The branch, master has been updated
       via  1d1e4d5 NEWS[4.17.3]: Samba 4.17.3, 4.16.7 and 4.15.12 Security Releases are available for Download
      from  0e65e3e NEWS[4.17.2]: Samba 4.17.2, 4.16.6 and 4.15.11 Security Releases Available for Download
https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 1d1e4d5b32742b436f1b56e47e7788c45bdf5942 Author: Jule Anger <jan...@samba.org> Date: Tue Nov 15 08:10:55 2022 +0100 NEWS[4.17.3]: Samba 4.17.3, 4.16.7 and 4.15.12 Security Releases are available for Download Signed-off-by: Jule Anger <jan...@samba.org> ----------------------------------------------------------------------- Summary of changes: history/header_history.html | 3 + history/samba-4.15.12.html | 44 ++++++++++ history/{samba-4.16.6.html => samba-4.16.7.html} | 35 ++++---- history/samba-4.17.3.html | 45 ++++++++++ history/security.html | 22 +++++ posted_news/20221115-072401.4.17.3.body.html | 30 +++++++ posted_news/20221115-072401.4.17.3.headline.html | 3 + security/CVE-2022-42898.html | 101 +++++++++++++++++++++++ 8 files changed, 267 insertions(+), 16 deletions(-) create mode 100644 history/samba-4.15.12.html copy history/{samba-4.16.6.html => samba-4.16.7.html} (51%) create mode 100644 history/samba-4.17.3.html create mode 100644 posted_news/20221115-072401.4.17.3.body.html create mode 100644 posted_news/20221115-072401.4.17.3.headline.html create mode 100644 security/CVE-2022-42898.html Changeset truncated at 500 lines: diff --git a/history/header_history.html b/history/header_history.html index 9348c26..945c471 100755 --- a/history/header_history.html +++ b/history/header_history.html @@ -9,9 +9,11 @@ <li><a href="/samba/history/">Release Notes</a> <li class="navSub"> <ul> + <li><a href="samba-4.17.3.html">samba-4.17.3</a></li> <li><a href="samba-4.17.2.html">samba-4.17.2</a></li> <li><a href="samba-4.17.1.html">samba-4.17.1</a></li> <li><a href="samba-4.17.0.html">samba-4.17.0</a></li> + <li><a href="samba-4.16.7.html">samba-4.16.7</a></li> <li><a href="samba-4.16.6.html">samba-4.16.6</a></li> <li><a href="samba-4.16.5.html">samba-4.16.5</a></li> <li><a href="samba-4.16.4.html">samba-4.16.4</a></li> 
@@ -19,6 +21,7 @@ <li><a href="samba-4.16.2.html">samba-4.16.2</a></li> <li><a href="samba-4.16.1.html">samba-4.16.1</a></li> <li><a href="samba-4.16.0.html">samba-4.16.0</a></li> + <li><a href="samba-4.15.12.html">samba-4.15.12</a></li> <li><a href="samba-4.15.11.html">samba-4.15.11</a></li> <li><a href="samba-4.15.10.html">samba-4.15.10</a></li> <li><a href="samba-4.15.9.html">samba-4.15.9</a></li> diff --git a/history/samba-4.15.12.html b/history/samba-4.15.12.html new file mode 100644 index 0000000..34ccc83 --- /dev/null +++ b/history/samba-4.15.12.html 
@@ -0,0 +1,44 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.15.12 - Release Notes</title> +</head> +<body> +<H2>Samba 4.15.12 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.15.12.tar.gz">Samba 4.15.12 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.15.12.tar.asc">Signature</a> +</p> +<p> +<a href="https://download.samba.org/pub/samba/patches/samba-4.15.11-4.15.12.diffs.gz">Patch (gzipped) against Samba 4.15.11</a><br> +<a href="https://download.samba.org/pub/samba/patches/samba-4.15.11-4.15.12.diffs.asc">Signature</a> +</p> +<p> +<pre> + =============================== + Release Notes for Samba 4.15.12 + November 15, 2022 + =============================== + + +This is a security release in order to address the following defects: + +o CVE-2022-42898: Samba's Kerberos libraries and AD DC failed to guard against + integer overflows when parsing a PAC on a 32-bit system, which + allowed an attacker with a forged PAC to corrupt the heap. + https://www.samba.org/samba/security/CVE-2022-42898.html + +Changes since 4.15.11 +--------------------- +o Joseph Sutton <josephsut...@catalyst.net.nz> + * BUG 15203: CVE-2022-42898 + +o Nicolas Williams <n...@twosigma.com> + * BUG 15203: CVE-2022-42898 + + +</pre> +</p> +</body> +</html> diff --git a/history/samba-4.16.6.html b/history/samba-4.16.7.html similarity index 51% copy from history/samba-4.16.6.html copy to history/samba-4.16.7.html index 4423bf2..6aa8756 100644 --- a/history/samba-4.16.6.html +++ b/history/samba-4.16.7.html 
@@ -2,38 +2,41 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> -<title>Samba 4.16.6 - Release Notes</title> +<title>Samba 4.16.7 - Release Notes</title> </head> <body> -<H2>Samba 4.16.6 Available for Download</H2> +<H2>Samba 4.16.7 Available for Download</H2> <p> -<a href="https://download.samba.org/pub/samba/stable/samba-4.16.6.tar.gz">Samba 4.16.6 (gzipped)</a><br> -<a href="https://download.samba.org/pub/samba/stable/samba-4.16.6.tar.asc">Signature</a> +<a href="https://download.samba.org/pub/samba/stable/samba-4.16.7.tar.gz">Samba 4.16.7 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.16.7.tar.asc">Signature</a> </p> <p> -<a href="https://download.samba.org/pub/samba/patches/samba-4.16.5-4.16.6.diffs.gz">Patch (gzipped) against Samba 4.16.5</a><br> -<a href="https://download.samba.org/pub/samba/patches/samba-4.16.5-4.16.6.diffs.asc">Signature</a> +<a href="https://download.samba.org/pub/samba/patches/samba-4.16.6-4.16.7.diffs.gz">Patch (gzipped) against Samba 4.16.6</a><br> +<a href="https://download.samba.org/pub/samba/patches/samba-4.16.6-4.16.7.diffs.asc">Signature</a> </p> <p> <pre> ============================== - Release Notes for Samba 4.16.6 - October 25, 2022 + Release Notes for Samba 4.16.7 + November 15, 2022 ============================== -This is a security release in order to address the following defect: +This is a security release in order to address the following defects: -o CVE-2022-3437: There is a limited write heap buffer overflow in the GSSAPI - unwrap_des() and unwrap_des3() routines of Heimdal (included - in Samba). - https://www.samba.org/samba/security/CVE-2022-3437.html +o CVE-2022-42898: Samba's Kerberos libraries and AD DC failed to guard against + integer overflows when parsing a PAC on a 32-bit system, which + allowed an attacker with a forged PAC to corrupt the heap. 
+ https://www.samba.org/samba/security/CVE-2022-42898.html -Changes since 4.16.5 ---------------------- +Changes since 4.16.6 +-------------------- o Joseph Sutton <josephsut...@catalyst.net.nz> - * BUG 15134: CVE-2022-3437. + * BUG 15203: CVE-2022-42898 + +o Nicolas Williams <n...@twosigma.com> + * BUG 15203: CVE-2022-42898 </pre> diff --git a/history/samba-4.17.3.html b/history/samba-4.17.3.html new file mode 100644 index 0000000..562b067 --- /dev/null +++ b/history/samba-4.17.3.html @@ -0,0 +1,45 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.17.3 - Release Notes</title> +</head> +<body> +<H2>Samba 4.17.3 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.17.3.tar.gz">Samba 4.17.3 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.17.3.tar.asc">Signature</a> +</p> +<p> +<a href="https://download.samba.org/pub/samba/patches/samba-4.17.2-4.17.3.diffs.gz">Patch (gzipped) against Samba 4.17.2</a><br> +<a href="https://download.samba.org/pub/samba/patches/samba-4.17.2-4.17.3.diffs.asc">Signature</a> +</p> +<p> +<pre> + ============================== + Release Notes for Samba 4.17.3 + November 15, 2022 + ============================== + + +This is a security release in order to address the following defects: + + +o CVE-2022-42898: Samba's Kerberos libraries and AD DC failed to guard against + integer overflows when parsing a PAC on a 32-bit system, which + allowed an attacker with a forged PAC to corrupt the heap. + https://www.samba.org/samba/security/CVE-2022-42898.html + +Changes since 4.17.2 +-------------------- +o Joseph Sutton <josephsut...@catalyst.net.nz> + * BUG 15203: CVE-2022-42898 + +o Nicolas Williams <n...@twosigma.com> + * BUG 15203: CVE-2022-42898 + + +</pre> +</p> +</body> +</html> 
diff --git a/history/security.html b/history/security.html index 5bbfad7..64c9dec 100755 --- a/history/security.html +++ b/history/security.html @@ -32,6 +32,28 @@ link to full release notes for each release.</p> <td><em>Details</em></td> </tr> + <tr> + <td>15 November 2022</td> + <td><a href="/samba/ftp/patches/security/samba-4.17.3-security-2022-11-15.patch"> + patch for Samba 4.17.3</a><br /> + <a href="/samba/ftp/patches/security/samba-4.16.7-security-2022-11-15.patch"> + patch for Samba 4.16.7</a><br /> + <a href="/samba/ftp/patches/security/samba-4.15.12-security-2022-11-15.patch"> + patch for Samba 4.15.12</a><br /> + </td> + <td>Samba's Kerberos libraries and AD DC failed to guard against integer + overflows when parsing a PAC on a 32-bit system, which allowed an attacker + with a forged PAC to corrupt the heap. + </td> + <td>All versions of Samba prior to 4.15.12, 4.16.7, 4.17.3.</td> + <td> +<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42898">CVE-2022-42898</a>. + </td> + <td> +<a href="/samba/security/CVE-2022-42898.html">Announcement</a>. + </td> + + <tr> <td>25 October 2022</td> <td><a href="/samba/ftp/patches/security/samba-4.17.2-security-2022-10-25.patch"> diff --git a/posted_news/20221115-072401.4.17.3.body.html b/posted_news/20221115-072401.4.17.3.body.html new file mode 100644 index 0000000..d270dda --- /dev/null +++ b/posted_news/20221115-072401.4.17.3.body.html 
@@ -0,0 +1,30 @@ +<!-- BEGIN: posted_news/20221115-072401.4.17.3.body.html --> +<h5><a name="4.17.3">15 November 2022</a></h5> +<p class=headline>Samba 4.17.3, 4.16.7 and 4.15.12 Security Releases are available for Download</p> +<p> +These are Security Releases in order to address +<a href="/samba/security/CVE-2022-42898.html">CVE-2022-42898</a> and +</p> +<p> +<p> +The uncompressed tarball has been signed using GnuPG (ID AA99442FB680B620). +</p> + +<p> +The 4.17.3 source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.17.3.tar.gz">downloaded now</a>. +A <a href="https://download.samba.org/pub/samba/patches/samba-4.17.2-4.17.3.diffs.gz">patch against Samba 4.17.2</a> is also available. +See <a href="https://www.samba.org/samba/history/samba-4.17.3.html">the release notes for more info</a>. +</p> + +<p> +The 4.16.7 source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.16.7.tar.gz">downloaded now</a>. +A <a href="https://download.samba.org/pub/samba/patches/samba-4.16.6-4.16.7.diffs.gz">patch against Samba 4.16.6</a> is also available. +See <a href="https://www.samba.org/samba/history/samba-4.16.7.html">the release notes for more info</a>. +</p> + +<p> +The 4.15.12 source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.15.12.tar.gz">downloaded now</a>. +A <a href="https://download.samba.org/pub/samba/patches/samba-4.15.11-4.15.12.diffs.gz">patch against Samba 4.15.11</a> is also available. +See <a href="https://www.samba.org/samba/history/samba-4.15.12.html">the release notes for more info</a>. +</p> +<!-- END: posted_news/20221115-072401.4.17.3.body.html --> diff --git a/posted_news/20221115-072401.4.17.3.headline.html b/posted_news/20221115-072401.4.17.3.headline.html new file mode 100644 index 0000000..dea8434 --- /dev/null +++ b/posted_news/20221115-072401.4.17.3.headline.html 
@@ -0,0 +1,3 @@ +<!-- BEGIN: posted_news/20221115-072401.4.17.3.headline.html --> +<li> 15 November 2022 <a href="#4.17.3">Samba 4.17.3, 4.16.7 and 4.15.12 Security Releases are available for Download</a></li> +<!-- END: posted_news/20221115-072401.4.17.3.headline.html --> diff --git a/security/CVE-2022-42898.html b/security/CVE-2022-42898.html new file mode 100644 index 0000000..3824c1a --- /dev/null +++ b/security/CVE-2022-42898.html 
@@ -0,0 +1,101 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> + +<head> +<title>Samba - Security Announcement Archive</title> +</head> + +<body> + + <H2>CVE-2022-42898.html:</H2> + +<p> +<pre> +=========================================================== +== Subject: Samba buffer overflow vulnerabilities on 32-bit +== systems +== +== CVE ID#: CVE-2022-42898 +== +== Versions: All versions of Samba prior to 4.15.12, 4.16.7, 4.17.3 +== +== Summary: Samba's Kerberos libraries and AD DC failed to guard +== against integer overflows when parsing a PAC on a 32-bit +== system, which allowed an attacker with a forged PAC to +== corrupt the heap. +=========================================================== + +=========== +Description +=========== + +The Kerberos libraries used by Samba provide a mechanism for +authenticating a user or service by means of tickets that can contain +Privilege Attribute Certificates (PACs). + +Both the Heimdal and MIT Kerberos libraries, and so the embedded +Heimdal shipped by Samba suffer from an integer multiplication +overflow when calculating how many bytes to allocate for a buffer for +the parsed PAC. + +On a 32-bit system an overflow allows placement of 16-byte chunks of +entirely attacker- controlled data. + +(Because the user's control over this calculation is limited to an +unsigned 32-bit value, 64-bit systems are not impacted). + +The server most vulnerable is the KDC, as it will parse an +attacker-controlled PAC in the S4U2Proxy handler. + +The secondary risk is to Kerberos-enabled file server installations in +a non-AD realm. A non-AD Heimdal KDC controlling such a realm may +pass on an attacker-controlled PAC within the service ticket. 
+ +================== +Patch Availability +================== + +Patches addressing these issues have been posted to: + + https://www.samba.org/samba/security/ + +Additionally, Samba 4.15.12, 4.16.7, and 4.17.3 have been issued +as security releases to correct the defect. Samba administrators are +advised to upgrade to these releases or apply the patch as soon +as possible. + +================== +CVSSv3 calculation +================== + +CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L (6.4) + +========================== +Workaround and mitigations +========================== + +* No workaround on 32-bit systems as an AD DC +* file servers are only impacted if in a non-AD domain +* 64-bit systems are not exploitable. + +======= +Credits +======= + +Originally reported by Greg Hudson with the aid of oss-fuzz. + +Patches provided by Nicolas Williams of Heimdal and Joseph Sutton of +Catlyst and the Samba team. + +Advisory by Joseph Sutton and Andrew Bartlett of Catalyst and the +Samba Team based on text and analysis by Greg Hudson. + +========================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +========================================================== + +</pre> +</body> +</html> -- Samba Website Repository
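Review bot: in history/security.html the added row for 15 November 2022 opens with `<tr>` but is never closed. The last added cell (the Announcement link) ends with `</td>` and is followed directly by the `<tr>` of the 25 October 2022 row. Add a `</tr>` after that cell so the table stays well-formed, the way the header row above closes with `<td><em>Details</em></td> </tr>`.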
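Review bot: in posted_news/20221115-072401.4.17.3.body.html the first paragraph ends on a dangling "and" (`<a href="/samba/security/CVE-2022-42898.html">CVE-2022-42898</a> and`) with nothing after it, and it is followed by two consecutive `<p>` openers with only one matching `</p>`. The release notes added in this commit list only CVE-2022-42898, so this looks like a leftover from a template with two CVEs; drop the "and" and the extra `<p>`.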
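Review bot: in security/CVE-2022-42898.html the Credits section misspells the company as "Catlyst" in "Joseph Sutton of Catlyst and the Samba team", while the next paragraph has "Catalyst". In the Description, "attacker- controlled" carries a stray space after the hyphen. The `<p>` opened just before `<pre>` is also never closed before `</body>`, unlike the release-note pages in this commit, which close it after `</pre>`.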
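Review bot: in history/samba-4.16.7.html the intro line is changed from "the following defect:" to "the following defects:" although the list below it contains a single entry, CVE-2022-42898. The new samba-4.15.12.html and samba-4.17.3.html files carry the same plural wording. Keep the singular in all three unless a second CVE is meant to be listed.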