The branch, master has been updated
       via  7b2d307 NEWS[4.21.6]: Samba 4.21.6 Available for Download
      from  dbee442 style: use new header with red SAMBA logo
https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 7b2d307264d4481706ee41ad6ae091dbb8906527 Author: Jule Anger <jan...@samba.org> Date: Tue Jun 3 08:49:10 2025 +0200 NEWS[4.21.6]: Samba 4.21.6 Available for Download Signed-off-by: Jule Anger <jan...@samba.org> ----------------------------------------------------------------------- Summary of changes: history/header_history.html | 1 + history/samba-4.21.6.html | 95 ++++++++++++++++++++++++ posted_news/20250603-065054.4.21.6.body.html | 13 ++++ posted_news/20250603-065054.4.21.6.headline.html | 3 + security/CVE-2025-0620.html | 86 +++++++++++++++++++++ 5 files changed, 198 insertions(+) create mode 100644 history/samba-4.21.6.html create mode 100644 posted_news/20250603-065054.4.21.6.body.html create mode 100644 posted_news/20250603-065054.4.21.6.headline.html create mode 100644 security/CVE-2025-0620.html Changeset truncated at 500 lines: diff --git a/history/header_history.html b/history/header_history.html index 294d149..b275364 100755 --- a/history/header_history.html +++ b/history/header_history.html @@ -11,6 +11,7 @@ <ul> <li><a href="samba-4.22.1.html">samba-4.22.1</a></li> <li><a href="samba-4.22.0.html">samba-4.22.0</a></li> + <li><a href="samba-4.21.6.html">samba-4.21.6</a></li> <li><a href="samba-4.21.5.html">samba-4.21.5</a></li> <li><a href="samba-4.21.4.html">samba-4.21.4</a></li> <li><a href="samba-4.21.3.html">samba-4.21.3</a></li> diff --git a/history/samba-4.21.6.html b/history/samba-4.21.6.html new file mode 100644 index 0000000..491689b --- /dev/null +++ b/history/samba-4.21.6.html 
@@ -0,0 +1,95 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.21.6 - Release Notes</title> +</head> +<body> +<H2>Samba 4.21.6 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.21.6.tar.gz">Samba 4.21.6 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.21.6.tar.asc">Signature</a> +</p> +<p> +<a href="https://download.samba.org/pub/samba/patches/samba-4.21.5-4.21.6.diffs.gz">Patch (gzipped) against Samba 4.21.5</a><br> +<a href="https://download.samba.org/pub/samba/patches/samba-4.21.5-4.21.6.diffs.asc">Signature</a> +</p> +<p> +<pre> + ============================== + Release Notes for Samba 4.21.6 + June 03, 2025 + ============================== + + +This is the latest stable release of the Samba 4.21 release series. +It contains the security-relevant bugfix CVE-2025-0620: + + smbd doesn't pick up group membership changes + when re-authenticating an expired SMB session: + https://www.samba.org/samba/security/CVE-2025-0620.html + + +Description of CVE-2025-0620 +----------------------------- + + With Kerberos authentication SMB sessions typically have an + associated lifetime, requiring re-authentication by the + client when the session expires. As part of the + re-authentication, Samba receives the current group + membership information and is expected to reflect this + change in further SMB request processing. + + For historic reasons, Samba maintains a cache of + associations between a user's impersonation information and + connected shares. A recent change in this cache caused Samba + to not reflect group membership changes from session + re-authentication when processing further SMB requests. 
+ + As a result, when an administrator removes a user from a + particular group in Active Directory, this change will not + become effective unless the user disconnects from the server + and establishes a new connection. + + +Changes since 4.21.5 +-------------------- + +o Douglas Bagnall <douglas.bagn...@catalyst.net.nz> + * BUG 15774: Running "gpo manage motd set" twice fails with backtrace. + * BUG 15829: samba-tool gpo backup creates entity backups it can't read. + * BUG 15839: gp_cert_auto_enroll_ext.py has problem unpacking GUIDs with + prepended 0's. + +o Ralph Boehme <s...@samba.org> + * BUG 15707: CVE-2025-0620 [SECURITY] smbd doesn't pick up group membership + changes when re-authenticating an expired SMB session. + * BUG 15767: Deadlock between two smbd processes. + +o Pavel Filipenský <pfilipen...@samba.org> + * BUG 15727: net ad join fails with "Failed to join domain: failed to create + kerberos keytab". + +o Andreas Hasenack <andreas.hasen...@canonical.com> + * BUG 15774: Running "gpo manage motd set" twice fails with backtrace. + +o Volker Lendecke <v...@samba.org> + * BUG 15841: Wide link issue in samba 4.22. + +o Stefan Metzmacher <me...@samba.org> + * BUG 15767: Deadlock between two smbd processes. + * BUG 15851: dcerpcd not able to bind to listening port. + +o Anoop C S <anoo...@samba.org> + * BUG 15819: vfs_ceph_snapshots fails to list snapshots for entries at any + level beyond share root. + +o Martin Schwenke <mschwe...@ddn.com> + * BUG 15858: CTDB does not put nodes running NFS into grace on graceful + shutdown. + + +</pre> +</p> +</body> +</html> diff --git a/posted_news/20250603-065054.4.21.6.body.html b/posted_news/20250603-065054.4.21.6.body.html new file mode 100644 index 0000000..06350b8 --- /dev/null +++ b/posted_news/20250603-065054.4.21.6.body.html 
@@ -0,0 +1,13 @@ +<!-- BEGIN: posted_news/20250603-065054.4.21.6.body.html --> +<h5><a name="4.21.6">03 June 2025</a></h5> +<p class=headline>Samba 4.21.6 Available for Download</p> +<p> +This is the latest stable release of the Samba 4.21 release series. +</p> +<p> +The uncompressed tarball has been signed using GnuPG (ID AA99442FB680B620). +The source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.21.6.tar.gz">downloaded now</a>. +A <a href="https://download.samba.org/pub/samba/patches/samba-4.21.5-4.21.6.diffs.gz">patch against Samba 4.21.5</a> is also available. +See <a href="https://www.samba.org/samba/history/samba-4.21.6.html">the release notes for more info</a>. +</p> +<!-- END: posted_news/20250603-065054.4.21.6.body.html --> diff --git a/posted_news/20250603-065054.4.21.6.headline.html b/posted_news/20250603-065054.4.21.6.headline.html new file mode 100644 index 0000000..27ee7a2 --- /dev/null +++ b/posted_news/20250603-065054.4.21.6.headline.html @@ -0,0 +1,3 @@ +<!-- BEGIN: posted_news/20250603-065054.4.21.6.headline.html --> +<li> 03 June 2025 <a href="#4.21.6">Samba 4.21.6 Available for Download</a></li> +<!-- END: posted_news/20250603-065054.4.21.6.headline.html --> diff --git a/security/CVE-2025-0620.html b/security/CVE-2025-0620.html new file mode 100644 index 0000000..7ad80cd --- /dev/null +++ b/security/CVE-2025-0620.html 
@@ -0,0 +1,86 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> + +<head> +<title>Samba - Security Announcement Archive</title> +</head> + +<body> + + <H2>CVE-2025-0620.html:</H2> + +<p> +<pre> +=========================================================== +== Subject: smbd doesn't pick up group membership changes +== when re-authenticating an expired SMB session +== +== CVE ID#: CVE-2025-0620 +== +== Versions: All versions starting with 4.21.0 +== +== Summary: When using Kerberos authentication with SMB, +== smbd doesn't pick up group membership changes +== when re-authenticating an expired SMB session +=========================================================== + +=========== +Description +=========== + +With Kerberos authentication SMB sessions typically have an +associated lifetime, requiring re-authentication by the +client when the session expires. As part of the +re-authentication, Samba receives the current group +membership information and is expected to reflect this +change in further SMB request processing. + +For historic reasons, Samba maintains a cache of +associations between a user's impersonation information and +connected shares. A recent change in this cache caused Samba +to not reflect group membership changes from session +re-authentication when processing further SMB requests. + +As a result, when an administrator removes a user from a +particular group in Active Directory, this change will not +become effective unless the user disconnects from the server +and establishes a new connection. + +================== +Patch Availability +================== + +The Samba Team decided not to issue a dedicated security release, +see https://wiki.samba.org/index.php/Samba_Security_Process. 
+ +See https://bugzilla.samba.org/show_bug.cgi?id=15707 + +================== +CVSSv4 calculation +================== + +CVSS 4.0: AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/S:N/AU:N/R:I/V:C/RE:L (7) + +========== +Workaround +========== + +None. + +======= +Credits +======= + +Originally reported by Anoop C S of the Samba Team. + +Patch provided by Ralph Boehme of the Samba team. + +========================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +========================================================== + +</pre> +</body> +</html> \ No newline at end of file -- Samba Website Repository
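Review bot: In history/samba-4.21.6.html the `<br>` tags after the tarball and patch links are left unclosed, which is not well-formed for the XHTML 1.0 DTD the file declares; use `<br />`. The `<pre>` block is also wrapped in `<p>` ... `</p>`, and the Transitional DTD only allows inline content inside `p`, so drop the surrounding paragraph or move the `<pre>` out of it. Since the "Signature" link (samba-4.21.6.tar.asc) sits directly under the .tar.gz link, consider stating, as posted_news/20250603-065054.4.21.6.body.html already does, that the signature is over the uncompressed tarball, otherwise readers will try to verify the .tar.gz against it and fail.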
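Review bot: `<p class=headline>` in posted_news/20250603-065054.4.21.6.body.html uses an unquoted attribute value; XHTML requires `<p class="headline">`. The `<a name="4.21.6">` anchor does match the `href="#4.21.6"` in the headline fragment, so the cross-link between the two new files is consistent.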
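Review bot: In security/CVE-2025-0620.html the `<p>` opened just before `<pre>` is never closed (the file goes from `</pre>` straight to `</body>`), and the uppercase `<H2>` is invalid in XHTML, where element names are lowercase; the file also ends without a trailing newline. On content: the Patch Availability section says no dedicated security release was issued but never names the versions that carry the fix, even though this same commit publishes 4.21.6 with BUG 15707 in its changelog; state that 4.21.6 contains the fix, and, given "Versions: All versions starting with 4.21.0", say whether the 4.22 series is affected and where it is fixed. The CVSS 4.0 vector lacks the `CVSS:4.0/` prefix the specification uses, and "(7)" should say which score it is (base score, or the score including the supplemental metrics listed). Finally, the Workaround section says "None." while the Description itself states that the stale membership is dropped once the user disconnects and reconnects; mentioning that administrators can force existing sessions to be torn down after a group change would give readers the mitigation the advisory already implies.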