The branch, v4-19-stable has been updated
       via  6872b662d0d Merge tag 'samba-4.19.1' into v4-19-stable
       via  d9e90993b40 VERSION: Disable GIT_SNAPSHOT for the 4.19.1 release.
       via  a4bdbfef0f0 WHATSNEW: Add release notes for Samba 4.19.1.
       via  81b816c6489 CVE-2023-42670 s3-rpc_server: Remove cross-check with "samba" EPM lookup
       via  338021c79ad CVE-2023-42670 s3-rpc_server: Strictly refuse to start RPC servers in conflict with AD DC
       via  2cb41dd7c57 CVE-2023-42669 s3-rpc_server: Disable rpcecho for consistency with the AD DC
       via  5609c68aa51 CVE-2023-42669 s4-rpc_server: Disable rpcecho server by default
       via  1b321f4424a CVE-2023-4154: Unimplement the original DirSync behaviour without LDAP_DIRSYNC_OBJECT_SECURITY
       via  b55e2c328cd CVE-2023-4154 dsdb/tests: Extend attribute read DirSync tests
       via  c443a222ba7 CVE-2023-4154 dsdb/tests: Add test for SEARCH_FLAG_RODC_ATTRIBUTE behaviour
       via  93424793e59 CVE-2023-4154 dsdb/tests: Speed up DirSync test by only checking positive matches once
       via  f7d30cf9df4 CVE-2023-4154 dsdb/tests: Check that secret attributes are not visible with DirSync ever.
       via  ad11a871806 CVE-2023-4154 dsdb/tests: Force the test attribute to be not-confidential at the start
       via  b398d8af51b CVE-2023-4154 dsdb/tests: Use self.addCleanup() and delete_force()
       via  c04ec1a2f7c CVE-2023-4154 dsdb/tests: Do not run SimpleDirsyncTests twice
       via  52c633afa88 CVE-2023-4154 s4:dsdb:tests: Fix code spelling
       via  9cd1ad18af0 CVE-2023-4091: smbd: use open_access_mask for access check in open_file()
       via  2761477b76c CVE-2023-4091: smbtorture: test overwrite dispositions on read-only file
       via  456a758f10c CVE-2023-3961:s3: smbd: Remove the SMB_ASSERT() that crashes on bad pipenames.
       via  44d59c380af CVE-2023-3961:s3:torture: Add test SMB2-INVALID-PIPENAME to show we allow bad pipenames with unix separators through to the UNIX domain socket code.
       via  67c6778534d CVE-2023-3961:s3:smbd: Catch any incoming pipe path that could exit socket_dir.
       via  cb9c352457e VERSION: Bump version up to Samba 4.19.1...
      from  3e6d7e10b44 CVE-2023-42670 s3-rpc_server: Remove cross-check with "samba" EPM lookup

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-19-stable

- Log -----------------------------------------------------------------
commit 6872b662d0d451e5a6c502957f9e64d83c0fd76c
Merge: 3e6d7e10b44 d9e90993b40
Author: Jule Anger <jan...@samba.org>
Date:   Tue Oct 10 17:05:22 2023 +0200

    Merge tag 'samba-4.19.1' into v4-19-stable

    samba: tag release samba-4.19.1

commit d9e90993b4049bac99227c8f3c8823df45f7f46d
Author: Jule Anger <jan...@samba.org>
Date:   Tue Oct 10 11:04:49 2023 +0200

    VERSION: Disable GIT_SNAPSHOT for the 4.19.1 release.

    Signed-off-by: Jule Anger <jan...@samba.org>

commit a4bdbfef0f0957aa6dc68b244e33f3799621269f
Author: Jule Anger <jan...@samba.org>
Date:   Tue Oct 10 11:04:03 2023 +0200

    WHATSNEW: Add release notes for Samba 4.19.1.

    Signed-off-by: Jule Anger <jan...@samba.org>

commit 81b816c648939559a58751f6c7b48c11631f6e4d
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Sep 12 16:23:49 2023 +1200

    CVE-2023-42670 s3-rpc_server: Remove cross-check with "samba" EPM lookup

    We now have ensured that no conflicting services attempt to start so we
    do not need the runtime lookup and so avoid the risk that the lookup may
    fail.

    This means that any duplicates will be noticed early not just in a race
    condition.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473

    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit 338021c79adac86c44454ef3ba9175fbcf10b7b4
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Sep 12 12:28:49 2023 +1200

    CVE-2023-42670 s3-rpc_server: Strictly refuse to start RPC servers in conflict with AD DC

    Just as we refuse to start NETLOGON except on the DC, we must refuse to
    start all of the RPC services that are provided by the AD DC.

    Most critically of course this applies to netlogon, lsa and samr.

    This avoids the suppression of these services being the result of a
    runtime epmapper lookup, as if that fails these services can disrupt
    service to end users by listening on the same socket as the AD DC
    servers.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473

    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit 2cb41dd7c57a3974b9d71740cfda53721750635d
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Sep 12 19:01:03 2023 +1200

    CVE-2023-42669 s3-rpc_server: Disable rpcecho for consistency with the AD DC

    The rpcecho server in source3 does have samba the sleep() feature that
    the s4 version has, but the task architecture is different, so there is
    not the same impact.

    However equally this is not something that should be enabled on
    production builds of Samba, so restrict to selftest builds.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474

    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit 5609c68aa5175a636dc3080676ebff36de1e971f
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Sep 12 18:59:44 2023 +1200

    CVE-2023-42669 s4-rpc_server: Disable rpcecho server by default

    The rpcecho server is useful in development and testing, but should
    never have been allowed into production, as it includes the facility to
    do a blocking sleep() in the single-threaded rpc worker.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474

    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit 1b321f4424ab677a812bf0953bbdae6bebc3c377
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Aug 8 17:58:27 2023 +1200

    CVE-2023-4154: Unimplement the original DirSync behaviour without LDAP_DIRSYNC_OBJECT_SECURITY

    This makes LDAP_DIRSYNC_OBJECT_SECURITY the only behaviour provided by
    Samba.

    Having a second access control system within the LDAP stack is unsafe
    and this layer is incomplete.

    The current system gives all accounts that have been given the
    GUID_DRS_GET_CHANGES extended right SYSTEM access. Currently in Samba
    this equates to full access to passwords as well as "RODC Filtered
    attributes" (often used with confidential attributes).

    Rather than attempting to correctly filter for secrets (passwords) and
    these filtered attributes, as well as preventing search expressions for
    both, we leave this complexity to the acl_read module which has this
    facility already well tested.

    The implication is that callers will only see and filter by attribute
    in DirSync that they could without DirSync.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit b55e2c328cdd8de9ba6044ddb25d2a5ebcafb800
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Aug 22 15:08:17 2023 +1200

    CVE-2023-4154 dsdb/tests: Extend attribute read DirSync tests

    The aim here is to document the expected (even if not implemented)
    SEARCH_FLAG_RODC_ATTRIBUTE vs SEARCH_FLAG_CONFIDENTIAL, behaviour, so
    that any change once CVE-2023-4154 is fixed can be noted.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit c443a222ba7eb8ca7d633ff9104b0586faa85cb3
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Aug 8 14:30:19 2023 +1200

    CVE-2023-4154 dsdb/tests: Add test for SEARCH_FLAG_RODC_ATTRIBUTE behaviour

    SEARCH_FLAG_RODC_ATTRIBUTE should be like SEARCH_FLAG_CONFIDENTIAL, but
    for DirSync and DRS replication. Accounts with GUID_DRS_GET_CHANGES
    rights should not be able to read this attribute.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit 93424793e594fe34ad36ab58ae2ef878798e085c
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Aug 8 11:18:46 2023 +1200

    CVE-2023-4154 dsdb/tests: Speed up DirSync test by only checking positive matches once

    When we (expect to) get back a result, do not waste time against a
    potentially slow server confirming we also get back results for all the
    other attribute combinations.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit f7d30cf9df499aa4cef0f8575f97116186e357e0
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Aug 7 11:56:56 2023 +1200

    CVE-2023-4154 dsdb/tests: Check that secret attributes are not visible with DirSync ever.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit ad11a8718066542593d246d3f03c1008290dc2f3
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Aug 7 14:44:28 2023 +1200

    CVE-2023-4154 dsdb/tests: Force the test attribute to be not-confidential at the start

    Rather than fail, if the last run failed to reset things, just force
    the DC into the required state.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit b398d8af51b208cdf4c10eaae754e3e6b2a7432f
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Aug 7 13:15:40 2023 +1200

    CVE-2023-4154 dsdb/tests: Use self.addCleanup() and delete_force()

    This helps ensure this test is reliable even in spite of errors while
    running.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit c04ec1a2f7c7f32b8eefcbd2b81786406cc52e05
Author: Andrew Bartlett <abart...@samba.org>
Date:   Mon Aug 7 11:55:55 2023 +1200

    CVE-2023-4154 dsdb/tests: Do not run SimpleDirsyncTests twice

    To re-use setup code, the super-class must have no test_*() methods
    otherwise these will be run as well as the class-local tests.

    We rename tests that would otherwise have duplicate names.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit 52c633afa885388094e97b90d782db232f939b2f
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Aug 2 10:44:32 2023 +0200

    CVE-2023-4154 s4:dsdb:tests: Fix code spelling

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    (cherry picked from commit b29793ffdee5d9b9c1c05830622e80f7faec7670)

commit 9cd1ad18af07098588163c0b5b69408e4002a7aa
Author: Ralph Boehme <s...@samba.org>
Date:   Tue Aug 1 13:04:36 2023 +0200

    CVE-2023-4091: smbd: use open_access_mask for access check in open_file()

    If the client requested FILE_OVERWRITE[_IF], we're implicitly adding
    FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but
    for the access check we're using access_mask which doesn't contain the
    additional right, which means we can end up truncating a file for which
    the user has only read-only access via an SD.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439

    Signed-off-by: Ralph Boehme <s...@samba.org>

commit 2761477b76c2eafd0c851dfdff998e730e433c4c
Author: Ralph Boehme <s...@samba.org>
Date:   Tue Aug 1 12:30:00 2023 +0200

    CVE-2023-4091: smbtorture: test overwrite dispositions on read-only file

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439

    Signed-off-by: Ralph Boehme <s...@samba.org>

commit 456a758f10c8163122d1746d40a03df6f3f7b391
Author: Jeremy Allison <j...@samba.org>
Date:   Tue Jul 25 17:54:41 2023 -0700

    CVE-2023-3961:s3: smbd: Remove the SMB_ASSERT() that crashes on bad pipenames.

    We correctly handle this and just return ENOENT
    (NT_STATUS_OBJECT_NAME_NOT_FOUND).

    Remove knownfail.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422

    Signed-off-by: Jeremy Allison <j...@samba.org>

commit 44d59c380afbd227243d1dcf65b17cb445357c0f
Author: Jeremy Allison <j...@samba.org>
Date:   Tue Jul 25 17:49:21 2023 -0700

    CVE-2023-3961:s3:torture: Add test SMB2-INVALID-PIPENAME to show we allow bad pipenames with unix separators through to the UNIX domain socket code.

    The raw SMB2-INVALID-PIPENAME test passes against Windows 2022, as it
    just returns NT_STATUS_OBJECT_NAME_NOT_FOUND.

    Add the knownfail.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422

    Signed-off-by: Jeremy Allison <j...@samba.org>

commit 67c6778534d8fc1f6ce20cfb67d682b6f16ce1b9
Author: Jeremy Allison <j...@samba.org>
Date:   Tue Jul 25 17:41:04 2023 -0700

    CVE-2023-3961:s3:smbd: Catch any incoming pipe path that could exit socket_dir.

    For now, SMB_ASSERT() to exit the server. We will remove this once
    the test code is in place.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422

    Signed-off-by: Jeremy Allison <j...@samba.org>

commit cb9c352457ea6b362fad59125015954a7b469be1
Author: Jule Anger <jan...@samba.org>
Date:   Mon Sep 4 14:36:48 2023 +0200

    VERSION: Bump version up to Samba 4.19.1...

    and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <jan...@samba.org> (cherry picked from commit a8c5fe34b639f72c045bc0500d0c053842327556) ----------------------------------------------------------------------- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 73 insertions(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index e37fdc9cde9..9d6ab2d76b7 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ ######################################################## SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=19 -SAMBA_VERSION_RELEASE=0 +SAMBA_VERSION_RELEASE=1 ######################################################## # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 439556605ca..f6f6fabd42f 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,75 @@ + ============================== + Release Notes for Samba 4.19.1 + October 10, 2023 + ============================== + + +This is a security release in order to address the following defects: + + +o CVE-2023-3961: Unsanitized pipe names allow SMB clients to connect as root to + existing unix domain sockets on the file system. + https://www.samba.org/samba/security/CVE-2023-3961.html + +o CVE-2023-4091: SMB client can truncate files to 0 bytes by opening files with + OVERWRITE disposition when using the acl_xattr Samba VFS + module with the smb.conf setting + "acl_xattr:ignore system acls = yes" + https://www.samba.org/samba/security/CVE-2023-4091.html + +o CVE-2023-4154: An RODC and a user with the GET_CHANGES right can view all + attributes, including secrets and passwords. Additionally, + the access check fails open on error conditions. + https://www.samba.org/samba/security/CVE-2023-4154.html + +o CVE-2023-42669: Calls to the rpcecho server on the AD DC can request that the + server block for a user-defined amount of time, denying + service. + https://www.samba.org/samba/security/CVE-2023-42669.html + +o CVE-2023-42670: Samba can be made to start multiple incompatible RPC + listeners, disrupting service on the AD DC. + https://www.samba.org/samba/security/CVE-2023-42670.html + + +Changes since 4.19.0 +-------------------- + +o Jeremy Allison <j...@samba.org> + * BUG 15422: CVE-2023-3961. + +o Andrew Bartlett <abart...@samba.org> + * BUG 15424: CVE-2023-4154. + * BUG 15473: CVE-2023-42670. + * BUG 15474: CVE-2023-42669. + +o Ralph Boehme <s...@samba.org> + * BUG 15439: CVE-2023-4091. + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical:matrix.org matrix room, or +#samba-technical IRC channel on irc.libera.chat. 
+ +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- ============================== Release Notes for Samba 4.19.0 September 04, 2023 -- Samba Shared Repository
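Review bot: the VERSION hunk changes only SAMBA_VERSION_RELEASE from 0 to 1 (matching the `2 +-` stat in the summary), but the GIT_SNAPSHOT switch that commits cb9c352457e and d9e90993b40 describe is not part of the net diff, so this changeset on its own does not show whether snapshot builds are disabled for the 4.19.1 release; a packager validating the tag should read the tagged VERSION file directly rather than infer it from these two lines.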
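Review bot: the "Changes since 4.19.0" credit list in the WHATSNEW.txt hunk omits Andreas Schneider, although commit 52c633afa88 (CVE-2023-4154 s4:dsdb:tests: Fix code spelling, BUG 15424) in this same push is his; either add an entry such as `o Andreas Schneider <a...@samba.org>` / `* BUG 15424: CVE-2023-4154.` or state that test-only cleanups are not credited in the notes. The five CVE summaries otherwise line up with the commit messages above (the CVE-2023-4154 entry's "fails open on error conditions" matches the rationale in 1b321f4424a, and the CVE-2023-4091 entry's acl_xattr precondition matches the "read-only access via an SD" in 9cd1ad18af0).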
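The CVE-2023-4091 commit message (9cd1ad18af0) in the log above describes the defect precisely: an FILE_OVERWRITE or FILE_OVERWRITE_IF disposition implicitly adds FILE_WRITE_DATA to open_access_mask, but the security-descriptor check was run against the client's original access_mask, so a read-only principal could truncate a file. The following Python model is an added example, not Samba's code; the functions effective_open_mask, sd_allows, check_open_vulnerable and check_open_fixed, and the read-only "granted" mask, are constructed for illustration, while the FILE_READ_DATA/FILE_WRITE_DATA bits and the create-disposition values are the standard SMB2/NT ones.

```python
# Added example (not Samba code): models the access-check mismatch fixed for
# CVE-2023-4091. The function names and the toy ACL below are constructed.

FILE_READ_DATA = 0x00000001   # standard NT access-mask bits
FILE_WRITE_DATA = 0x00000002

FILE_OPEN = 1                 # standard SMB2/NT create dispositions
FILE_OVERWRITE = 4
FILE_OVERWRITE_IF = 5


def effective_open_mask(access_mask, create_disposition):
    """Overwrite dispositions truncate the file, so the server implicitly
    needs FILE_WRITE_DATA even when the client did not request it."""
    open_access_mask = access_mask
    if create_disposition in (FILE_OVERWRITE, FILE_OVERWRITE_IF):
        open_access_mask |= FILE_WRITE_DATA
    return open_access_mask


def sd_allows(granted_mask, wanted_mask):
    """Toy security-descriptor check: every wanted bit must be granted."""
    return (wanted_mask & ~granted_mask) == 0


def check_open_vulnerable(granted_mask, access_mask, create_disposition):
    """Pre-fix behaviour: the check uses the client's access_mask, so a
    read-only principal passes and the file is then truncated anyway.
    Returns (allowed, mask actually used for the open)."""
    open_access_mask = effective_open_mask(access_mask, create_disposition)
    allowed = sd_allows(granted_mask, access_mask)      # wrong mask checked
    return allowed, open_access_mask


def check_open_fixed(granted_mask, access_mask, create_disposition):
    """Post-fix behaviour: check the mask that will actually be used."""
    open_access_mask = effective_open_mask(access_mask, create_disposition)
    allowed = sd_allows(granted_mask, open_access_mask)  # right mask checked
    return allowed, open_access_mask


def demo():
    """Constructed scenario: the SD grants this user read-only access and the
    client opens with FILE_OVERWRITE while asking only for FILE_READ_DATA."""
    granted = FILE_READ_DATA
    vuln, _ = check_open_vulnerable(granted, FILE_READ_DATA, FILE_OVERWRITE)
    fixed, _ = check_open_fixed(granted, FILE_READ_DATA, FILE_OVERWRITE)
    return {"vulnerable_allows_truncate": vuln, "fixed_allows_truncate": fixed}


if __name__ == "__main__":
    print(demo())
```

The general rule the model illustrates is that an authorization check must be evaluated against the rights the operation will actually exercise, after any implicit additions, not against what the caller nominally asked for.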