The branch, master has been updated
       via  c84ca93 NEWS[4.14.4]: Samba 4.14.4, 4.13.8 and 4.12.15 Available for Download
      from  470c809 fix Lightspeed address
https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit c84ca93f6eb37183b210b042486fd88a3fb6e97b Author: Karolin Seeger <ksee...@samba.org> Date: Mon Apr 26 11:21:29 2021 +0200 NEWS[4.14.4]: Samba 4.14.4, 4.13.8 and 4.12.15 Available for Download Signed-off-by: Karolin Seeger <ksee...@samba.org> ----------------------------------------------------------------------- Summary of changes: history/header_history.html | 3 + history/samba-4.12.15.html | 63 ++++++++++++++++ history/samba-4.13.8.html | 63 ++++++++++++++++ history/samba-4.14.4.html | 63 ++++++++++++++++ history/security.html | 19 +++++ posted_news/20210429-080831.4.14.4.body.html | 22 ++++++ posted_news/20210429-080831.4.14.4.headline.html | 4 + security/CVE-2021-20254.html | 96 ++++++++++++++++++++++++ 8 files changed, 333 insertions(+) create mode 100644 history/samba-4.12.15.html create mode 100644 history/samba-4.13.8.html create mode 100644 history/samba-4.14.4.html create mode 100644 posted_news/20210429-080831.4.14.4.body.html create mode 100644 posted_news/20210429-080831.4.14.4.headline.html create mode 100644 security/CVE-2021-20254.html Changeset truncated at 500 lines: diff --git a/history/header_history.html b/history/header_history.html index e7bf5c2..73047a3 100755 --- a/history/header_history.html +++ b/history/header_history.html @@ -9,10 +9,12 @@ <li><a href="/samba/history/">Release Notes</a> <li class="navSub"> <ul> + <li><a href="samba-4.14.4.html">samba-4.14.4</a></li> <li><a href="samba-4.14.3.html">samba-4.14.3</a></li> <li><a href="samba-4.14.2.html">samba-4.14.2</a></li> <li><a href="samba-4.14.1.html">samba-4.14.1</a></li> <li><a href="samba-4.14.0.html">samba-4.14.0</a></li> + <li><a href="samba-4.13.8.html">samba-4.13.8</a></li> <li><a href="samba-4.13.7.html">samba-4.13.7</a></li> <li><a href="samba-4.13.6.html">samba-4.13.6</a></li> <li><a href="samba-4.13.5.html">samba-4.13.5</a></li> 
@@ -21,6 +23,7 @@ <li><a href="samba-4.13.2.html">samba-4.13.2</a></li> <li><a href="samba-4.13.1.html">samba-4.13.1</a></li> <li><a href="samba-4.13.0.html">samba-4.13.0</a></li> + <li><a href="samba-4.12.15.html">samba-4.12.15</a></li> <li><a href="samba-4.12.14.html">samba-4.12.14</a></li> <li><a href="samba-4.12.13.html">samba-4.12.13</a></li> <li><a href="samba-4.12.12.html">samba-4.12.12</a></li> diff --git a/history/samba-4.12.15.html b/history/samba-4.12.15.html new file mode 100644 index 0000000..907c80f --- /dev/null +++ b/history/samba-4.12.15.html 
@@ -0,0 +1,63 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.12.15 - Release Notes</title> +</head> +<body> +<H2>Samba 4.12.15 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.12.15.tar.gz">Samba 4.12.15 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.12.15.tar.asc">Signature</a> +</p> +<p> +<a href="https://download.samba.org/pub/samba/patches/samba-4.12.14-4.12.15.diffs.gz">Patch (gzipped) against Samba 4.12.14</a><br> +<a href="https://download.samba.org/pub/samba/patches/samba-4.12.14-4.12.15.diffs.asc">Signature</a> +</p> +<p> +<pre> + =============================== + Release Notes for Samba 4.12.15 + April 29, 2021 + =============================== + + +This is a security release in order to address the following defect: + +o CVE-2021-20254: Negative idmap cache entries can cause incorrect group entries + in the Samba file server process token. + + +======= +Details +======= + +o CVE-2021-20254: + The Samba smbd file server must map Windows group identities (SIDs) into unix + group ids (gids). The code that performs this had a flaw that could allow it + to read data beyond the end of the array in the case where a negative cache + entry had been added to the mapping cache. This could cause the calling code + to return those values into the process token that stores the group + membership for a user. + + Most commonly this flaw caused the calling code to crash, but an alert user + (Peter Eriksson, IT Department, Linköping University) found this flaw by + noticing an unprivileged user was able to delete a file within a network + share that they should have been disallowed access to. 
+ + Analysis of the code paths has not allowed us to discover a way for a + remote user to be able to trigger this flaw reproducibly or on demand, + but this CVE has been issued out of an abundance of caution. + + +Changes since 4.12.14 +--------------------- + +o Volker Lendecke <v...@samba.org> + * BUG 14571: CVE-2021-20254: Fix buffer overrun in sids_to_unixids(). + + +</pre> +</p> +</body> +</html> diff --git a/history/samba-4.13.8.html b/history/samba-4.13.8.html new file mode 100644 index 0000000..59c8ef3 --- /dev/null +++ b/history/samba-4.13.8.html 
@@ -0,0 +1,63 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.13.8 - Release Notes</title> +</head> +<body> +<H2>Samba 4.13.8 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.13.8.tar.gz">Samba 4.13.8 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.13.8.tar.asc">Signature</a> +</p> +<p> +<a href="https://download.samba.org/pub/samba/patches/samba-4.13.7-4.13.8.diffs.gz">Patch (gzipped) against Samba 4.13.7</a><br> +<a href="https://download.samba.org/pub/samba/patches/samba-4.13.7-4.13.8.diffs.asc">Signature</a> +</p> +<p> +<pre> + ============================== + Release Notes for Samba 4.13.8 + April 29, 2021 + ============================== + + +This is a security release in order to address the following defect: + +o CVE-2021-20254: Negative idmap cache entries can cause incorrect group entries + in the Samba file server process token. + + +======= +Details +======= + +o CVE-2021-20254: + The Samba smbd file server must map Windows group identities (SIDs) into unix + group ids (gids). The code that performs this had a flaw that could allow it + to read data beyond the end of the array in the case where a negative cache + entry had been added to the mapping cache. This could cause the calling code + to return those values into the process token that stores the group + membership for a user. + + Most commonly this flaw caused the calling code to crash, but an alert user + (Peter Eriksson, IT Department, Linköping University) found this flaw by + noticing an unprivileged user was able to delete a file within a network + share that they should have been disallowed access to. 
+ + Analysis of the code paths has not allowed us to discover a way for a + remote user to be able to trigger this flaw reproducibly or on demand, + but this CVE has been issued out of an abundance of caution. + + +Changes since 4.13.7 +-------------------- + +o Volker Lendecke <v...@samba.org> + * BUG 14571: CVE-2021-20254: Fix buffer overrun in sids_to_unixids(). + + +</pre> +</p> +</body> +</html> diff --git a/history/samba-4.14.4.html b/history/samba-4.14.4.html new file mode 100644 index 0000000..c44797f --- /dev/null +++ b/history/samba-4.14.4.html 
@@ -0,0 +1,63 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.14.4 - Release Notes</title> +</head> +<body> +<H2>Samba 4.14.4 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.14.4.tar.gz">Samba 4.14.4 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.14.4.tar.asc">Signature</a> +</p> +<p> +<a href="https://download.samba.org/pub/samba/patches/samba-4.14.3-4.14.4.diffs.gz">Patch (gzipped) against Samba 4.14.3</a><br> +<a href="https://download.samba.org/pub/samba/patches/samba-4.14.3-4.14.4.diffs.asc">Signature</a> +</p> +<p> +<pre> + ============================== + Release Notes for Samba 4.14.4 + April 29, 2021 + ============================== + + +This is a security release in order to address the following defect: + +o CVE-2021-20254: Negative idmap cache entries can cause incorrect group entries + in the Samba file server process token. + + +======= +Details +======= + +o CVE-2021-20254: + The Samba smbd file server must map Windows group identities (SIDs) into unix + group ids (gids). The code that performs this had a flaw that could allow it + to read data beyond the end of the array in the case where a negative cache + entry had been added to the mapping cache. This could cause the calling code + to return those values into the process token that stores the group + membership for a user. + + Most commonly this flaw caused the calling code to crash, but an alert user + (Peter Eriksson, IT Department, Linköping University) found this flaw by + noticing an unprivileged user was able to delete a file within a network + share that they should have been disallowed access to. 
+ + Analysis of the code paths has not allowed us to discover a way for a + remote user to be able to trigger this flaw reproducibly or on demand, + but this CVE has been issued out of an abundance of caution. + + +Changes since 4.14.3 +-------------------- + +o Volker Lendecke <v...@samba.org> + * BUG 14571: CVE-2021-20254: Fix buffer overrun in sids_to_unixids(). + + +</pre> +</p> +</body> +</html> diff --git a/history/security.html b/history/security.html index ee397c8..236f922 100755 --- a/history/security.html +++ b/history/security.html @@ -26,6 +26,25 @@ link to full release notes for each release.</p> <td><em>Details</em></td> </tr> + <tr> + <td>29 Apr 2021</td> + <td><a href="/samba/ftp/patches/security/samba-4.12.14-security-2021-04-29.patch"> + patch for Samba 4.14.3</a><br /> + <a href="/samba/ftp/patches/security/samba-4.13.7-security-2021-04-29.patch"> + patch for Samba 4.13.7</a><br /> + <a href="/samba/ftp/patches/security/samba-4.12.14-security-2021-04-29.patch"> + patch for Samba 4.12.14</a><br /> + </td> + <td>Negative idmap cache entries can cause incorrect group entries in + the Samba file server process token. + </td> + <td>All versions since 3.6.0.</td> + <td><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20254">CVE-2021-20254</a> + </td> + <td><a href="/samba/security/CVE-2021-20254.html">Announcement</a> + </td> + </tr> + <tr> <td>24 Mar 2021</td> <td><a href="/samba/ftp/patches/security/samba-4.14.0-security-2021-03-24.patch"> diff --git a/posted_news/20210429-080831.4.14.4.body.html b/posted_news/20210429-080831.4.14.4.body.html new file mode 100644 index 0000000..154ab62 --- /dev/null +++ b/posted_news/20210429-080831.4.14.4.body.html 
@@ -0,0 +1,22 @@ +<!-- BEGIN: posted_news/20210429-080831.4.14.4.body.html --> +<h5><a name="4.14.4">29 April 2021</a></h5> +<p class=headline>Samba 4.14.4, 4.13.8 and 4.12.15 Security Releases Available</p> +<p> +These are security releases in order to address <a href="/samba/security/CVE-2021-20254.html">CVE-2021-20254</a> +(Negative idmap cache entries can cause incorrect group entries in the Samba +file server process token). +</p> +<p> +The uncompressed tarballs have been signed using GnuPG (ID AA99442FB680B620). +The 4.14.4 source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.14.4.tar.gz">downloaded now</a>. +A <a href="https://download.samba.org/pub/samba/patches/samba-4.14.3-4.14.4.diffs.gz">patch against Samba 4.14.3</a> is also available. +See <a href="https://www.samba.org/samba/history/samba-4.13.8.html">the 4.14.4 +release notes</a> for more info.</br> +The 4.13.8 source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.13.8.tar.gz">downloaded now</a>. +A <a href="https://download.samba.org/pub/samba/patches/samba-4.13.7-4.13.8.diffs.gz">patch against Samba 4.13.7</a> is also available. +See <a href="https://www.samba.org/samba/history/samba-4.13.8.html">the 4.13.8 release notes</a> for more info.</br> +The 4.12.15 source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.12.15.tar.gz">downloaded now</a>. +A <a href="https://download.samba.org/pub/samba/patches/samba-4.12.14-4.12.15.diffs.gz">patch against Samba 4.12.14</a> is also available. +See <a href="https://www.samba.org/samba/history/samba-4.12.15.html">the 4.12.15 release notes</a> for more info. +</p> +<!-- END: posted_news/20210429-080831.4.14.4.body.html --> diff --git a/posted_news/20210429-080831.4.14.4.headline.html b/posted_news/20210429-080831.4.14.4.headline.html new file mode 100644 index 0000000..564dbb7 --- /dev/null +++ b/posted_news/20210429-080831.4.14.4.headline.html 
@@ -0,0 +1,4 @@ +<!-- BEGIN: posted_news/20210429-080831.4.14.4.headline.html --> +<li> 29 April 2021 <a href="#4.14.4">Samba 4.14.4, 4.13.8 and 4.12.15 Security +Releases Available</a></li> +<!-- END: posted_news/20210429-080831.4.14.4.headline.html --> diff --git a/security/CVE-2021-20254.html b/security/CVE-2021-20254.html new file mode 100644 index 0000000..bf96419 --- /dev/null +++ b/security/CVE-2021-20254.html 
@@ -0,0 +1,96 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> + +<head> +<title>Samba - Security Announcement Archive</title> +</head> + +<body> + + <H2>CVE-2021-20254.html + +<p> +<pre> +=========================================================== +== Subject: Negative idmap cache entries can cause incorrect +== group entries in the Samba file server process +== token. +== +== CVE ID#: CVE-2021-20254 +== +== +== Versions: All versions of the Samba file server since +== Samba 3.6.0 +== +== Summary: A coding error converting SIDs to gids could +== allow unexpected group entries in a process token. +== This could allow unauthorized access to files. +=========================================================== + +=========== +Description +=========== + +The Samba smbd file server must map Windows group identities (SIDs) +into unix group ids (gids). The code that performs this had a flaw +that could allow it to read data beyond the end of the array in the +case where a negative cache entry had been added to the mapping +cache. This could cause the calling code to return those values into +the process token that stores the group membership for a user. + +Most commonly this flaw caused the calling code to crash, but an alert +user (Peter Eriksson, IT Department, Linköping University) found this +flaw by noticing an unprivileged user was able to delete a file within +a network share that they should have been disallowed access to. + +Analysis of the code paths has not allowed us to discover a way for a +remote user to be able to trigger this flaw reproducibly or on demand, +but this CVE has been issued out of an abundance of caution. 
+ +================== +Patch Availability +================== + +Patches addressing this issue has been posted to: + + https://www.samba.org/samba/security/ + +Additionally, Samba 4.14.4, 4.13.8 and 4.12.15 have been issued as +security releases to correct the defect. Samba administrators are +advised to upgrade to these releases or apply the patch as soon as +possible. + +================== +CVSSv3 calculation +================== + +CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N (6.8) + +================================= +Workaround and mitigating factors +================================= + +None. + +======= +Credits +======= + +Reported by Peter Eriksson, IT Department, Linköping University. + +Volker Lendecke of SerNet and the Samba Team provided the fix. + +Patches backported to supported Samba versions and run though the +Samba security process by Noel Power of SuSE and Andrew Bartlett of +Catalyst. + +Advisory written by Jeremy Allison of Google. + +========================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +========================================================== +</pre> +</body> +</html> -- Samba Website Repository
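Review bot: In history/samba-4.12.15.html (and identically in history/samba-4.13.8.html and history/samba-4.14.4.html), the "Signature" link points at a .tar.asc file while the download link next to it is the .tar.gz, and the page does not say that the signature covers the uncompressed tarball. The news item in this same commit does state that the uncompressed tarballs are signed, so a short hint next to the link would save users a failed verification against the .tar.gz. As a style point, the files declare an XHTML 1.0 Transitional doctype but use an unclosed <br> and nest <pre> inside <p>.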
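Review bot: In history/security.html, the first link of the new 29 Apr 2021 row is labelled "patch for Samba 4.14.3" but its href is /samba/ftp/patches/security/samba-4.12.14-security-2021-04-29.patch, the same target as the "patch for Samba 4.12.14" link below it. This looks like a copy-paste slip; following the pattern of the 4.13.7 link, the href should name the 4.14.3 patch file, otherwise an administrator on 4.14.x is handed the 4.12 patch.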
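Review bot: In posted_news/20210429-080831.4.14.4.body.html, the link whose text is "the 4.14.4 release notes" has href https://www.samba.org/samba/history/samba-4.13.8.html; it should point at samba-4.14.4.html, which this commit adds. The two </br> tags are also not valid markup (the other files use <br> or <br />), and class=headline is unquoted.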
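Review bot: In security/CVE-2021-20254.html, the heading opened with <H2>CVE-2021-20254.html is never closed, so the <p> and <pre> holding the whole advisory end up inside the heading element; add the closing </H2>, and close the <p> opened before <pre> as the release-note pages do. In the advisory text, "Patches addressing this issue has been posted" should read "have been posted" and "run though the Samba security process" should read "run through".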