The branch, master has been updated
via 54ef6c8 NEWS[4.23.2]: Samba 4.23.2, 4.22.5 and 4.21.9 Security Releases are available for Download
from 6527f82 NEWS[4.23.1]: Samba 4.23.1 Available for Download
https://git.samba.org/?p=samba-web.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 54ef6c87b451492ea3b87319dec82f1f69050117
Author: Jule Anger <[email protected]>
Date: Wed Oct 15 11:14:57 2025 +0200
NEWS[4.23.2]: Samba 4.23.2, 4.22.5 and 4.21.9 Security Releases are available for Download
Signed-off-by: Jule Anger <[email protected]>
-----------------------------------------------------------------------
Summary of changes:
history/header_history.html | 3 +
history/samba-4.21.9.html | 47 +++++++++
history/samba-4.22.5.html | 47 +++++++++
history/samba-4.23.2.html | 47 +++++++++
history/security.html | 26 +++++
posted_news/20251015-084830.4.23.2.body.html | 31 ++++++
posted_news/20251015-084830.4.23.2.headline.html | 3 +
security/CVE-2025-10230.html | 118 +++++++++++++++++++++++
security/CVE-2025-9640.html | 88 +++++++++++++++++
9 files changed, 410 insertions(+)
create mode 100644 history/samba-4.21.9.html
create mode 100644 history/samba-4.22.5.html
create mode 100644 history/samba-4.23.2.html
create mode 100644 posted_news/20251015-084830.4.23.2.body.html
create mode 100644 posted_news/20251015-084830.4.23.2.headline.html
create mode 100644 security/CVE-2025-10230.html
create mode 100644 security/CVE-2025-9640.html
Changeset truncated at 500 lines:
diff --git a/history/header_history.html b/history/header_history.html
index a399f14..23ec76f 100755
--- a/history/header_history.html
+++ b/history/header_history.html
@@ -9,13 +9,16 @@
<li><a href="/samba/history/">Release Notes</a>
<li class="navSub">
<ul>
+ <li><a href="samba-4.23.2.html">samba-4.23.2</a></li>
<li><a href="samba-4.23.1.html">samba-4.23.1</a></li>
<li><a href="samba-4.23.0.html">samba-4.23.0</a></li>
+ <li><a href="samba-4.22.5.html">samba-4.22.5</a></li>
<li><a href="samba-4.22.4.html">samba-4.22.4</a></li>
<li><a href="samba-4.22.3.html">samba-4.22.3</a></li>
<li><a href="samba-4.22.2.html">samba-4.22.2</a></li>
<li><a href="samba-4.22.1.html">samba-4.22.1</a></li>
<li><a href="samba-4.22.0.html">samba-4.22.0</a></li>
+ <li><a href="samba-4.21.9.html">samba-4.21.9</a></li>
<li><a href="samba-4.21.8.html">samba-4.21.8</a></li>
<li><a href="samba-4.21.7.html">samba-4.21.7</a></li>
<li><a href="samba-4.21.6.html">samba-4.21.6</a></li>
diff --git a/history/samba-4.21.9.html b/history/samba-4.21.9.html
new file mode 100644
index 0000000..aa18688
--- /dev/null
+++ b/history/samba-4.21.9.html
@@ -0,0 +1,47 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.21.9 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.21.9 Available for Download</H2>
+<p>
+<a
href="https://download.samba.org/pub/samba/stable/samba-4.21.9.tar.gz">Samba
4.21.9 (gzipped)</a><br>
+<a
href="https://download.samba.org/pub/samba/stable/samba-4.21.9.tar.asc">Signature</a>
+</p>
+<p>
+<a
href="https://download.samba.org/pub/samba/patches/samba-4.21.8-4.21.9.diffs.gz">Patch
(gzipped) against Samba 4.21.8</a><br>
+<a
href="https://download.samba.org/pub/samba/patches/samba-4.21.8-4.21.9.diffs.asc">Signature</a>
+</p>
+<p>
+<pre>
+ ==============================
+ Release Notes for Samba 4.21.9
+ October 15, 2025
+ ==============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2025-9640: Uninitialized memory disclosure via vfs_streams_xattr.
+ https://www.samba.org/samba/security/CVE-2025-9640.html
+
+o CVE-2025-10230: Command injection via WINS server hook script.
+ https://www.samba.org/samba/security/CVE-2025-10230.html
+
+
+Changes since 4.21.8
+--------------------
+
+o Douglas Bagnall <[email protected]>
+ * BUG 15903: CVE-2025-10230.
+
+o Andrew Walker <[email protected]>
+ * BUG 15885: CVE-2025-9640.
+
+
+</pre>
+</p>
+</body>
+</html>
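Review bot: the markup in this new page does not match the XHTML 1.0 Transitional DOCTYPE declared on its first line: `<H2>` must be lowercase `<h2>`, `<br>` must be self-closed as `<br />`, and the block-level `<pre>` may not sit inside `<p>` (drop the `<p>`/`</p>` wrapping around the `<pre>` block). The release-note content itself, the two CVE entries with their advisory URLs and the two BUG references, is consistent with the sibling 4.22.5 and 4.23.2 pages in this commit.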
diff --git a/history/samba-4.22.5.html b/history/samba-4.22.5.html
new file mode 100644
index 0000000..8d424e0
--- /dev/null
+++ b/history/samba-4.22.5.html
@@ -0,0 +1,47 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.22.5 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.22.5 Available for Download</H2>
+<p>
+<a
href="https://download.samba.org/pub/samba/stable/samba-4.22.5.tar.gz">Samba
4.22.5 (gzipped)</a><br>
+<a
href="https://download.samba.org/pub/samba/stable/samba-4.22.5.tar.asc">Signature</a>
+</p>
+<p>
+<a
href="https://download.samba.org/pub/samba/patches/samba-4.22.4-4.22.5.diffs.gz">Patch
(gzipped) against Samba 4.22.4</a><br>
+<a
href="https://download.samba.org/pub/samba/patches/samba-4.22.4-4.22.5.diffs.asc">Signature</a>
+</p>
+<p>
+<pre>
+ ==============================
+ Release Notes for Samba 4.22.5
+ October 15, 2025
+ ==============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2025-9640: Uninitialized memory disclosure via vfs_streams_xattr.
+ https://www.samba.org/samba/security/CVE-2025-9640.html
+
+o CVE-2025-10230: Command injection via WINS server hook script.
+ https://www.samba.org/samba/security/CVE-2025-10230.html
+
+
+Changes since 4.22.4
+--------------------
+
+o Douglas Bagnall <[email protected]>
+ * BUG 15903: CVE-2025-10230.
+
+o Andrew Walker <[email protected]>
+ * BUG 15885: CVE-2025-9640.
+
+
+</pre>
+</p>
+</body>
+</html>
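Review bot: same XHTML validity problems as the 4.21.9 page in this commit: `<H2>` should be `<h2>`, `<br>` should be `<br />`, and `<pre>` should not be wrapped in `<p>`. If these pages come from a common template, fixing the template once would cover all three release pages.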
diff --git a/history/samba-4.23.2.html b/history/samba-4.23.2.html
new file mode 100644
index 0000000..38108f7
--- /dev/null
+++ b/history/samba-4.23.2.html
@@ -0,0 +1,47 @@
++<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
++ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
++<html xmlns="http://www.w3.org/1999/xhtml">
++<head>
++<title>Samba 4.23.2 - Release Notes</title>
++</head>
++<body>
++<H2>Samba 4.23.2 Available for Download</H2>
++<p>
++<a
href="https://download.samba.org/pub/samba/stable/samba-4.23.2.tar.gz">Samba
4.23.2 (gzipped)</a><br>
++<a
href="https://download.samba.org/pub/samba/stable/samba-4.23.2.tar.asc">Signature</a>
++</p>
++<p>
++<a
href="https://download.samba.org/pub/samba/patches/samba-4.23.1-4.23.2.diffs.gz">Patch
(gzipped) against Samba 4.23.1</a><br>
++<a
href="https://download.samba.org/pub/samba/patches/samba-4.23.1-4.23.2.diffs.asc">Signature</a>
++</p>
++<p>
++<pre>
++ ==============================
++ Release Notes for Samba 4.23.2
++ October 15, 2025
++ ==============================
++
++
++This is a security release in order to address the following defects:
++
++o CVE-2025-9640: Uninitialized memory disclosure via vfs_streams_xattr.
++ https://www.samba.org/samba/security/CVE-2025-9640.html
++
++o CVE-2025-10230: Command injection via WINS server hook script.
++ https://www.samba.org/samba/security/CVE-2025-10230.html
++
++
++Changes since 4.23.1
++--------------------
++
++o Douglas Bagnall <[email protected]>
++ * BUG 15903: CVE-2025-10230.
++
++o Andrew Walker <[email protected]>
++ * BUG 15885: CVE-2025-9640.
++
++
++</pre>
++</p>
++</body>
++</html>
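Review bot: every added line of samba-4.23.2.html carries a double `++` prefix, from `++<!DOCTYPE` through `++</html>`, while the 4.21.9 and 4.22.5 pages show a single `+`. Either the committed file begins each line with a literal `+`, which would render as stray plus signs on the published page, or the mail has garbled the hunk; please confirm that line 1 of the file reads `<!DOCTYPE html PUBLIC ...` before this goes live. The XHTML points raised for the sibling pages (`<H2>`, unclosed `<br>`, `<pre>` inside `<p>`) apply here too.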
diff --git a/history/security.html b/history/security.html
index d359aff..67b0b55 100755
--- a/history/security.html
+++ b/history/security.html
@@ -31,6 +31,32 @@ link to full release notes for each release.</p>
<td><em>CVE ID #</em></td>
<td><em>Details</em></td>
</tr>
+
+ <tr>
+ <td>15 October 2025</td>
+ <td>
+ <a
href="/samba/ftp/patches/security/samba-4.23.2-security-2025-10-15.patch">
+ patch for Samba 4.23.2</a><br/>
+ <a
href="/samba/ftp/patches/security/samba-4.22.5-security-2025-10-15.patch">
+ patch for Samba 4.22.5</a><br/>
+ <a
href="/samba/ftp/patches/security/samba-4.21.9-security-2025-10-15.patch">
+ patch for Samba 4.21.9</a><br/>
+ </td>
+ <td>
+ CVE-2025-10230 and CVE-2025-9640.
+ Please see announcements for details.
+ </td>
+ <td>Please refer to the advisories.</td>
+ <td>
+ <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-10230">CVE-2025-10230</a>,
+ <a
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9640">CVE-2025-9640</a>.
+ </td>
+ <td>
+ <a href="/samba/security/CVE-2025-10230.html">Announcement</a>,
+ <a href="/samba/security/CVE-2025-9640.html">Announcement</a>.
+ </td>
+ </tr>
+
<tr>
<td>10 October 2023</td>
<td>
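Review bot: the two links in the last cell of the new row both read "Announcement" and are only distinguishable by order; labelling them with their CVE ids (e.g. "CVE-2025-10230 announcement") would let a reader pick the right one without following both links. Likewise the Details cell "Please refer to the advisories." carries no information; a one-line summary per CVE, as the release notes in this same commit already give (command injection via the WINS hook script; uninitialized memory disclosure via vfs_streams_xattr), would make the table useful when scanning.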
diff --git a/posted_news/20251015-084830.4.23.2.body.html
b/posted_news/20251015-084830.4.23.2.body.html
new file mode 100644
index 0000000..60ac6b3
--- /dev/null
+++ b/posted_news/20251015-084830.4.23.2.body.html
@@ -0,0 +1,31 @@
+<!-- BEGIN: posted_news/20251015-084830.4.23.2.body.html -->
+<h5><a name="4.23.2">15 October 2025</a></h5>
+<p class=headline>Samba 4.23.2, 4.22.5 and 4.21.9 Security Releases are
available for Download</p>
+<p>
+<a href="/samba/security/CVE-2025-10230.html">CVE-2025-10230</a> and
+<a href="/samba/security/CVE-2025-9640.html">CVE-2025-9640</a>.
+</p>
+
+<p>
+The uncompressed tarball has been signed using GnuPG (ID AA99442FB680B620).
+<p>
+
+<p>
+The 4.23.2 source code can be <a
href="https://download.samba.org/pub/samba/stable/samba-4.23.2.tar.gz">downloaded
now</a>.
+A <a
href="https://download.samba.org/pub/samba/patches/samba-4.23.1-4.23.2.diffs.gz">patch
against Samba 4.23.1</a> is also available.
+See <a href="https://www.samba.org/samba/history/samba-4.23.2.html">the
release notes for more info</a>.
+</p>
+
+<p>
+The 4.22.5 source code can be <a
href="https://download.samba.org/pub/samba/stable/samba-4.22.5.tar.gz">downloaded
now</a>.
+A <a
href="https://download.samba.org/pub/samba/patches/samba-4.22.4-4.22.5.diffs.gz">patch
against Samba 4.22.4</a> is also available.
+See <a href="https://www.samba.org/samba/history/samba-4.22.5.html">the
release notes for more info</a>.
+</p>
+
+<p>
+The 4.21.9 source code can be <a
href="https://download.samba.org/pub/samba/stable/samba-4.21.9.tar.gz">downloaded
now</a>.
+A <a
href="https://download.samba.org/pub/samba/patches/samba-4.21.8-4.21.9.diffs.gz">patch
against Samba 4.21.8</a> is also available.
+See <a href="https://www.samba.org/samba/history/samba-4.21.9.html">the
release notes for more info</a>.
+</p>
+
+<!-- END: posted_news/20251015-084830.4.23.2.body.html -->
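Review bot: the paragraph stating that the tarball was signed with GnuPG is opened with `<p>` and then followed by a second `<p>` where `</p>` was intended, leaving that paragraph unclosed and the following ones nested inside it; the second `<p>` should be `</p>`. A smaller point: the first paragraph is just the two CVE links with no surrounding sentence; a short lead such as "This release addresses" would read better on the news page.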
diff --git a/posted_news/20251015-084830.4.23.2.headline.html
b/posted_news/20251015-084830.4.23.2.headline.html
new file mode 100644
index 0000000..62c24f8
--- /dev/null
+++ b/posted_news/20251015-084830.4.23.2.headline.html
@@ -0,0 +1,3 @@
+<!-- BEGIN: posted_news/20251015-084830.4.23.2.headline.html -->
+<li> 15 October 2025 <a href="#4.23.2">Samba 4.23.2, 4.22.5 and 4.21.9
Security Releases are available for Download</a></li>
+<!-- END: posted_news/20251015-084830.4.23.2.headline.html -->
diff --git a/security/CVE-2025-10230.html b/security/CVE-2025-10230.html
new file mode 100644
index 0000000..d35412c
--- /dev/null
+++ b/security/CVE-2025-10230.html
@@ -0,0 +1,118 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+ <H2>CVE-2025-10230.html:</H2>
+
+<p>
+<pre>
+=================================================================
+== Subject: Command injection via WINS server hook script
+==
+== CVE ID#: CVE-2025-10230
+==
+== Versions: All versions since 4.0
+==
+== Summary: If the 'wins hook' parameter is set on a domain
+== controller with the WINS server enabled,
+== unauthenticated remote code execution is possible.
+=================================================================
+
+===========
+Description
+===========
+
+If a Samba server has WINS support enabled (it is off by default), and
+it has a 'wins hook' parameter specified, the program specified by
+that parameter will be run whenever a WINS name is changed.
+
+The WINS server used by the Samba Active Directory Domain Controller
+did not validate the names passed to the wins hook program, and it
+passed them by inserting them into a string run by a shell.
+
+WINS is an obsolete and trusting protocol, and clients can request any
+name that fits within the 15 character NetBIOS limit. This includes
+some shell metacharacters, making it possible to run arbitrary
+commands on the host.
+
+The WINS server used by Samba when it is not a domain controller is
+unaffected.
+
+==================
+Patch Availability
+==================
+
+Patches addressing this issue have been posted to:
+
+ https://www.samba.org/samba/security/
+
+Additionally, Samba 4.23.2, 4.22.5, and 4.21.9 have been issued as
+security releases to correct the defect. Samba administrators are
+advised to upgrade to these releases or apply the patch as soon as
+possible.
+
+==================
+CVSSv3 calculation
+==================
+
+CVSS:3.1: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (10.0)
+
+==========
+Workaround
+==========
+
+Avoid setting the 'wins hook' parameter in the smb.conf of a Samba AD
+Domain Controller.
+
+The 'wins hook' parameter is only effective when 'wins
support' is
+enabled. In other words, this combination is safe, regardless of 'wins
+hook':
+
+ server role = domain controller
+ wins support = no
+
+The default value for 'wins support' is 'no', so it is
safe (though
+pointless) for 'wins hook' occurs if 'wins support' does
not.
+
+It does NOT help to have 'wins hook' set to a non-existent or
+non-executable path, but an explicitly empty value
+
+ wins hook =
+
+is OK.
+
+When 'server role' is not 'domain controller' (or its
synonyms 'active
+directory domain controller', 'dc'), the server is not affected.
+Specifically, 'member' or 'standalone' servers use a
different WINS
+server that is not vulnerable.
+
+The 'wins hook' parameter is unlikely to be useful on a domain
+controller, and administrators who use it might want to reconsider
+that choice even on a patched server. It may not be supported in
+future Samba releases.
+
+=======
+Credits
+=======
+
+Reported by Igor Morgenstern of Aisle Research.
+
+Patches provided by Douglas Bagnall of the Samba team and Catalyst IT.
+
+This advisory written by Douglas Bagnall.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+
+
+</pre>
+</body>
+</html>
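Review bot: the Workaround sentence "The default value for 'wins support' is 'no', so it is safe (though pointless) for 'wins hook' occurs if 'wins support' does not." is ungrammatical; presumably it should read "so it is safe (though pointless) for 'wins hook' to occur if 'wins support' does not". Separately, the `<p>` opened before `<pre>` is never closed (the file goes straight from `</pre>` to `</body>`), and as with the release pages `<pre>` should not be inside `<p>` at all. The hard wraps that the mail shows inside 'wins support', 'safe (though' and 'active directory domain controller' look like mail wrapping rather than file content, but are worth a glance in the committed file.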
diff --git a/security/CVE-2025-9640.html b/security/CVE-2025-9640.html
new file mode 100644
index 0000000..09d3f0d
--- /dev/null
+++ b/security/CVE-2025-9640.html
@@ -0,0 +1,88 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+ <H2>CVE-2025-9640.html:</H2>
+
+<p>
+<pre>
+===========================================================
+== Subject: uninitialized memory disclosure via vfs_streams_xattr
+==
+== CVE ID#: CVE-2025-9640
+==
+== Versions: All versions since 3.2
+==
+== Summary: Uninitialised memory can be written into alternate data
+== streams, possibly leaking sensitive data.
+===========================================================
+
+===========
+Description
+===========
+
+An authenticated user can read an unlimited number of samples of
+discarded heap memory, due to a failure to initialise memory in
+streams_xattr_pwrite() in the vfs_streams_xattr file server module.
+
+This is achieved by issuing write requests that creates holes in the
+file.
+
+Samba erases known secrets before freeing the associated memory, which
+somewhat mitigates the data leak.
+
+==================
+Patch Availability
+==================
+
+Patches addressing this issues have been posted to:
+
+ https://www.samba.org/samba/security/
+
+Additionally, Samba 4.23.2, 4.22.5, and 4.21.9 have been issued as
+security releases to correct the defect. Samba administrators are
+advised to upgrade to these releases or apply the patch as soon as
+possible.
+
+====================
+CVSSv3.1 calculation
+====================
+
+AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (4.3)
+
+==========
+Workaround
+==========
+
+Systems that don't use vfs_streams_xattr are not affected. If you are
+not sure, look for the string "streams_xattr" in your smb.conf. If
+there is a line like this
+
+ vfs objects = streams_xattr [and possibly other terms]
+
+removing 'streams_xattr' from the 'vfs objects' list will
avoid the
+vulnerability but will affect functionality.
+
+=======
+Credits
+=======
+
+Reported and fixed by Andrew Walker of IX Systems and the Samba Team.
+
+This advisory written by Douglas Bagnall of Catalyst IT and the Samba
+Team.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+
+</pre>
+</body>
+</html>
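Review bot: two typos in the advisory text: "Patches addressing this issues" should be "this issue", and "write requests that creates holes" should be "create holes". The CVSS line gives the vector without the `CVSS:3.1:` prefix that the CVE-2025-10230 advisory in this same commit uses; the two advisories should be consistent. The `<p>` before `<pre>` is also never closed before `</body>`.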
--
Samba Website Repository