The branch, master has been updated
       via  a6c387d NEWS[4.19.3]: Samba 4.19.3 Available for Download
      from  4ce4e3e NEWS[4.19.2]: Samba 4.19.2 Available for Download
https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit a6c387d97d24de18a023465777e35dadeb47013b Author: Jule Anger <jan...@samba.org> Date: Mon Nov 27 13:10:28 2023 +0100 NEWS[4.19.3]: Samba 4.19.3 Available for Download Signed-off-by: Jule Anger <jan...@samba.org> tmp ----------------------------------------------------------------------- Summary of changes: history/header_history.html | 1 + history/samba-4.19.3.html | 122 +++++++++++++++++++++++ posted_news/20231127-121657.4.19.3.body.html | 13 +++ posted_news/20231127-121657.4.19.3.headline.html | 3 + security/CVE-2018-14628.html | 121 ++++++++++++++++++++++ 5 files changed, 260 insertions(+) create mode 100644 history/samba-4.19.3.html create mode 100644 posted_news/20231127-121657.4.19.3.body.html create mode 100644 posted_news/20231127-121657.4.19.3.headline.html create mode 100644 security/CVE-2018-14628.html Changeset truncated at 500 lines: diff --git a/history/header_history.html b/history/header_history.html index ef2d992..05d409d 100755 --- a/history/header_history.html +++ b/history/header_history.html @@ -9,6 +9,7 @@ <li><a href="/samba/history/">Release Notes</a> <li class="navSub"> <ul> + <li><a href="samba-4.19.3.html">samba-4.19.3.</a></li> <li><a href="samba-4.19.2.html">samba-4.19.2</a></li> <li><a href="samba-4.19.1.html">samba-4.19.1</a></li> <li><a href="samba-4.19.0.html">samba-4.19.0</a></li> diff --git a/history/samba-4.19.3.html b/history/samba-4.19.3.html new file mode 100644 index 0000000..584e293 --- /dev/null +++ b/history/samba-4.19.3.html 
@@ -0,0 +1,122 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.19.3 - Release Notes</title> +</head> +<body> +<H2>Samba 4.19.3 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.19.3.tar.gz">Samba 4.19.3 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.19.3.tar.asc">Signature</a> +</p> +<p> +<a href="https://download.samba.org/pub/samba/patches/samba-4.19.2-4.19.3.diffs.gz">Patch (gzipped) against Samba 4.19.2</a><br> +<a href="https://download.samba.org/pub/samba/patches/samba-4.19.2-4.19.3.diffs.asc">Signature</a> +</p> +<p> +<pre> + ============================== + Release Notes for Samba 4.19.3 + November 27, 2023 + ============================== + + +This is the latest stable release of the Samba 4.19 release series. +It contains the security-relevant bugfix CVE-2018-14628: + + Wrong ntSecurityDescriptor values for "CN=Deleted Objects" + allow read of object tombstones over LDAP + (Administrator action required!) + https://www.samba.org/samba/security/CVE-2018-14628.html + + +Description of CVE-2018-14628 +----------------------------- + +All versions of Samba from 4.0.0 onwards are vulnerable to an +information leak (compared with the established behaviour of +Microsoft's Active Directory) when Samba is an Active Directory Domain +Controller. + +When a domain was provisioned with an unpatched Samba version, +the ntSecurityDescriptor is simply inherited from Domain/Partition-HEAD-Object +instead of being very strict (as on a Windows provisioned domain). + +This means also non privileged users can use the +LDAP_SERVER_SHOW_DELETED_OID control in order to view, +the names and preserved attributes of deleted objects. 
+ +No information that was hidden before the deletion is visible, but in +with the correct ntSecurityDescriptor value in place the whole object +is also not visible without administrative rights. + +There is no further vulnerability associated with this error, merely an +information disclosure. + +Action required in order to resolve CVE-2018-14628! +--------------------------------------------------- + +The patched Samba does NOT protect existing domains! + +The administrator needs to run the following command +(on only one domain controller) +in order to apply the protection to an existing domain: + + samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix + +The above requires manual interaction in order to review the +changes before they are applied. Typicall question look like this: + + Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default? + Owner mismatch: SY (in ref) DA(in current) + Group mismatch: SY (in ref) DA(in current) + Part dacl is different between reference and current here is the detail: + (A;;LCRPLORC;;;AU) ACE is not present in the reference + (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference + (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference + (A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current + (A;;LCRP;;;BA) ACE is not present in the current + [y/N/all/none] y + Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=samba,DC=org' + +The change should be confirmed with 'y' for all objects starting with +'CN=Deleted Objects'. + + +Changes since 4.19.2 +-------------------- + +o Douglas Bagnall <douglas.bagn...@catalyst.net.nz> + * BUG 15520: sid_strings test broken by unix epoch > 1700000000. + +o Ralph Boehme <s...@samba.org> + * BUG 15487: smbd crashes if asked to return full information on close of a + stream handle with delete on close disposition set. 
+ * BUG 15521: smbd: fix close order of base_fsp and stream_fsp in + smb_fname_fsp_destructor(). + +o Pavel Filipenský <pfilipen...@samba.org> + * BUG 15499: Improve logging for failover scenarios. + +o Björn Jacke <b...@sernet.de> + * BUG 15093: Files without "read attributes" NFS4 ACL permission are not + listed in directories. + +o Stefan Metzmacher <me...@samba.org> + * BUG 13595: CVE-2018-14628 [SECURITY] Deleted Object tombstones visible in + AD LDAP to normal users. + * BUG 15492: Kerberos TGS-REQ with User2User does not work for normal + accounts. + +o Christof Schmitt <c...@samba.org> + * BUG 15507: vfs_gpfs stat calls fail due to file system permissions. + +o Andreas Schneider <a...@samba.org> + * BUG 15513: Samba doesn't build with Python 3.12. + + +</pre> +</p> +</body> +</html> diff --git a/posted_news/20231127-121657.4.19.3.body.html b/posted_news/20231127-121657.4.19.3.body.html new file mode 100644 index 0000000..03afe16 --- /dev/null +++ b/posted_news/20231127-121657.4.19.3.body.html @@ -0,0 +1,13 @@ +<!-- BEGIN: posted_news/20231127-121657.4.19.3.body.html --> +<h5><a name="4.19.3">27 November 2023</a></h5> +<p class=headline>Samba 4.19.3 Available for Download</p> +<p> +This is the latest stable release of the Samba 4.19 release series. +</p> +<p> +The uncompressed tarball has been signed using GnuPG (ID AA99442FB680B620). +The source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.19.3.tar.gz">downloaded now</a>. +A <a href="https://download.samba.org/pub/samba/patches/samba-4.19.2-4.19.3.diffs.gz">patch against Samba 4.19.2</a> is also available. +See <a href="https://www.samba.org/samba/history/samba-4.19.3.html">the release notes for more info</a>. +</p> +<!-- END: posted_news/20231127-121657.4.19.3.body.html --> diff --git a/posted_news/20231127-121657.4.19.3.headline.html b/posted_news/20231127-121657.4.19.3.headline.html new file mode 100644 index 0000000..b1f889c --- /dev/null 
+++ b/posted_news/20231127-121657.4.19.3.headline.html @@ -0,0 +1,3 @@ +<!-- BEGIN: posted_news/20231127-121657.4.19.3.headline.html --> +<li> 27 November 2023 <a href="#4.19.3">Samba 4.19.3 Available for Download</a></li> +<!-- END: posted_news/20231127-121657.4.19.3.headline.html --> diff --git a/security/CVE-2018-14628.html b/security/CVE-2018-14628.html new file mode 100644 index 0000000..0264d04 --- /dev/null +++ b/security/CVE-2018-14628.html 
@@ -0,0 +1,121 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> + +<head> +<title>Samba - Security Announcement Archive</title> +</head> + +<body> + + <H2>CVE-2018-14628.html:</H2> + +<p> +<pre> +==================================================================== +== Subject: Unprivileged read of deleted object tombstones +== in AD LDAP server +== +== CVE ID#: CVE-2018-14628 +== +== Versions: All versions of Samba from 4.0.0 onwards. +== +== Summary: Wrong ntSecurityDescriptor values for "CN=Deleted Objects" +== allow read of object tombstones over LDAP +== (Administrator action required!) +== +==================================================================== + +=========== +Description +=========== + +All versions of Samba from 4.0.0 onwards are vulnerable to an +information leak (compared with the established behaviour of +Microsoft's Active Directory) when Samba is an Active Directory Domain +Controller. + +When a domain was provisioned with an unpatched Samba version, +the ntSecurityDescriptor is simply inherited from Domain/Partition-HEAD-Object +instead of being very strict (as on a Windows provisioned domain). + +This means also non privileged users can use the +LDAP_SERVER_SHOW_DELETED_OID control in order to view, +the names and preserved attributes of deleted objects. + +No information that was hidden before the deletion is visible, but in +with the correct ntSecurityDescriptor value in place the whole object +is also not visible without administrative rights. + +There is no further vulnerability associated with this error, merely an +information disclosure. + +=================================================== +Action required in order to resolve CVE-2018-14628! +=================================================== + +The patched Samba does NOT protect existing domains! 
+ +The administrator needs to run the following command +(on only one domain controller) +in order to apply the protection to an existing domain: + + samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix + +The above requires manual interaction in order to review the +changes before they are applied. Typicall question look like this: + + Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default? + Owner mismatch: SY (in ref) DA(in current) + Group mismatch: SY (in ref) DA(in current) + Part dacl is different between reference and current here is the detail: + (A;;LCRPLORC;;;AU) ACE is not present in the reference + (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference + (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference + (A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current + (A;;LCRP;;;BA) ACE is not present in the current + [y/N/all/none] y + Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=samba,DC=org' + +The change should be confirmed with 'y' for all objects starting with +'CN=Deleted Objects'. + +================== +Patch Availability +================== + +The Samba Team decided not to issue a dedicated security release, +see https://wiki.samba.org/index.php/Samba_Security_Process. + +See https://bugzilla.samba.org/show_bug.cgi?id=13595 + +========== +Workaround +========== + +The administrator can manually change the ntSecurityDescriptor +attribute for the "CN=Deleted Objects" containers to the +following SDDL: + + O:SYG:SYD:PAI(A;;RPWPCCDCLCRCWOWDSDSW;;;SY)(A;;RPLC;;;BA) + +It basically means System has FullAccess, while Builtin\Administrators +has ReadProperty and ListChildren rights. + +There's a separate "CN=Deleted Objects" container in the root +of each naming context/partition (expect the schema partition). +The fix should be applied to all (typically 4) partitions, +while the domain partition is the most important one. 
+ +======= +Credits +======= + +The initial bugs were found by the Andrew Bartlett of Catalyst. +Andrew Bartlett of Catalyst and the Samba Team did the investigation +and Stefan Metzmacher of SerNet provided the final fix. + + +</pre> +</body> +</html> \ No newline at end of file -- Samba Website Repository
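Review bot: in the history/header_history.html hunk, the new entry's link text `samba-4.19.3.` carries a trailing period that none of the neighbouring entries (`samba-4.19.2`, `samba-4.19.1`, `samba-4.19.0`) have; suggest `<li><a href="samba-4.19.3.html">samba-4.19.3</a></li>` so the navigation list stays consistent.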
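Review bot: the release notes text in the history/samba-4.19.3.html hunk has a few wording slips that will be read by every administrator acting on this CVE: "Typicall question look like this" should be "Typical questions look like this"; "but in with the correct ntSecurityDescriptor value in place" has a stray "in"; and "in order to view, the names and preserved attributes" has a stray comma. Since the same Description and Action-required paragraphs are duplicated verbatim in security/CVE-2018-14628.html in this commit, the fixes should be applied to both files.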
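Review bot: in the security/CVE-2018-14628.html hunk the `<p>` opened just before `<pre>` is never closed: the file ends `</pre> </body> </html>`, whereas the release notes page in the same commit closes it with `</pre> </p>`, so this page is not well-formed XHTML. Suggest adding `</p>` after `</pre>` (and a trailing newline, since the diff reports "No newline at end of file"). The same hunk also carries the typos "Typicall question look like this" and "but in with the correct ntSecurityDescriptor", plus two of its own: "(expect the schema partition)" should be "(except the schema partition)", and "found by the Andrew Bartlett of Catalyst" has a stray "the". Finally, the Workaround section says the SDDL gives System "FullAccess", but the SY ACE `(A;;RPWPCCDCLCRCWOWDSDSW;;;SY)` grants exactly the rights of the dbcheck reference ACE `(A;;CCDCLCSWRPWPSDRCWDWO;;;SY)` shown above, which omits the DT, LO and CR rights present in the "current" ACE; a wording such as "System has full control of the container" or listing the rights would be more precise.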