The branch, master has been updated
       via  e7896e9 NEWS[4.16.4]: Samba 4.16.4, 4.15.9 and 4.14.14 Security Releases Available for Download
      from  0112f92 NEWS[4.16.3]: Samba 4.16.3 Available for Download

https://git.samba.org/?p=samba-web.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit e7896e963b75b65d95a52d535bb7d592ff646955
Author: Jule Anger <jan...@samba.org>
Date:   Wed Jul 27 10:38:46 2022 +0200

    NEWS[4.16.4]: Samba 4.16.4, 4.15.9 and 4.14.14 Security Releases Available for Download

    Signed-off-by: Jule Anger <jan...@samba.org>
    Signed-off-by: Stefan Metzmacher <me...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 history/header_history.html                      |   3 +
 history/samba-4.14.14.html                       |  70 ++++++++++++++
 history/samba-4.15.9.html                        |  70 ++++++++++++++
 history/samba-4.16.4.html                        |  67 ++++++++++++++
 history/security.html                            |  28 ++++++
 posted_news/20220727-081708.4.16.4.body.html     |  52 +++++++++++
 posted_news/20220727-081708.4.16.4.headline.html |   3 +
 security/CVE-2022-2031.html                      | 111 +++++++++++++++++++++++
 security/CVE-2022-32742.html                     |  88 ++++++++++++++++++
 security/CVE-2022-32744.html                     |  89 ++++++++++++++++++
 security/CVE-2022-32745.html                     |  81 +++++++++++++++++
 security/CVE-2022-32746.html                     |  94 +++++++++++++++++++
 12 files changed, 756 insertions(+)
 create mode 100644 history/samba-4.14.14.html
 create mode 100644 history/samba-4.15.9.html
 create mode 100644 history/samba-4.16.4.html
 create mode 100644 posted_news/20220727-081708.4.16.4.body.html
 create mode 100644 posted_news/20220727-081708.4.16.4.headline.html
 create mode 100644 security/CVE-2022-2031.html
 create mode 100644 security/CVE-2022-32742.html
 create mode 100644 security/CVE-2022-32744.html
 create mode 100644 security/CVE-2022-32745.html
 create mode 100644 security/CVE-2022-32746.html

Changeset truncated at 500 lines:

diff --git a/history/header_history.html b/history/header_history.html index 00c4105..523e9f3 100755 --- a/history/header_history.html +++ b/history/header_history.html 
@@ -9,10 +9,12 @@ <li><a href="/samba/history/">Release Notes</a> <li class="navSub"> <ul> + <li><a href="samba-4.16.4.html">samba-4.16.4</a></li> <li><a href="samba-4.16.3.html">samba-4.16.3</a></li> <li><a href="samba-4.16.2.html">samba-4.16.2</a></li> <li><a href="samba-4.16.1.html">samba-4.16.1</a></li> <li><a href="samba-4.16.0.html">samba-4.16.0</a></li> + <li><a href="samba-4.15.9.html">samba-4.15.9</a></li> <li><a href="samba-4.15.8.html">samba-4.15.8</a></li> <li><a href="samba-4.15.7.html">samba-4.15.7</a></li> <li><a href="samba-4.15.6.html">samba-4.15.6</a></li> @@ -22,6 +24,7 @@ <li><a href="samba-4.15.2.html">samba-4.15.2</a></li> <li><a href="samba-4.15.1.html">samba-4.15.1</a></li> <li><a href="samba-4.15.0.html">samba-4.15.0</a></li> + <li><a href="samba-4.14.14.html">samba-4.14.14</a></li> <li><a href="samba-4.14.13.html">samba-4.14.13</a></li> <li><a href="samba-4.14.12.html">samba-4.14.12</a></li> <li><a href="samba-4.14.11.html">samba-4.14.11</a></li> diff --git a/history/samba-4.14.14.html b/history/samba-4.14.14.html new file mode 100644 index 0000000..b5f4793 --- /dev/null +++ b/history/samba-4.14.14.html 
@@ -0,0 +1,70 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.14.14 - Release Notes</title> +</head> +<body> +<H2>Samba 4.14.14 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.14.14.tar.gz">Samba 4.14.14 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.14.14.tar.asc">Signature</a> +</p> +<p> +<a href="https://download.samba.org/pub/samba/patches/samba-4.14.13-4.14.14.diffs.gz">Patch (gzipped) against Samba 4.14.13</a><br> +<a href="https://download.samba.org/pub/samba/patches/samba-4.14.13-4.14.14.diffs.asc">Signature</a> +</p> +<p> +<pre> + =============================== + Release Notes for Samba 4.14.14 + July 27, 2022 + =============================== + + +This is a security release in order to address the following defects: + +o CVE-2022-2031: Samba AD users can bypass certain restrictions associated with + changing passwords. + https://www.samba.org/samba/security/CVE-2022-2031.html + +o CVE-2022-32744: Samba AD users can forge password change requests for any user. + https://www.samba.org/samba/security/CVE-2022-32744.html + +o CVE-2022-32745: Samba AD users can crash the server process with an LDAP add + or modify request. + https://www.samba.org/samba/security/CVE-2022-32745.html + +o CVE-2022-32746: Samba AD users can induce a use-after-free in the server + process with an LDAP add or modify request. + https://www.samba.org/samba/security/CVE-2022-32746.html + +o CVE-2022-32742: Server memory information leak via SMB1. + https://www.samba.org/samba/security/CVE-2022-32742.html + +Changes since 4.14.13 +--------------------- + +o Jeremy Allison <j...@samba.org> + * BUG 15085: CVE-2022-32742. + +o Andrew Bartlett <abart...@samba.org> + * BUG 15009: CVE-2022-32746. + +o Andreas Schneider <a...@samba.org> + * BUG 15047: CVE-2022-2031. 
+ +o Isaac Boukris <ibouk...@gmail.com> + * BUG 15047: CVE-2022-2031. + +o Joseph Sutton <josephsut...@catalyst.net.nz> + * BUG 15008: CVE-2022-32745. + * BUG 15009: CVE-2022-32746. + * BUG 15047: CVE-2022-2031. + * BUG 15074: CVE-2022-32744. + + +</pre> +</p> +</body> +</html> diff --git a/history/samba-4.15.9.html b/history/samba-4.15.9.html new file mode 100644 index 0000000..173d648 --- /dev/null +++ b/history/samba-4.15.9.html 
@@ -0,0 +1,70 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.15.9 - Release Notes</title> +</head> +<body> +<H2>Samba 4.15.9 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.15.9.tar.gz">Samba 4.15.9 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.15.9.tar.asc">Signature</a> +</p> +<p> +<a href="https://download.samba.org/pub/samba/patches/samba-4.15.8-4.15.9.diffs.gz">Patch (gzipped) against Samba 4.15.8</a><br> +<a href="https://download.samba.org/pub/samba/patches/samba-4.15.8-4.15.9.diffs.asc">Signature</a> +</p> +<p> +<pre> + ============================== + Release Notes for Samba 4.15.9 + July 27, 2022 + ============================== + + +This is a security release in order to address the following defects: + +o CVE-2022-2031: Samba AD users can bypass certain restrictions associated with + changing passwords. + https://www.samba.org/samba/security/CVE-2022-2031.html + +o CVE-2022-32744: Samba AD users can forge password change requests for any user. + https://www.samba.org/samba/security/CVE-2022-32744.html + +o CVE-2022-32745: Samba AD users can crash the server process with an LDAP add + or modify request. + https://www.samba.org/samba/security/CVE-2022-32745.html + +o CVE-2022-32746: Samba AD users can induce a use-after-free in the server + process with an LDAP add or modify request. + https://www.samba.org/samba/security/CVE-2022-32746.html + +o CVE-2022-32742: Server memory information leak via SMB1. + https://www.samba.org/samba/security/CVE-2022-32742.html + +Changes since 4.15.8 +-------------------- + +o Jeremy Allison <j...@samba.org> + * BUG 15085: CVE-2022-32742. + +o Andrew Bartlett <abart...@samba.org> + * BUG 15009: CVE-2022-32746. + +o Isaac Boukris <ibouk...@gmail.com> + * BUG 15047: CVE-2022-2031. 
+ +o Andreas Schneider <a...@samba.org> + * BUG 15047: CVE-2022-2031. + +o Joseph Sutton <josephsut...@catalyst.net.nz> + * BUG 15008: CVE-2022-32745. + * BUG 15009: CVE-2022-32746. + * BUG 15047: CVE-2022-2031. + * BUG 15074: CVE-2022-32744. + + +</pre> +</p> +</body> +</html> diff --git a/history/samba-4.16.4.html b/history/samba-4.16.4.html new file mode 100644 index 0000000..acda866 --- /dev/null +++ b/history/samba-4.16.4.html 
@@ -0,0 +1,67 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.16.4 - Release Notes</title> +</head> +<body> +<H2>Samba 4.16.4 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.16.4.tar.gz">Samba 4.16.4 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.16.4.tar.asc">Signature</a> +</p> +<p> +<a href="https://download.samba.org/pub/samba/patches/samba-4.16.3-4.16.4.diffs.gz">Patch (gzipped) against Samba 4.16.3</a><br> +<a href="https://download.samba.org/pub/samba/patches/samba-4.16.3-4.16.4.diffs.asc">Signature</a> +</p> +<p> +<pre> + ============================== + Release Notes for Samba 4.16.4 + July 27, 2022 + ============================== + + +This is a security release in order to address the following defects: + +o CVE-2022-2031: Samba AD users can bypass certain restrictions associated with + changing passwords. + https://www.samba.org/samba/security/CVE-2022-2031.html + +o CVE-2022-32744: Samba AD users can forge password change requests for any user. + https://www.samba.org/samba/security/CVE-2022-32744.html + +o CVE-2022-32745: Samba AD users can crash the server process with an LDAP add + or modify request. + https://www.samba.org/samba/security/CVE-2022-32745.html + +o CVE-2022-32746: Samba AD users can induce a use-after-free in the server + process with an LDAP add or modify request. + https://www.samba.org/samba/security/CVE-2022-32746.html + +o CVE-2022-32742: Server memory information leak via SMB1. + https://www.samba.org/samba/security/CVE-2022-32742.html + +Changes since 4.16.3 +-------------------- + +o Jeremy Allison <j...@samba.org> + * BUG 15085: CVE-2022-32742. + +o Andrew Bartlett <abart...@samba.org> + * BUG 15009: CVE-2022-32746. + +o Andreas Schneider <a...@samba.org> + * BUG 15047: CVE-2022-2031. 
+ +o Joseph Sutton <josephsut...@catalyst.net.nz> + * BUG 15008: CVE-2022-32745. + * BUG 15009: CVE-2022-32746. + * BUG 15047: CVE-2022-2031. + * BUG 15074: CVE-2022-32744. + + +</pre> +</p> +</body> +</html> diff --git a/history/security.html b/history/security.html index 54118f8..2b9ed15 100755 --- a/history/security.html +++ b/history/security.html @@ -32,6 +32,34 @@ link to full release notes for each release.</p> <td><em>Details</em></td> </tr> + <tr> + <td>27 July 2022</td> + <td><a href="/samba/ftp/patches/security/samba-4.16.4-security-2022-07-27.patch"> + patch for Samba 4.16.4</a><br /> + <a href="/samba/ftp/patches/security/samba-4.15.9-security-2022-07-27.patch"> + patch for Samba 4.15.9</a><br /> + <a href="/samba/ftp/patches/security/samba-4.14.14-security-2022-07-27.patch"> + patch for Samba 4.14.14</a><br /> + </td> + <td>CVE-2022-2031, CVE-2022-32742, CVE-2022-32744, CVE-2022-32745 and CVE-2022-32746. + Please see announcements for details. + </td> + <td>Please refer to the advisories.</td> + <td> +<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2031">CVE-2022-2031</a>, +<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32742">CVE-2022-32742</a>, +<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32744">CVE-2022-32744</a>, +<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32745">CVE-2022-32745</a>, +<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32746">CVE-2022-32746</a>. + </td> + <td> +<a href="/samba/security/CVE-2022-2031.html">Announcement</a>, +<a href="/samba/security/CVE-2022-32742.html">Announcement</a>, +<a href="/samba/security/CVE-2022-32744.html">Announcement</a>, +<a href="/samba/security/CVE-2022-32745.html">Announcement</a>, +<a href="/samba/security/CVE-2022-32746.html">Announcement</a>. + </td> + <tr> <td>31 January 2022</td> <td><a href="/samba/ftp/patches/security/samba-4.15.5-security-2022-01-31.patch"> 
diff --git a/posted_news/20220727-081708.4.16.4.body.html b/posted_news/20220727-081708.4.16.4.body.html new file mode 100644 index 0000000..eae2068 --- /dev/null +++ b/posted_news/20220727-081708.4.16.4.body.html 
@@ -0,0 +1,52 @@ +<!-- BEGIN: posted_news/20220727-081708.4.16.4.body.html --> +<h5><a name="4.16.4">27 July 2022</a></h5> +<p class=headline>Samba 4.16.4, 4.15.9 and 4.14.14 Security Releases are available for Download</p> +<p> +These are Security Releases in order to address +<a href="/samba/security/CVE-2022-2031.html">CVE-2022-2031</a>, +<a href="/samba/security/CVE-2022-32742.html">CVE-2022-32742</a>, +<a href="/samba/security/CVE-2022-32744.html">CVE-2022-32744</a>, +<a href="/samba/security/CVE-2022-32745.html">CVE-2022-32745</a> and +<a href="/samba/security/CVE-2022-32746.html">CVE-2022-32746</a>. +</p> + +<p> +If you are building/using ldb from a system library, you'll +also need the related updated ldb tarball, otherwise you can ignore it. +</p> + +<p> +The uncompressed Samba tarball has been signed using GnuPG (ID AA99442FB680B620). +</p> + +<p> +The uncompressed ldb tarballs have been signed using GnuPG (ID 4793916113084025). +</p> + +<p> +The Samba 4.16.4 source code can be +<a href="https://download.samba.org/pub/samba/stable/samba-4.16.4.tar.gz">downloaded now</a>. +A <a href="https://download.samba.org/pub/samba/patches/samba-4.16.3-4.16.4.diffs.gz">patch against Samba 4.16.3</a> is also available. +See <a href="https://www.samba.org/samba/history/samba-4.16.4.html">the release notes for more info</a>. +The ldb 2.5.2 release for use with Samba 4.16.4 can be +<a href="https://download.samba.org/pub/ldb/ldb-2.5.2.tar.gz">downloaded here</a>. +</p> + +<p> +The Samba 4.15.9 source code can be +<a href="https://download.samba.org/pub/samba/stable/samba-4.15.9.tar.gz">downloaded now</a>. +A <a href="https://download.samba.org/pub/samba/patches/samba-4.15.8-4.15.9.diffs.gz">patch against Samba 4.15.8</a> is also available. +See <a href="https://www.samba.org/samba/history/samba-4.15.9.html">the release notes for more info</a>. 
+The ldb 2.4.4 release for use with Samba 4.15.9 can be +<a href="https://download.samba.org/pub/ldb/ldb-2.4.4.tar.gz">downloaded here</a>. +</p> + +<p> +The Samba 4.14.14 source code can be +<a href="https://download.samba.org/pub/samba/stable/samba-4.14.14.tar.gz">downloaded now</a>. +A <a href="https://download.samba.org/pub/samba/patches/samba-4.14.13-4.14.14.diffs.gz">patch against Samba 4.14.13</a> is also available. +See <a href="https://www.samba.org/samba/history/samba-4.14.14.html">the release notes for more info</a>. +The ldb 2.3.4 release for use with Samba 4.14.14 can be +<a href="https://download.samba.org/pub/ldb/ldb-2.3.4.tar.gz">downloaded here</a>. +</p> +<!-- END: posted_news/20220727-081708.4.16.4.body.html --> diff --git a/posted_news/20220727-081708.4.16.4.headline.html b/posted_news/20220727-081708.4.16.4.headline.html new file mode 100644 index 0000000..a2e8d28 --- /dev/null +++ b/posted_news/20220727-081708.4.16.4.headline.html @@ -0,0 +1,3 @@ +<!-- BEGIN: posted_news/20220727-081708.4.16.4.headline.html --> +<li> 27 July 2022 <a href="#4.16.4">Samba 4.16.4, 4.15.9 and 4.14.14 Security Releases are available for Download</a></li> +<!-- END: posted_news/20220727-081708.4.16.4.headline.html --> diff --git a/security/CVE-2022-2031.html b/security/CVE-2022-2031.html new file mode 100644 index 0000000..36e9247 --- /dev/null +++ b/security/CVE-2022-2031.html 
@@ -0,0 +1,111 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> + +<head> +<title>Samba - Security Announcement Archive</title> +</head> + +<body> + + <H2>CVE-2022-2031.html:</H2> + +<p> +<pre> +=========================================================== +== Subject: Samba AD users can bypass certain restrictions +== associated with changing passwords. +== +== CVE ID#: CVE-2022-2031 +== +== Versions: All versions of Samba prior to 4.16.4 +== +== Summary: The KDC and the kpasswd service share a single account +== and set of keys, allowing them to decrypt each other's +== tickets. A user who has been requested to change their +== password can exploit this to obtain and use tickets to +== other services. +=========================================================== + +=========== +Description +=========== + +The KDC and the kpasswd service share a single account and set of +keys. In certain cases, this makes the two services susceptible to +confusion. + +When a user's password has expired, that user is requested to change +their password. Until doing so, the user is restricted to only +acquiring tickets to kpasswd. + +However, a vulnerability meant that the kpasswd's principal, when +canonicalized, was set to that of the TGS (Ticket-Granting Service), +thus yielding TGTs from ordinary kpasswd requests. These TGTs could be +used to perform an Elevation of Privilege attack by obtaining service +tickets and using services in the forest. This vulnerability existed +in versions of Samba built with Heimdal Kerberos. + +A separate vulnerability in Samba versions below 4.16, and in Samba +built with MIT Kerberos, led the KDC to accept kpasswd tickets as if +they were TGTs, with the same overall outcome. + +On the reverse side of the issue, password changes could be effected +by presenting TGTs as if they were kpasswd tickets. 
TGTs having +potentially longer lifetimes than kpasswd tickets, the value of a +stolen cache containing a TGT was hence increased to an attacker, with +the possibility of indefinite control over an account by means of a +password change. + +Finally, kpasswd service tickets would be accepted for changes to +one's own password, contrary to the requirement that tickets be +acquired with an initial KDC request in such cases. + +As part of the mitigations, the lifetime of kpasswd tickets has been +restricted to a maximum of two minutes. The KDC will not longer accept +TGTs with two minutes or less left to live, to make sure it does not +accept kpasswd tickets. + +================== +Patch Availability +================== + +Patches addressing these issues have been posted to: + + https://www.samba.org/samba/security/ + +Additionally, Samba 4.16.4, 4.15.9, and 4.14.14 have been issued +as security releases to correct the defect. Samba administrators are +advised to upgrade to these releases or apply the patch as soon +as possible. + +================== +CVSSv3 calculation +================== + +CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (5.4) + +========== +Workaround +========== + +kpasswd is not a critical protocol for the AD DC in most installations, it can +be disabled by setting "kpasswd port = 0" in the smb.conf. + +======= +Credits +======= + +Originally reported by Luke Howard. + +Patches provided by Joseph Sutton and Andreas Schneider of the Samba +team. + +========================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +========================================================== + +</pre> +</body> +</html> diff --git a/security/CVE-2022-32742.html b/security/CVE-2022-32742.html new file mode 100644 index 0000000..4dcaf8f --- /dev/null +++ b/security/CVE-2022-32742.html 
@@ -0,0 +1,88 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> + +<head> +<title>Samba - Security Announcement Archive</title> +</head> + +<body> + + <H2>CVE-2022-32742.html:</H2> + +<p> +<pre> +==================================================================== +== Subject: Server memory information leak via SMB1. +== +== CVE ID#: CVE-2022-32742 +== +== Versions: All versions of Samba. +== -- Samba Website Repository
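
Review bot: history/samba-4.14.14.html declares an XHTML 1.0 Transitional doctype but uses an uppercase <H2>, unclosed <br> tags and a <pre> block nested inside <p>, which does not validate as XHTML; the same markup is repeated in the new samba-4.15.9.html and samba-4.16.4.html. Suggest <h2>, <br /> (the form the history/security.html hunk in this same commit already uses) and closing the <p> before the <pre> opens.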
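
Review bot: in history/samba-4.16.4.html the "Changes since 4.16.3" list has no Isaac Boukris entry for BUG 15047, although the 4.15.9 and 4.14.14 release notes added in this commit both carry one, and the diffstat shows 67 lines for this file against 70 for the other two. If the 4.16 branch did not need that patch this is fine; otherwise please add the entry so the three release notes credit the same fix consistently.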
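
Review bot: the new "27 July 2022" row in history/security.html is opened with <tr> but is never closed; the added lines go from the last </td> straight to the next <tr>. The header row in the context above does end with </tr>, so suggest adding </tr> after the final </td> of the new row to keep the table well-formed.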
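
Review bot: posted_news/20220727-081708.4.16.4.body.html identifies the signing keys only by 64-bit key ID (AA99442FB680B620 and 4793916113084025) and links the .tar.gz downloads without the matching signature files, while stating that it is the uncompressed tarballs that were signed. Suggest giving the full key fingerprints, linking the .tar.asc next to each download as the history pages do for the Samba tarball, and saying that the archive has to be decompressed before the signature is checked. Minor: the attribute in <p class=headline> is unquoted.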
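
Review bot: in security/CVE-2022-2031.html the mitigation paragraph reads "The KDC will not longer accept TGTs", which should be "no longer". The "Versions: All versions of Samba prior to 4.16.4" line also sits oddly beside the Patch Availability section, which names 4.15.9 and 4.14.14 as fixed releases; consider listing the fixed version per branch. The <p> opened before <pre> is never closed (the file ends </pre> </body>), unlike the history pages, which end </pre> </p>.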