</a></li> <li><a href="samba-4.13.1.html">samba-4.13.1</a></li> <li><a href="samba-4.13.0.html">samba-4.13.0</a></li> + <li><a href="samba-4.12.14.html">samba-4.12.14</a></li> + <li><a href="samba-4.12.13.html">samba-4.12.13</a></li> <li><a href="samba-4.12.12.html">samba-4.12.12</a></li> <li><a href="samba-4.12.11.html">samba-4.12.11</a></li> <li><a href="samba-4.12.10.html">samba-4.12.10</a></li> diff --git a/history/samba-4.12.13.html b/history/samba-4.12.13.html new file mode 100644 index 0000000..454a204 --- /dev/null +++ b/history/samba-4.12.13.html 
@@ -0,0 +1,62 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.12.13 - Release Notes</title> +</head> +<body> +<H2>Samba 4.12.13 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.12.13.tar.gz">Samba 4.12.13 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.12.13.tar.asc">Signature</a> +</p> +<p> +<a href="https://download.samba.org/pub/samba/patches/samba-4.12.12-4.12.13.diffs.gz">Patch (gzipped) against Samba 4.12.12</a><br> +<a href="https://download.samba.org/pub/samba/patches/samba-4.12.12-4.12.13.diffs.asc">Signature</a> +</p> +<p> +<pre> + =============================== + Release Notes for Samba 4.12.13 + March 24, 2021 + =============================== + + +This is a security release in order to address the following defects: + +o CVE-2020-27840: Heap corruption via crafted DN strings. +o CVE-2021-20277: Out of bounds read in AD DC LDAP server. + + +======= +Details +======= + +o CVE-2020-27840: + An anonymous attacker can crash the Samba AD DC LDAP server by sending easily + crafted DNs as part of a bind request. More serious heap corruption is likely + also possible. + +o CVE-2021-20277: + User-controlled LDAP filter strings against the AD DC LDAP server may crash + the LDAP server. + +For more details, please refer to the security advisories. + + +Changes since 4.12.12 +--------------------- + +o Andrew Bartlett <abart...@samba.org> + * BUG 14655: CVE-2021-20277: Fix out of bounds read in ldb_handler_fold. + +o Douglas Bagnall <douglas.bagn...@catalyst.net.nz> + * BUG 14595: CVE-2020-27840: Fix unauthenticated remote heap corruption via + bad DNs. + * BUG 14655: CVE-2021-20277: Fix out of bounds read in ldb_handler_fold. + + +</pre> +</p> +</body> +</html> 
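Review bot: samba-4.12.13.html offers the 4.12.13 tarball and patch as a normal release, while the posted_news body in this same commit says "Please ignore the 4.14.1, 4.13.6 and 4.12.13 releases and only use 4.14.2, 4.13.7 and 4.12.14"; add a line above the download links (or at the top of the release notes) stating that 4.12.13 is superseded by 4.12.14 and linking samba-4.12.14.html, otherwise anyone arriving via the history index picks up the wrong tarball. Separately, the markup does not validate against the XHTML 1.0 Transitional doctype it declares: a "<p>" may only contain inline content, so the "<p>" ... "</p>" wrapper around "<pre>" should go, and the unclosed "<br>" after the tarball link should be "<br />". Both points apply equally to samba-4.13.6.html and samba-4.14.1.html, which use the identical template.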
diff --git a/history/samba-4.12.14.html b/history/samba-4.12.14.html new file mode 100644 index 0000000..e8334c6 --- /dev/null +++ b/history/samba-4.12.14.html @@ -0,0 +1,59 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.12.14 - Release Notes</title> +</head> +<body> +<H2>Samba 4.12.14 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.12.14.tar.gz">Samba 4.12.14 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.12.14.tar.asc">Signature</a> +</p> +<p> +<a href="https://download.samba.org/pub/samba/patches/samba-4.12.13-4.12.14.diffs.gz">Patch (gzipped) against Samba 4.12.13</a><br> +<a href="https://download.samba.org/pub/samba/patches/samba-4.12.13-4.12.14.diffs.asc">Signature</a> +</p> +<p> +<pre> + =============================== + Release Notes for Samba 4.12.14 + March 24, 2021 + =============================== + + +This is a follow-up release to depend on the correct ldb version. This is only +needed when building against a system ldb library. + +This is a security release in order to address the following defects: + +o CVE-2020-27840: Heap corruption via crafted DN strings. +o CVE-2021-20277: Out of bounds read in AD DC LDAP server. + + +======= +Details +======= + +o CVE-2020-27840: + An anonymous attacker can crash the Samba AD DC LDAP server by sending easily + crafted DNs as part of a bind request. More serious heap corruption is likely + also possible. + +o CVE-2021-20277: + User-controlled LDAP filter strings against the AD DC LDAP server may crash + the LDAP server. + +For more details, please refer to the security advisories. + + +Changes since 4.12.13 +--------------------- + +o Release with dependency on ldb version 2.1.5. + + +</pre> +</p> +</body> +</html> 
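Review bot: the intro of samba-4.12.14.html still says "This is a security release in order to address the following defects" although "Changes since 4.12.13" lists only "Release with dependency on ldb version 2.1.5", so a reader comparing the two pages cannot tell whether the CVE fixes are new here or were already shipped in 4.12.13. State plainly that 4.12.14 carries the same CVE-2020-27840 and CVE-2021-20277 fixes as 4.12.13 and supersedes it, and name the required ldb version in the "follow-up release" paragraph where people building against a system ldb will look; the announcement also mentions a separate updated ldb tarball that could be linked from here. The same applies to samba-4.13.7.html (ldb 2.2.1) and samba-4.14.2.html (ldb 2.3.0).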
diff --git a/history/samba-4.13.6.html b/history/samba-4.13.6.html new file mode 100644 index 0000000..9f98301 --- /dev/null +++ b/history/samba-4.13.6.html 
@@ -0,0 +1,62 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.13.6 - Release Notes</title> +</head> +<body> +<H2>Samba 4.13.6 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.13.6.tar.gz">Samba 4.13.6 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.13.6.tar.asc">Signature</a> +</p> +<p> +<a href="https://download.samba.org/pub/samba/patches/samba-4.13.5-4.13.6.diffs.gz">Patch (gzipped) against Samba 4.13.5</a><br> +<a href="https://download.samba.org/pub/samba/patches/samba-4.13.5-4.13.6.diffs.asc">Signature</a> +</p> +<p> +<pre> + ============================== + Release Notes for Samba 4.13.6 + March 24, 2021 + ============================== + + +This is a security release in order to address the following defects: + +o CVE-2020-27840: Heap corruption via crafted DN strings. +o CVE-2021-20277: Out of bounds read in AD DC LDAP server. + + +======= +Details +======= + +o CVE-2020-27840: + An anonymous attacker can crash the Samba AD DC LDAP server by sending easily + crafted DNs as part of a bind request. More serious heap corruption is likely + also possible. + +o CVE-2021-20277: + User-controlled LDAP filter strings against the AD DC LDAP server may crash + the LDAP server. + +For more details, please refer to the security advisories. + + +Changes since 4.13.5 +-------------------- + +o Andrew Bartlett <abart...@samba.org> + * BUG 14655: CVE-2021-20277: Fix out of bounds read in ldb_handler_fold. + +o Douglas Bagnall <douglas.bagn...@catalyst.net.nz> + * BUG 14595: CVE-2020-27840: Fix unauthenticated remote heap corruption via + bad DNs. + * BUG 14655: CVE-2021-20277: Fix out of bounds read in ldb_handler_fold. + + +</pre> +</p> +</body> +</html> 
diff --git a/history/samba-4.13.7.html b/history/samba-4.13.7.html new file mode 100644 index 0000000..d2f8773 --- /dev/null +++ b/history/samba-4.13.7.html @@ -0,0 +1,59 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.13.7 - Release Notes</title> +</head> +<body> +<H2>Samba 4.13.7 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.13.7.tar.gz">Samba 4.13.7 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.13.7.tar.asc">Signature</a> +</p> +<p> +<a href="https://download.samba.org/pub/samba/patches/samba-4.13.6-4.13.7.diffs.gz">Patch (gzipped) against Samba 4.13.6</a><br> +<a href="https://download.samba.org/pub/samba/patches/samba-4.13.6-4.13.7.diffs.asc">Signature</a> +</p> +<p> +<pre> + ============================== + Release Notes for Samba 4.13.7 + March 24, 2021 + ============================== + + +This is a follow-up release to depend on the correct ldb version. This is only +needed when building against a system ldb library. + +This is a security release in order to address the following defects: + +o CVE-2020-27840: Heap corruption via crafted DN strings. +o CVE-2021-20277: Out of bounds read in AD DC LDAP server. + + +======= +Details +======= + +o CVE-2020-27840: + An anonymous attacker can crash the Samba AD DC LDAP server by sending easily + crafted DNs as part of a bind request. More serious heap corruption is likely + also possible. + +o CVE-2021-20277: + User-controlled LDAP filter strings against the AD DC LDAP server may crash + the LDAP server. + +For more details, please refer to the security advisories. + + +Changes since 4.13.6 +-------------------- + +o Release with dependency on ldb version 2.2.1. + + +</pre> +</p> +</body> +</html> 
diff --git a/history/samba-4.14.1.html b/history/samba-4.14.1.html new file mode 100644 index 0000000..2e9f58d --- /dev/null +++ b/history/samba-4.14.1.html 
@@ -0,0 +1,62 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.14.1 - Release Notes</title> +</head> +<body> +<H2>Samba 4.14.1 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.14.1.tar.gz">Samba 4.14.1 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.14.1.tar.asc">Signature</a> +</p> +<p> +<a href="https://download.samba.org/pub/samba/patches/samba-4.14.0-4.14.1.diffs.gz">Patch (gzipped) against Samba 4.14.0</a><br> +<a href="https://download.samba.org/pub/samba/patches/samba-4.14.0-4.14.1.diffs.asc">Signature</a> +</p> +<p> +<pre> + ============================== + Release Notes for Samba 4.14.1 + March 24, 2021 + ============================== + + +This is a security release in order to address the following defects: + +o CVE-2020-27840: Heap corruption via crafted DN strings. +o CVE-2021-20277: Out of bounds read in AD DC LDAP server. + + +======= +Details +======= + +o CVE-2020-27840: + An anonymous attacker can crash the Samba AD DC LDAP server by sending easily + crafted DNs as part of a bind request. More serious heap corruption is likely + also possible. + +o CVE-2021-20277: + User-controlled LDAP filter strings against the AD DC LDAP server may crash + the LDAP server. + +For more details, please refer to the security advisories. + + +Changes since 4.14.0 +-------------------- + +o Andrew Bartlett <abart...@samba.org> + * BUG 14655: CVE-2021-20277: Fix out of bounds read in ldb_handler_fold. + +o Douglas Bagnall <douglas.bagn...@catalyst.net.nz> + * BUG 14595: CVE-2020-27840: Fix unauthenticated remote heap corruption via + bad DNs. + * BUG 14655: CVE-2021-20277: Fix out of bounds read in ldb_handler_fold. + + +</pre> +</p> +</body> +</html> 
diff --git a/history/samba-4.14.2.html b/history/samba-4.14.2.html new file mode 100644 index 0000000..5cd752f --- /dev/null +++ b/history/samba-4.14.2.html @@ -0,0 +1,59 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.14.2 - Release Notes</title> +</head> +<body> +<H2>Samba 4.14.2 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.14.2.tar.gz">Samba 4.14.2 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.14.2.tar.asc">Signature</a> +</p> +<p> +<a href="https://download.samba.org/pub/samba/patches/samba-4.14.1-4.14.2.diffs.gz">Patch (gzipped) against Samba 4.14.1</a><br> +<a href="https://download.samba.org/pub/samba/patches/samba-4.14.1-4.14.2.diffs.asc">Signature</a> +</p> +<p> +<pre> + ============================== + Release Notes for Samba 4.14.2 + March 24, 2021 + ============================== + + +This is a follow-up release to depend on the correct ldb version. This is only +needed when building against a system ldb library. + +This is a security release in order to address the following defects: + +o CVE-2020-27840: Heap corruption via crafted DN strings. +o CVE-2021-20277: Out of bounds read in AD DC LDAP server. + + +======= +Details +======= + +o CVE-2020-27840: + An anonymous attacker can crash the Samba AD DC LDAP server by sending easily + crafted DNs as part of a bind request. More serious heap corruption is likely + also possible. + +o CVE-2021-20277: + User-controlled LDAP filter strings against the AD DC LDAP server may crash + the LDAP server. + +For more details, please refer to the security advisories. + + +Changes since 4.14.1 +-------------------- + +o Release with dependency on ldb version 2.3.0. + + +</pre> +</p> +</body> +</html> diff --git a/history/security.html b/history/security.html index b314df2..ee397c8 100755 
--- a/history/security.html +++ b/history/security.html @@ -26,6 +26,26 @@ link to full release notes for each release.</p> <td><em>Details</em></td> </tr> + <tr> + <td>24 Mar 2021</td> + <td><a href="/samba/ftp/patches/security/samba-4.14.0-security-2021-03-24.patch"> + patch for Samba 4.14.0</a><br /> + <a href="/samba/ftp/patches/security/samba-4.13.5-security-2021-03-24.patch"> + patch for Samba 4.13.5</a><br /> + <a href="/samba/ftp/patches/security/samba-4.12.12-security-2021-03-24.patch"> + patch for Samba 4.12.12</a><br /> + </td> + <td>CVE-2020-27840 and CVE-2021-20277. Please see announcements for details. + </td> + <td>Please refer to the advisories.</td> + <td><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27840">CVE-2020-27840</a>, + <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20277">CVE-2021-20277</a>. + </td> + <td><a href="/samba/security/CVE-2020-27840.html">Announcement</a>, + <a href="/samba/security/CVE-2021-20277.html">Announcement</a>. + </td> + </tr> + <tr> <td>29 Oct 2020</td> <td><a href="/samba/ftp/patches/security/samba-4.13.0-security-2020-10-29.patch"> diff --git a/posted_news/20210324-085952.4.14.1.body.html b/posted_news/20210324-085952.4.14.1.body.html new file mode 100644 index 0000000..0403ae1 --- /dev/null +++ b/posted_news/20210324-085952.4.14.1.body.html 
@@ -0,0 +1,83 @@ +<!-- BEGIN: posted_news/20210324-085952.4.14.1.body.html --> +<h5><a name="4.14.1">24 March 2021</a></h5> +<p class=headline>Samba 4.14.2 (4.14.1), 4.13.7 (4.13.6) and 4.12.14 (4.12.13) +Security Releases</p> +<p> +These are security releases in order to address <a +href="/samba/security/CVE-2020-27840.html">CVE-2020-27840</a> +(Heap corruption via crafted DN strings) and <a +href="/samba/security/CVE-2021-20277.html">CVE-2021-20277</a> (Out of bounds +read in AD DC LDAP server). +</p> + +<p> +Please ignore the 4.14.1, 4.13.6 and 4.12.13 releases +and only use 4.14.2, 4.13.7 and 4.12.14. +</p> + +<p> +If you are building/using ldb from a system library, you'll +also need the related updated ldb tarball, otherwise you can ignore it. +</p> + +<p> +The uncompressed Samba tarballs have been signed using GnuPG (ID AA99442FB680B620). +</p> +<p> +The uncompressed ldb tarballs have been signed using GnuPG (ID 4793916113084025). +</p> + +<p> +The Samba 4.14.2 source code can be +<a +href="https://download.samba.org/pub/samba/stable/samba-4.14.2.tar.gz">downloaded +here</a>.</br> +Incremental patches for Samba are also available: +<a +href="https://download.samba.org/pub/samba/patches/samba-4.14.0-4.14.1.diffs.gz">patch +from Samba 4.14.0 to 4.14.1</a> and +<a +href="https://download.samba.org/pub/samba/patches/samba-4.14.1-4.14.2.diffs.gz">patch -- Samba Website Repository
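Review bot: in the new security.html row the Details column is a placeholder ("Please refer to the advisories.") and the previous column already says "Please see announcements for details", so the row says nothing about impact; fill Details with the one-line summaries used in the release notes of this commit, "Heap corruption via crafted DN strings" for CVE-2020-27840 and "Out of bounds read in AD DC LDAP server" for CVE-2021-20277, and label the two identical "Announcement" links in the last column with their CVE ids so a reader can tell which advisory each one opens.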
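Review bot: "here</a>.</br>" in the posted_news body uses "</br>", an end tag for a void element, which is invalid in XHTML and is only turned into a line break by lenient HTML parsers; write "<br />" as the security.html hunk in this commit does. The attribute in "<p class=headline>" should also be quoted ("<p class=\"headline\">") for the same doctype reason.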