The branch, master has been updated
       via  e09c817 NEWS[4.18.1]: Samba 4.18.1, 4.17.7 and 4.16.10 Security Releases are available for Download
      from  321f33d Acknowledge the fact that some of us moved to IBM.
https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit e09c817ce8a3368d78e7c67af1d3ac569b59ec00 Author: Jule Anger <jan...@samba.org> Date: Wed Mar 29 16:02:24 2023 +0200 NEWS[4.18.1]: Samba 4.18.1, 4.17.7 and 4.16.10 Security Releases are available for Download Signed-off-by: Jule Anger <jan...@samba.org> ----------------------------------------------------------------------- Summary of changes: history/header_history.html | 3 + history/samba-4.16.10.html | 59 ++++++ history/samba-4.17.7.html | 70 +++++++ history/samba-4.18.1.html | 68 +++++++ history/security.html | 27 +++ posted_news/20230329-144931.4.18.1.body.html | 35 ++++ posted_news/20230329-144931.4.18.1.headline.html | 3 + security/CVE-2023-0225.html | 91 +++++++++ security/CVE-2023-0614.html | 249 +++++++++++++++++++++++ security/CVE-2023-0922.html | 111 ++++++++++ 10 files changed, 716 insertions(+) create mode 100644 history/samba-4.16.10.html create mode 100644 history/samba-4.17.7.html create mode 100644 history/samba-4.18.1.html create mode 100644 posted_news/20230329-144931.4.18.1.body.html create mode 100644 posted_news/20230329-144931.4.18.1.headline.html create mode 100644 security/CVE-2023-0225.html create mode 100644 security/CVE-2023-0614.html create mode 100644 security/CVE-2023-0922.html Changeset truncated at 500 lines: diff --git a/history/header_history.html b/history/header_history.html index 1cedfd7..26c680d 100755 --- a/history/header_history.html +++ b/history/header_history.html @@ -9,7 +9,9 @@ <li><a href="/samba/history/">Release Notes</a> <li class="navSub"> <ul> + <li><a href="samba-4.18.1.html">samba-4.18.1</a></li> <li><a href="samba-4.18.0.html">samba-4.18.0</a></li> + <li><a href="samba-4.17.7.html">samba-4.17.7</a></li> <li><a href="samba-4.17.6.html">samba-4.17.6</a></li> <li><a href="samba-4.17.5.html">samba-4.17.5</a></li> <li><a href="samba-4.17.4.html">samba-4.17.4</a></li> 
@@ -17,6 +19,7 @@ <li><a href="samba-4.17.2.html">samba-4.17.2</a></li> <li><a href="samba-4.17.1.html">samba-4.17.1</a></li> <li><a href="samba-4.17.0.html">samba-4.17.0</a></li> + <li><a href="samba-4.16.10.html">samba-4.16.10</a></li> <li><a href="samba-4.16.9.html">samba-4.16.9</a></li> <li><a href="samba-4.16.8.html">samba-4.16.8</a></li> <li><a href="samba-4.16.7.html">samba-4.16.7</a></li> diff --git a/history/samba-4.16.10.html b/history/samba-4.16.10.html new file mode 100644 index 0000000..9114fa9 --- /dev/null +++ b/history/samba-4.16.10.html 
@@ -0,0 +1,59 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.16.10 - Release Notes</title> +</head> +<body> +<H2>Samba 4.16.10 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.16.10.tar.gz">Samba 4.16.10 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.16.10.tar.asc">Signature</a> +</p> +<p> +<a href="https://download.samba.org/pub/samba/patches/samba-4.16.9-4.16.10.diffs.gz">Patch (gzipped) against Samba 4.16.9</a><br> +<a href="https://download.samba.org/pub/samba/patches/samba-4.16.9-4.16.10.diffs.asc">Signature</a> +</p> +<p> +<pre> + =============================== + Release Notes for Samba 4.16.10 + March 29, 2023 + =============================== + + +This is a security release in order to address the following defects: + +o CVE-2023-0922: The Samba AD DC administration tool, when operating against a + remote LDAP server, will by default send new or reset + passwords over a signed-only connection. + https://www.samba.org/samba/security/CVE-2023-0922.html + +o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 + Confidential attribute disclosure via LDAP filters was + insufficient and an attacker may be able to obtain + confidential BitLocker recovery keys from a Samba AD DC. + Installations with such secrets in their Samba AD should + assume they have been obtained and need replacing. + https://www.samba.org/samba/security/CVE-2023-0614.html + + +Changes since 4.16.9 +-------------------- + +o Andrew Bartlett <abart...@samba.org> + * BUG 15270: VE-2023-0614. + * BUG 15331: ldb wildcard matching makes excessive allocations. + * BUG 15332: large_ldap test is inefficient. + +o Rob van der Linde <r...@catalyst.net.nz> + * BUG 15315: CVE-2023-0922. 
+ +o Joseph Sutton <josephsut...@catalyst.net.nz> + * BUG 15270: CVE-2023-0614. + + +</pre> +</p> +</body> +</html> diff --git a/history/samba-4.17.7.html b/history/samba-4.17.7.html new file mode 100644 index 0000000..6370448 --- /dev/null +++ b/history/samba-4.17.7.html 
@@ -0,0 +1,70 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.17.7 - Release Notes</title> +</head> +<body> +<H2>Samba 4.17.7 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.17.7.tar.gz">Samba 4.17.7 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.17.7.tar.asc">Signature</a> +</p> +<p> +<a href="https://download.samba.org/pub/samba/patches/samba-4.17.6-4.17.7.diffs.gz">Patch (gzipped) against Samba 4.17.6</a><br> +<a href="https://download.samba.org/pub/samba/patches/samba-4.17.6-4.17.7.diffs.asc">Signature</a> +</p> +<p> +<pre> + ============================== + Release Notes for Samba 4.17.7 + March 29, 2023 + ============================== + + +This is a security release in order to address the following defects: + +o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated + but otherwise unprivileged users to delete this attribute from + any object in the directory. + https://www.samba.org/samba/security/CVE-2023-0225.html + +o CVE-2023-0922: The Samba AD DC administration tool, when operating against a + remote LDAP server, will by default send new or reset + passwords over a signed-only connection. + https://www.samba.org/samba/security/CVE-2023-0922.html + +o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 + Confidential attribute disclosure via LDAP filters was + insufficient and an attacker may be able to obtain + confidential BitLocker recovery keys from a Samba AD DC. + Installations with such secrets in their Samba AD should + assume they have been obtained and need replacing. + https://www.samba.org/samba/security/CVE-2023-0614.html + + +Changes since 4.17.6 +-------------------- + +o Douglas Bagnall <douglas.bagn...@catalyst.net.nz> + * BUG 15276: CVE-2023-0225. 
+ +o Andrew Bartlett <abart...@samba.org> + * BUG 15270: CVE-2023-0614. + * BUG 15331: ldb wildcard matching makes excessive allocations. + * BUG 15332: large_ldap test is inefficient. + +o Rob van der Linde <r...@catalyst.net.nz> + * BUG 15315: CVE-2023-0922. + +o Joseph Sutton <josephsut...@catalyst.net.nz> + * BUG 14810: CVE-2020-25720 [SECURITY] Create Child permission should not + allow full write to all attributes (additional changes). + * BUG 15270: CVE-2023-0614. + * BUG 15276: CVE-2023-0225. + + +</pre> +</p> +</body> +</html> diff --git a/history/samba-4.18.1.html b/history/samba-4.18.1.html new file mode 100644 index 0000000..4bc389e --- /dev/null +++ b/history/samba-4.18.1.html 
@@ -0,0 +1,68 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.18.1 - Release Notes</title> +</head> +<body> +<H2>Samba 4.18.1 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.18.1.tar.gz">Samba 4.18.1 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.18.1.tar.asc">Signature</a> +</p> +<p> +<a href="https://download.samba.org/pub/samba/patches/samba-4.18.0-4.18.1.diffs.gz">Patch (gzipped) against Samba 4.18.0</a><br> +<a href="https://download.samba.org/pub/samba/patches/samba-4.18.0-4.18.1.diffs.asc">Signature</a> +</p> +<p> +<pre> + ============================== + Release Notes for Samba 4.18.1 + March 29, 2023 + ============================== + + +This is a security release in order to address the following defects: + +o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated + but otherwise unprivileged users to delete this attribute from + any object in the directory. + https://www.samba.org/samba/security/CVE-2023-0225.html + +o CVE-2023-0922: The Samba AD DC administration tool, when operating against a + remote LDAP server, will by default send new or reset + passwords over a signed-only connection. + https://www.samba.org/samba/security/CVE-2023-0922.html + +o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 + Confidential attribute disclosure via LDAP filters was + insufficient and an attacker may be able to obtain + confidential BitLocker recovery keys from a Samba AD DC. + Installations with such secrets in their Samba AD should + assume they have been obtained and need replacing. + https://www.samba.org/samba/security/CVE-2023-0614.html + + +Changes since 4.18.0 +-------------------- + +o Douglas Bagnall <douglas.bagn...@catalyst.net.nz> + * BUG 15276: CVE-2023-0225. 
+ +o Andrew Bartlett <abart...@samba.org> + * BUG 15270: CVE-2023-0614. + * BUG 15331: ldb wildcard matching makes excessive allocations. + * BUG 15332: large_ldap test is inefficient. + +o Rob van der Linde <r...@catalyst.net.nz> + * BUG 15315: CVE-2023-0922. + +o Joseph Sutton <josephsut...@catalyst.net.nz> + * BUG 15270: CVE-2023-0614. + * BUG 15276: CVE-2023-0225. + + +</pre> +</p> +</body> +</html> diff --git a/history/security.html b/history/security.html index 5545d6b..5e68e1d 100755 --- a/history/security.html +++ b/history/security.html @@ -32,6 +32,33 @@ link to full release notes for each release.</p> <td><em>Details</em></td> </tr> + <tr> + <td>29 March 2023</td> + <td> + <a href="/samba/ftp/patches/security/samba-4.18.1-security-2023-03-29.patch"> + patch for Samba 4.18.1</a><br/> + <a href="/samba/ftp/patches/security/samba-4.17.7-security-2023-03-29.patch"> + patch for Samba 4.17.7</a><br/> + <a href="/samba/ftp/patches/security/samba-4.16.10-security-2023-03-29.patch"> + patch for Samba 4.16.10</a><br/> + </td> + <td> + CVE-2023-0225, CVE-2023-0922 and CVE-2023-0614. + Please see announcements for details. + </td> + <td>All versions of Samba since 4.0 prior to 4.16.10, 4.17.7, 4.18.1.</td> + <td> +<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0225">CVE-2023-0225</a>, +<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0922">CVE-2023-0922</a>, +<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0614">CVE-2023-0614</a>. + </td> + <td> +<a href="/samba/security/CVE-2023-0225.html">Announcement</a>, +<a href="/samba/security/CVE-2023-0922.html">Announcement</a>, +<a href="/samba/security/CVE-2023-0614.html">Announcement</a>. + </td> + </tr> + <tr> <td>15 December 2022</td> <td> diff --git a/posted_news/20230329-144931.4.18.1.body.html b/posted_news/20230329-144931.4.18.1.body.html new file mode 100644 index 0000000..a7b6fac --- /dev/null +++ b/posted_news/20230329-144931.4.18.1.body.html 
@@ -0,0 +1,35 @@ +<!-- BEGIN: posted_news/20230329-144931.4.18.1.body.html --> +<h5><a name="4.18.1">29 March 2023</a></h5> +<p class=headline>Samba 4.18.1, 4.17.7 and 4.16.10 Security Releases are available for Download</p> +<p> +<a href="/samba/security/CVE-2023-0225.html">CVE-2023-0225</a>, +<a href="/samba/security/CVE-2023-0922.html">CVE-2023-0922</a> and +<a href="/samba/security/CVE-2023-0614.html">CVE-2023-0614</a>. +</p> + +<p> +The uncompressed Samba tarball has been signed using GnuPG (ID AA99442FB680B620). +</p> + +<p> +The Samba 4.18.1 source code can be +<a href="https://download.samba.org/pub/samba/stable/samba-4.18.1.tar.gz">downloaded now</a>. +A <a href="https://download.samba.org/pub/samba/patches/samba-4.18.0-4.18.1.diffs.gz">patch against Samba 4.18.0</a> is also available. +See <a href="https://www.samba.org/samba/history/samba-4.18.1.html">the release notes for more info</a>. +</p> + +<p> +The Samba 4.17.7 source code can be +<a href="https://download.samba.org/pub/samba/stable/samba-4.17.7.tar.gz">downloaded now</a>. +A <a href="https://download.samba.org/pub/samba/patches/samba-4.17.6-4.17.7.diffs.gz">patch against Samba 4.17.6</a> is also available. +See <a href="https://www.samba.org/samba/history/samba-4.17.7.html">the release notes for more info</a>. +</p> + +<p> +The Samba 4.16.10 source code can be +<a href="https://download.samba.org/pub/samba/stable/samba-4.16.10.tar.gz">downloaded now</a>. +A <a href="https://download.samba.org/pub/samba/patches/samba-4.16.9-4.16.10.diffs.gz">patch against Samba 4.16.9</a> is also available. +See <a href="https://www.samba.org/samba/history/samba-4.16.10.html">the release notes for more info</a>. +</p> + +<!-- END: posted_news/20230329-144931.4.18.1.body.html --> diff --git a/posted_news/20230329-144931.4.18.1.headline.html b/posted_news/20230329-144931.4.18.1.headline.html new file mode 100644 index 0000000..c234e4a --- /dev/null +++ b/posted_news/20230329-144931.4.18.1.headline.html 
@@ -0,0 +1,3 @@ +<!-- BEGIN: posted_news/20230329-144931.4.18.1.headline.html --> +<li> 29 March 2023 <a href="#4.18.1">Samba 4.18.1, 4.17.7 and 4.16.10 Security Releases are available for Download</a></li> +<!-- END: posted_news/20230329-144931.4.18.1.headline.html --> diff --git a/security/CVE-2023-0225.html b/security/CVE-2023-0225.html new file mode 100644 index 0000000..49aa5c5 --- /dev/null +++ b/security/CVE-2023-0225.html 
@@ -0,0 +1,91 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> + +<head> +<title>Samba - Security Announcement Archive</title> +</head> + +<body> + + <H2>CVE-2023-0225.html:</H2> + +<p> +<pre> +=========================================================== +== Subject: Samba AD DC "dnsHostname" attribute can be + deleted by unprivileged authenticated users. +== +== CVE ID#: CVE-2023-0225 +== +== Versions: Samba 4.17.0 and later versions +== +== Summary: An incomplete access check on dnsHostName allows + authenticated but otherwise unprivileged users to + delete this attribute from any object in the directory. +=========================================================== + +=========== +Description +=========== + +In implementing the Validated dnsHostName permission check in Samba's +Active Directory DC, and therefore applying correctly constraints on +the values of a dnsHostName value for a computer in a Samba domain +(CVE-2022-32743), the case where the dnsHostName is deleted, rather +than modified or added, was incorrectly handled. + +Therefore, in Samba 4.17.0 and later an LDAP attribute value deletion +of the dnsHostName attribute became possible for authenticated but +otherwise unprivileged users, for any object. + +================== +Patch Availability +================== + +Patches addressing both these issues have been posted to: + + https://www.samba.org/samba/security/ + +Additionally, Samba $VERSIONS have been issued +as security releases to correct the defect. Samba administrators are +advised to upgrade to these releases or apply the patch as soon +as possible. + +================== +CVSSv3 calculation +================== + +CVSS3.1:AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L (5.4) + +========== +Workaround +========== + +The AD DC LDAP server is a critical component of the AD DC, and it +should not be disabled. 
However it can be disabled by setting + + server services = -ldap + +in the smb.conf and restarting Samba + +======= +Credits +======= + +Originally reported by Lukas Mitter of codemanufaktur GmbH. + +Patches provided by Joseph Sutton and Douglas Bagnall of Catalyst +and the Samba Team. + +Advisory prepared by Andrew Bartlett of Catalyst and the Samba Team. + +========================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +========================================================== + + +</pre> +</body> +</html> \ No newline at end of file diff --git a/security/CVE-2023-0614.html b/security/CVE-2023-0614.html new file mode 100644 index 0000000..c5e7d14 --- /dev/null +++ b/security/CVE-2023-0614.html 
@@ -0,0 +1,249 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> + +<head> +<title>Samba - Security Announcement Archive</title> +</head> + +<body> + + <H2>CVE-2023-0614.html:</H2> + +<p> +<pre> +=========================================================== +== Subject: Access controlled AD LDAP attributes can be discovered +== +== CVE ID#: CVE-2023-0614 +== +== Versions: All Samba releases since Samba 4.0 + +== +== Summary: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for + CVE-2018-10919 Confidential attribute disclosure via + LDAP filters was insufficient and an attacker may be + able to obtain confidential BitLocker recovery keys + from a Samba AD DC. + + Installations with such secrets in their Samba AD + should assume they have been obtained and need + replacing. +=========================================================== + +=========== +Description +=========== + +In Active Directory, there are essentially four different classes of +attributes. + + - Secret attributes (such as a user, computer or domain trust + password) that are never disclosed and are not available to search + against over LDAP. This is a hard-coded list, and since Samba 4.8 + these are additionally encrypted in the DB with a per-DB key. + + - Confidential attributes (marked as such in the schema) that have a + default access restriction allowing access only to the owner of the + object. + + While a Samba AD Domain makes these attributes available, + thankfully by default it will not have any of these confidential + attributes set, as they are only added by clients after + configuration (typically via a GPO). + + Examples of confidential data stored in Active Directory include + BitLocker recovery keys, TPM owner passwords, and certificate + secret keys stored with Credential Roaming. 
+ + - Access controlled attributes (for reads or writes), Samba will + honour the access control specified in the ntSecurityDescriptor. + + - Public attributes for read. Most attributes in Active Directory + are available to read by all authenticated users. + +Because the access control rules for a given attribute are not +consistent between objects, Samba implemented access control +restrictions only after matching objects against the filter. + +Taking each of the above classes in turn: + + - Secret attributes are prevented from disclosure firstly by -- Samba Website Repository
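Review bot: In history/samba-4.16.10.html, the first entry under Andrew Bartlett reads "* BUG 15270: VE-2023-0614." with the leading "C" of the CVE ID missing. The same entry in samba-4.17.7.html and samba-4.18.1.html reads "CVE-2023-0614", so this should be corrected to match; as written, a search of the 4.16.10 release notes for the CVE ID will miss this changelog line.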
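Review bot: In history/samba-4.18.1.html (and identically in samba-4.17.7.html and samba-4.16.10.html), the pages declare the XHTML 1.0 Transitional doctype but nest the "<pre>" block inside "<p> ... </p>" and use an unclosed "<br>", neither of which is valid under that doctype. Suggest dropping the "<p>" wrapper around "<pre>" and writing "<br/>", as the new history/security.html row in this same commit already does.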
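Review bot: In the new row of history/security.html, the affected-versions cell states "All versions of Samba since 4.0 prior to 4.16.10, 4.17.7, 4.18.1." for all three CVEs, which contradicts security/CVE-2023-0225.html in this same commit ("Versions: Samba 4.17.0 and later versions"). The 4.16.10 release notes also list only CVE-2023-0922 and CVE-2023-0614. Suggest giving the range per CVE, or at least noting that CVE-2023-0225 applies from 4.17.0 only, so that administrators on 4.16 can tell which issues the 4.16.10 patch actually addresses.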
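Review bot: In posted_news/20230329-144931.4.18.1.body.html, the text says the uncompressed tarball is signed with GnuPG but the three download paragraphs link only the ".tar.gz" and ".diffs.gz" files, not the ".tar.asc" / ".diffs.asc" signatures that the history pages in this commit do link. Suggest adding the signature links next to each download so readers of the news item can verify what they fetch. The key is also identified only by the 16-hex-digit ID "AA99442FB680B620"; publishing the full fingerprint would be the stronger reference. Minor: "class=headline" is unquoted.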
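Review bot: In security/CVE-2023-0225.html, the "Patch Availability" section still contains an unexpanded template placeholder: "Additionally, Samba $VERSIONS have been issued". It should name the fixed releases; going by the release notes in this commit, CVE-2023-0225 is listed for 4.17.7 and 4.18.1. The same section says "Patches addressing both these issues", although this advisory describes a single issue. Smaller points in this file: the workaround sentence "in the smb.conf and restarting Samba" has no closing full stop, the "<p>" opened before "<pre>" is never closed, and the file ends without a trailing newline.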
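Review bot: In security/CVE-2023-0614.html, the header banner has an empty line after "== Versions: All Samba releases since Samba 4.0" where every other line of the banner starts with "=="; suggest removing it or replacing it with "==" so the block renders consistently. In the attribute-class list, the third item ("Access controlled attributes (for reads or writes), Samba will honour ...") is a comma splice that reads differently from the other three items; "for which Samba will honour" would fix it. The changeset is truncated at 500 lines, so the remainder of this file could not be reviewed here.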