The branch, master has been updated via 8c8039a NEWS[4.19.1]: Samba 4.19.1, 4.18.8 and 4.17.12 Security Releases are available for Download from d080755 NEWS[4.18.7]: Samba 4.18.7 Available for Download
https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 8c8039aeb3a19a31c420f1462fd5788dbfd3b91c Author: Jule Anger <jan...@samba.org> Date: Tue Oct 10 16:05:46 2023 +0200 NEWS[4.19.1]: Samba 4.19.1, 4.18.8 and 4.17.12 Security Releases are available for Download Signed-off-by: Jule Anger <jan...@samba.org> ----------------------------------------------------------------------- Summary of changes: history/header_history.html | 3 + history/security.html | 30 ++++++ posted_news/20231009-222505.4.19.1.body.html | 37 +++++++ posted_news/20231009-222505.4.19.1.headline.html | 3 + security/CVE-2023-3961.html | 106 ++++++++++++++++++++ security/CVE-2023-4091.html | 107 ++++++++++++++++++++ security/CVE-2023-4154.html | 122 +++++++++++++++++++++++ security/CVE-2023-42669.html | 89 +++++++++++++++++ security/CVE-2023-42670.html | 98 ++++++++++++++++++ 9 files changed, 595 insertions(+) create mode 100644 posted_news/20231009-222505.4.19.1.body.html create mode 100644 posted_news/20231009-222505.4.19.1.headline.html create mode 100644 security/CVE-2023-3961.html create mode 100644 security/CVE-2023-4091.html create mode 100644 security/CVE-2023-4154.html create mode 100644 security/CVE-2023-42669.html create mode 100644 security/CVE-2023-42670.html Changeset truncated at 500 lines: diff --git a/history/header_history.html b/history/header_history.html index 34f8f37..98f3fa7 100755 --- a/history/header_history.html +++ b/history/header_history.html @@ -9,7 +9,9 @@ <li><a href="/samba/history/">Release Notes</a> <li class="navSub"> <ul> + <li><a href="samba-4.19.1.html">samba-4.19.1</a></li> <li><a href="samba-4.19.0.html">samba-4.19.0</a></li> + <li><a href="samba-4.18.8.html">samba-4.18.8</a></li> <li><a href="samba-4.18.7.html">samba-4.18.7</a></li> <li><a href="samba-4.18.6.html">samba-4.18.6</a></li> <li><a href="samba-4.18.5.html">samba-4.18.5</a></li> 
@@ -18,6 +20,7 @@ <li><a href="samba-4.18.2.html">samba-4.18.2</a></li> <li><a href="samba-4.18.1.html">samba-4.18.1</a></li> <li><a href="samba-4.18.0.html">samba-4.18.0</a></li> + <li><a href="samba-4.17.12.html">samba-4.17.12</a></li> <li><a href="samba-4.17.11.html">samba-4.17.11</a></li> <li><a href="samba-4.17.10.html">samba-4.17.10</a></li> <li><a href="samba-4.17.9.html">samba-4.17.9</a></li> diff --git a/history/security.html b/history/security.html index f788763..d359aff 100755 --- a/history/security.html +++ b/history/security.html 
@@ -31,6 +31,36 @@ link to full release notes for each release.</p> <td><em>CVE ID #</em></td> <td><em>Details</em></td> </tr> + <tr> + <td>10 October 2023</td> + <td> + <a href="/samba/ftp/patches/security/samba-4.19.1-security-2023-10-10.patch"> + patch for Samba 4.19.1</a><br/> + <a href="/samba/ftp/patches/security/samba-4.18.8-security-2023-10-10.patch"> + patch for Samba 4.18.8</a><br/> + <a href="/samba/ftp/patches/security/samba-4.17.12-security-2023-10-10.patch"> + patch for Samba 4.17.12</a><br/> + </td> + <td> + CVE-2023-3961, CVE-2023-4091, CVE-2023-4154, CVE-2023-42669, and CVE-2023-42670. + Please see announcements for details. + </td> + <td>Please refer to the advisories.</td> + <td> +<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3961">CVE-2023-3961</a>, +<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4154">CVE-2023-4154</a>, +<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4091">CVE-2023-4091</a>, +<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42669">CVE-2023-42669</a>, +<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42670">CVE-2023-42670</a>. + </td> + <td> +<a href="/samba/security/CVE-2023-3961.html">Announcement</a>, +<a href="/samba/security/CVE-2023-4154.html">Announcement</a>, +<a href="/samba/security/CVE-2023-4091.html">Announcement</a>, +<a href="/samba/security/CVE-2023-42669.html">Announcement</a>, +<a href="/samba/security/CVE-2023-42670.html">Announcement</a>. + </td> + </tr> <tr> <td>19 July 2023</td> diff --git a/posted_news/20231009-222505.4.19.1.body.html b/posted_news/20231009-222505.4.19.1.body.html new file mode 100644 index 0000000..d0214a3 --- /dev/null +++ b/posted_news/20231009-222505.4.19.1.body.html 
@@ -0,0 +1,37 @@ +<!-- BEGIN: posted_news/20231009-222505.4.19.1.body.html --> +<h5><a name="4.19.1">10 October 2023</a></h5> +<p class=headline>Samba 4.19.1, 4.18.8 and 4.17.12 Security Releases are available for Download</p> +<p> +<a href="/samba/security/CVE-2023-3961.html">CVE-2023-3961</a>, +<a href="/samba/security/CVE-2023-4091.html">CVE-2023-4091</a>, +<a href="/samba/security/CVE-2023-4154.html">CVE-2023-4154</a>, +<a href="/samba/security/CVE-2023-42669.html">CVE-2023-42669</a> and +<a href="/samba/security/CVE-2023-42670.html">CVE-2023-42670</a>. +</p> + +<p> +The uncompressed Samba tarball has been signed using GnuPG (ID AA99442FB680B620). +</p> + +<p> +The Samba 4.19.1 source code can be +<a href="https://download.samba.org/pub/samba/stable/samba-4.19.1.tar.gz">downloaded now</a>. +A <a href="https://download.samba.org/pub/samba/patches/samba-4.19.0-4.19.1.diffs.gz">patch against Samba 4.19.0</a> is also available. +See <a href="https://www.samba.org/samba/history/samba-4.19.1.html">the release notes for more info</a>. +</p> + +<p> +The Samba 4.18.8 source code can be +<a href="https://download.samba.org/pub/samba/stable/samba-4.18.8.tar.gz">downloaded now</a>. +A <a href="https://download.samba.org/pub/samba/patches/samba-4.18.7-4.18.8.diffs.gz">patch against Samba 4.18.7</a> is also available. +See <a href="https://www.samba.org/samba/history/samba-4.18.8.html">the release notes for more info</a>. +</p> + +<p> +The Samba 4.17.12 source code can be +<a href="https://download.samba.org/pub/samba/stable/samba-4.17.12.tar.gz">downloaded now</a>. +A <a href="https://download.samba.org/pub/samba/patches/samba-4.17.11-4.17.12.diffs.gz">patch against Samba 4.17.11</a> is also available. +See <a href="https://www.samba.org/samba/history/samba-4.17.12.html">the release notes for more info</a>. +</p> + +<!-- END: posted_news/20231009-222505.4.19.1.body.html --> 
diff --git a/posted_news/20231009-222505.4.19.1.headline.html b/posted_news/20231009-222505.4.19.1.headline.html new file mode 100644 index 0000000..d9fdf5e --- /dev/null +++ b/posted_news/20231009-222505.4.19.1.headline.html @@ -0,0 +1,3 @@ +<!-- BEGIN: posted_news/20231009-222505.4.19.1.headline.html --> +<li> 10 October 2023 <a href="#4.19.1">Samba 4.19.1, 4.18.8 and 4.17.12 Security Releases are available for Download</a></li> +<!-- END: posted_news/20231009-222505.4.19.1.headline.html --> diff --git a/security/CVE-2023-3961.html b/security/CVE-2023-3961.html new file mode 100644 index 0000000..b2d3d84 --- /dev/null +++ b/security/CVE-2023-3961.html 
@@ -0,0 +1,106 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> + +<head> +<title>Samba - Security Announcement Archive</title> +</head> + +<body> + + <H2>CVE-2023-3961.html:</H2> + +<p> +<pre> +============================================================ +== Subject: smbd allows client access to unix domain sockets +== on the file system. +== +== CVE ID#: CVE-2023-3961 +== +== Versions: All versions starting with 4.16.0 +== +== Summary: Unsanitized pipe names allow SMB clients to connect +== as root to existing unix domain sockets on the +== file system. +============================================================ + +=========== +Description +=========== + +The SMB 1/2/3 protocols allow clients to connect to named +pipes via the IPC$ (Inter-Process Communication) share +for the process of inter-process communication between +SMB clients and servers. + +Since Samba 4.16.0, Samba internally connects client pipe names +to unix domain sockets within a private directory, allowing clients +to connect to services listening on those sockets. This is +usually used to connect SMB clients to remote proceedure +call (RPC) services, such as SAMR LSA, or SPOOLSS, which Samba +starts on demand. + +However, insufficient sanitization was done on the incoming +client pipe name, meaning that a client sending a pipe name +containing unix directory traversal characters (../) +could cause Samba to connect to unix domain sockets +outside of the private directory meant to restrict the +services a client could connect to. Samba connects +to the unix domain sockets as root, meaning if a client +could send a pipe name that resolved to an external +service using an existing unix domain socket, the client would +be able to connect to it without filesystem permissions +restricting access. 
+ +Depending on the service the client can connect to, +the client may be able to trigger adverse events such +as denial of service, crashing the service, or potentially +compromising it. + +There are no current known exploits for this bug. + +================== +Patch Availability +================== + +Patches addressing this issue have been posted to: + + https://www.samba.org/samba/security/ + +Additionally, Samba 4.19.1, 4.18.8 and 4.17.12 have been issued +as security releases to correct the defect. Samba administrators are +advised to upgrade to these releases or apply the patch as soon +as possible. + +================== +CVSSv3 calculation +================== + +CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N (6.8) + +========== +Workaround +========== + +None. + +======= +Credits +======= + +Originally discovered by Jeremy Allison of the Samba team +and CIQ. Inc. + +Patches provided by Jeremy Allison of the Samba team and +CIQ. Inc. + +========================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +========================================================== + + +</pre> +</body> +</html> \ No newline at end of file diff --git a/security/CVE-2023-4091.html b/security/CVE-2023-4091.html new file mode 100644 index 0000000..df7e888 --- /dev/null +++ b/security/CVE-2023-4091.html 
@@ -0,0 +1,107 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> + +<head> +<title>Samba - Security Announcement Archive</title> +</head> + +<body> + + <H2>CVE-2023-4091.html:</H2> + +<p> +<pre> +=========================================================== +== Subject: SMB clients can truncate files with +== read-only permissions +== +== CVE ID#: CVE-2023-4091 +== +== Versions: All Samba versions +== +== Summary: SMB client can truncate files to 0 bytes +== by opening files with OVERWRITE disposition +== when using the acl_xattr Samba VFS module +== with the smb.conf setting +== "acl_xattr:ignore system acls = yes" +=========================================================== + +=========== +Description +=========== + +The SMB protocol allows opening files where the client +requests read-only access, but then implicitly truncating +the opened file if the client specifies a separate OVERWRITE +create disposition. + +This operation requires write access to the file, and in the +default Samba configuration the operating system kernel will +deny access to open a read-only file for read/write (which +the truncate operation requires). + +However, when Samba has been configured to ignore kernel +file system permissions, Samba will truncate a file when the +underlying operating system kernel would deny the operation. + +Affected Samba configurations are the ones where kernel +file-system permission checks are bypassed, relying on +Samba's own permission enforcement. The error is that this +check is done against the client request for read-only +access, and not the implicitly requested read-write (for +truncate) one. 
+ +The widely used Samba VFS module "acl_xattr" when configured +with the module configuration parameter "acl_xattr:ignore +system acls = yes" is the only upstream Samba module that +allows this behavior and is the only known method of +reproducing this security flaw. + +If (as is the default) the module configuration parameter +"acl_xattr:ignore system acls=no", then the Samba server is +not vulnerable to this attack. + +================== +Patch Availability +================== + +Patches addressing both these issues have been posted to: + + https://www.samba.org/samba/security/ + +Additionally, Samba versions 4.19.1, 4.18.8 and 4.17.12 have +been issued as security releases to correct the defect. +Samba administrators are advised to upgrade to these +releases or apply the patch as soon as possible. + +================== +CVSSv3 calculation +================== + +CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (6.5) + +========== +Workaround +========== + +None. + +======= +Credits +======= + +Originally reported by Sri Nagasubramanian <snagasubraman...@nasuni.com> +from Nasuni. + +Patches provided by Ralph Böhme of SerNet and the Samba team. + +========================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +========================================================== + + +</pre> +</body> +</html> \ No newline at end of file diff --git a/security/CVE-2023-4154.html b/security/CVE-2023-4154.html new file mode 100644 index 0000000..08abebc --- /dev/null +++ b/security/CVE-2023-4154.html 
@@ -0,0 +1,122 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> + +<head> +<title>Samba - Security Announcement Archive</title> +</head> + +<body> + + <H2>CVE-2023-4154.html:</H2> + +<p> +<pre> +=========================================================== +== Subject: Samba AD DC password exposure to privileged +== users and RODCs +== +== CVE ID#: CVE-2023-4154 +== +== Versions: All versions since Samba 4.0.0 +== +== Summary: An RODC and a user with the GET_CHANGES +== right can view all attributes, including +== secrets and passwords. +== +== Additionally, the access check fails open +== on error conditions. +=========================================================== + +=========== +Description +=========== + +In normal operation, passwords and (most) secrets are never disclosed +over LDAP in Active Directory. + +However, due to a design flaw in Samba's implementation of the DirSync +control, Active Directory accounts authorized to do some replication, +but not to replicate sensitive attributes, can instead replicate +critical domain passwords and secrets. + +In a default installation, this means that RODC DC accounts (which +should only be permitted to replicate some passwords) can instead +obtain all domain secrets, including the core AD secret: the krbtgt +password. + +RODCs are given this permission as part of their installation for DRS +replication. This vulnerability removes the RODC / DC distinction. + +Secondly, and just as problematically, the access check for this +functionality did not account for error conditions - errors like +out of memory were regarded as success. This is sometimes described +as "fail open". In these error conditions, some of which (eg out of +memory) may be influenced by a low-privileged attacker, access to the +secret attributes could be obtained! 
+ + +================== +Patch Availability +================== + +Patches addressing both these issues have been posted to: + + https://www.samba.org/samba/security/ + +Additionally, Samba 4.19.1, 4.18.8 and 4.17.12 have been issued +as security releases to correct the defect. Samba administrators are +advised to upgrade to these releases or apply the patch as soon +as possible. + +================== +CVSSv3 calculation +================== + +For password disclosure to RODCs and other privileged accounts: +CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (7.2) + +For the fail open on the DirSync access check: +CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5) + +================================= +Workaround and mitigating factors +================================= + +If no RODC accounts are in use in the domain, and DirSync users set +LDAP_DIRSYNC_OBJECT_SECURITY then there is no need to give this right +to any users. If only privileged accounts have this right, only the +error path vulnerability exists. + +Since Windows 2003 and in all versions of Samba, it has not been +required to assign accounts this "Get Changes" / GUID_DRS_GET_CHANGES +right to use LDAP DirSync, provided that the +LDAP_DIRSYNC_OBJECT_SECURITY it set in the control. + +If any unprivileged accounts do have this right, and either no longer +use DirSync or use LDAP_DIRSYNC_OBJECT_SECURITY, this should be +removed. + +GUID_DRS_GET_CHANGES / 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 is an +extended right set in the ntSecurityDescriptor on the NC root (the DN +at the top of each partition). These are for example the domain DN, +configuration DN etc. The domain DN is the most important. + +======= +Credits +======= + +Originally reported by Andrew Bartlett of Catalyst and the Samba Team +during routine code review. + +Patches provided by Andrew Bartlett of Catalyst and the Samba team. + +========================================================== +== Our Code, Our Bugs, Our Responsibility. 
+== The Samba Team +========================================================== + + +</pre> +</body> +</html> \ No newline at end of file diff --git a/security/CVE-2023-42669.html b/security/CVE-2023-42669.html new file mode 100644 index 0000000..2b1821d --- /dev/null +++ b/security/CVE-2023-42669.html @@ -0,0 +1,89 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> + +<head> +<title>Samba - Security Announcement Archive</title> +</head> + +<body> + + <H2>CVE-2023-42669.html:</H2> + +<p> +<pre> +=========================================================== +== Subject: "rpcecho" development server allows Denial + of Service via sleep() call on AD DC +== +== CVE ID#: CVE-2023-42669 +== +== Versions: All versions of Samba since Samba 4.0.0 +== +== Summary: Calls to the rpcecho server on the AD DC can request -- Samba Website Repository
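Review bot: the three new sidebar entries in the history/header_history.html hunk link to samba-4.19.1.html, samba-4.18.8.html and samba-4.17.12.html, but none of those release-note pages is in this commit's file list (9 files changed, all under history/security.html, posted_news/ and security/), so the links will be dead until those pages land; add them in the same commit or land them first.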
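Review bot: in the history/security.html hunk the CVE ID and Announcement cells list the advisories as 3961, 4154, 4091, 42669, 42670, while the Details cell of the same row and the posted_news body use 3961, 4091, 4154, 42669, 42670; order the two link cells the same way (e.g. `CVE-2023-4091` before `CVE-2023-4154`) so the row reads consistently.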
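Review bot: the posted_news/20231009-222505.4.19.1.body.html hunk uses an unquoted attribute value in `<p class=headline>`; the site's other pages in this change declare an XHTML doctype, so quote it as `<p class="headline">` for consistency and to keep the fragment valid when included.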
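Review bot: two typos in the Description of the security/CVE-2023-3961.html hunk, "remote proceedure call (RPC)" should be "remote procedure call (RPC)" and "SAMR LSA, or SPOOLSS" is missing a comma after SAMR; the CVSS line is also formatted as "CVSS 3.1: AV:N/..." whereas the other four advisories use the vector-string prefix "CVSS:3.1/AV:N/...", so align it. Structurally, this page (and the 4091, 4154 and 42669 pages, which share the template) declares XHTML 1.0 Transitional but opens `<p>` before `<pre>` without ever closing it and uses an uppercase `<H2>`, which is not valid XHTML; the file also ends without a trailing newline.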
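Review bot: the Patch Availability section of the security/CVE-2023-4091.html hunk says "Patches addressing both these issues have been posted", but this advisory describes a single issue (the OVERWRITE-disposition truncation); that wording looks copied from the CVE-2023-4154 text, which does cover two issues, so drop "both". The parameter is also written two ways in the same page, "acl_xattr:ignore system acls = yes" in the Summary and "acl_xattr:ignore system acls=no" in the Description; use one spelling.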
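Review bot: typo in the Workaround section of the security/CVE-2023-4154.html hunk, "provided that the LDAP_DIRSYNC_OBJECT_SECURITY it set in the control" should read "is set in the control". The following sentence, "If any unprivileged accounts do have this right, and either no longer use DirSync or use LDAP_DIRSYNC_OBJECT_SECURITY, this should be removed", leaves "this" ambiguous between the right and the account; say explicitly that the GUID_DRS_GET_CHANGES right should be removed from those accounts, since that is the mitigation the preceding paragraphs describe.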
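Review bot: in the security/CVE-2023-42669.html hunk the Subject's continuation line, "of Service via sleep() call on AD DC", lacks the leading "==" that every other wrapped header line in these advisories carries (compare "== on the file system." in CVE-2023-3961 and "== read-only permissions" in CVE-2023-4091); prefix it with "==" so the banner block stays aligned. The remainder of this file is cut off by the 500-line changeset truncation, so the rest of the page could not be reviewed here.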