[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 76f370e libgpo: Fix CID 1422263 Resource leak via 4806f05 libgpo: Fix CID 1422262 Explicit null dereferenced from 33f88ab s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown. https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 76f370edae59d11143edb5983e3277b33d9af422 Author: Volker LendeckeDate: Tue Nov 21 20:41:47 2017 +0100 libgpo: Fix CID 1422263 Resource leak Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Wed Nov 22 02:03:17 CET 2017 on sn-devel-144 commit 4806f0505e3ab6cd1aedd0e79c81e3a87afb9b18 Author: Volker Lendecke Date: Tue Nov 21 20:30:08 2017 +0100 libgpo: Fix CID 1422262 Explicit null dereferenced Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison --- Summary of changes: libgpo/pygpo.c | 8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/libgpo/pygpo.c b/libgpo/pygpo.c index a54ddb9..d7bb173 100644 --- a/libgpo/pygpo.c +++ b/libgpo/pygpo.c @@ -175,12 +175,16 @@ static int py_ads_init(ADS *self, PyObject *args, PyObject *kwds) } if (lp_obj) { + bool ok; lp_ctx = pytalloc_get_type(lp_obj, struct loadparm_context); if (lp_ctx == NULL) { return -1; } + ok = lp_load_initial_only(lp_ctx->szConfigFile); + if (!ok) { + return -1; + } } - if (!lp_load_initial_only(lp_ctx->szConfigFile)) return -1; if (self->cli_creds) { realm = cli_credentials_get_realm(self->cli_creds); @@ -244,6 +248,7 @@ static PyObject* py_ads_connect(ADS *self) if (!strupper_m(self->ads_ptr->auth.realm)) { PyErr_SetString(PyExc_SystemError, "Failed to strdup"); TALLOC_FREE(frame); + SAFE_FREE(passwd); Py_RETURN_FALSE; } @@ -251,6 +256,7 @@ static PyObject* py_ads_connect(ADS *self) if (!ADS_ERR_OK(status)) { PyErr_SetString(PyExc_SystemError, "ads_connect() failed"); TALLOC_FREE(frame); + SAFE_FREE(passwd); Py_RETURN_FALSE; } } -- Samba Shared Repository
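Review bot: In the py_ads_init hunk of libgpo/pygpo.c (@@ -175,12 +175,16), the new `if (!ok) { return -1; }` exit reports failure without setting a Python exception, so the caller gets a generic SystemError instead of the reason. Call PyErr_SetString() before returning, with a message that the configuration file given by lp_ctx->szConfigFile could not be loaded. The `lp_ctx == NULL` return just above it needs the same unless pytalloc_get_type() already raises.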
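Review bot: In the first py_ads_connect hunk of libgpo/pygpo.c (@@ -244,6 +248,7), the error branch sets an exception with PyErr_SetString() and then leaves through Py_RETURN_FALSE, which hands the interpreter a valid result while an error is pending. Return NULL after setting the exception, or drop the exception and keep the False return, but not both. The message "Failed to strdup" also misdescribes a strupper_m() failure on auth.realm and should name that operation.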
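Review bot: In the second py_ads_connect hunk of libgpo/pygpo.c (@@ -251,6 +256,7), the sequence TALLOC_FREE(frame); SAFE_FREE(passwd); is now repeated by hand in each error branch, which is the pattern that let the leak in. Route both branches to a single cleanup label that frees frame and passwd, so a later error path cannot miss one of them.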
autobuild[sn-devel-144]: intermittent test failure detected
The autobuild test system (on sn-devel-144) has detected an intermittent failing test in the current master tree.

The autobuild log of the failure is available here:

  http://git.samba.org/autobuild.flakey.sn-devel-144/2017-11-22-0108/flakey.log

The samba build logs are available here:

  http://git.samba.org/autobuild.flakey.sn-devel-144/2017-11-22-0108/samba.stderr
  http://git.samba.org/autobuild.flakey.sn-devel-144/2017-11-22-0108/samba.stdout

The top commit at the time of the failure was:

commit 33f88abe6b14cf86360efd98ab4b66520244c2a7
Author: Jeremy Allison
Date: Wed Sep 20 11:04:50 2017 -0700

    s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown.

    Ensure we zero out unused grown area.

    CVE-2017-15275

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077

    Signed-off-by: Jeremy Allison
    Autobuild-User(master): Karolin Seeger
    Autobuild-Date(master): Tue Nov 21 19:42:22 CET 2017 on sn-devel-144
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 33f88ab s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown. via deda043 s3: smbd: Fix SMB1 use-after-free crash bug. CVE-2017-14746 from 8212c34 docs: Fix the "aio r/w size" smb.conf entries https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 33f88abe6b14cf86360efd98ab4b66520244c2a7 Author: Jeremy AllisonDate: Wed Sep 20 11:04:50 2017 -0700 s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown. Ensure we zero out unused grown area. CVE-2017-15275 BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077 Signed-off-by: Jeremy Allison Autobuild-User(master): Karolin Seeger Autobuild-Date(master): Tue Nov 21 19:42:22 CET 2017 on sn-devel-144 commit deda04389a7e0baddb88d4d611a6f07926776b28 Author: Jeremy Allison Date: Tue Sep 19 16:11:33 2017 -0700 s3: smbd: Fix SMB1 use-after-free crash bug. CVE-2017-14746 When setting up the chain, always use 'next->' variables not the 'req->' one. Bug discovered by 连一汉 BUG: https://bugzilla.samba.org/show_bug.cgi?id=13041 Signed-off-by: Jeremy Allison --- Summary of changes: source3/smbd/process.c | 7 --- source3/smbd/reply.c | 5 + source3/smbd/srvstr.c | 14 ++ 3 files changed, 23 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/process.c b/source3/smbd/process.c index 11a5ae8..b5f528f 100644 --- a/source3/smbd/process.c +++ b/source3/smbd/process.c @@ -1855,12 +1855,13 @@ void smb_request_done(struct smb_request *req) next->vuid = SVAL(req->outbuf, smb_uid); next->tid = SVAL(req->outbuf, smb_tid); - status = smb1srv_tcon_lookup(req->xconn, req->tid, + status = smb1srv_tcon_lookup(req->xconn, next->tid, now, ); + if (NT_STATUS_IS_OK(status)) { - req->conn = tcon->compat; + next->conn = tcon->compat; } else { - req->conn = NULL; + next->conn = NULL; } next->chain_fsp = req->chain_fsp; next->inbuf = req->inbuf; 
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c index 9c82ebf..623f83b 100644 --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c @@ -923,6 +923,11 @@ void reply_tcon_and_X(struct smb_request *req) } TALLOC_FREE(tcon); + /* +* This tree id is gone. Make sure we can't re-use it +* by accident. +*/ + req->tid = 0; } if ((passlen > MAX_PASS_LEN) || (passlen >= req->buflen)) { diff --git a/source3/smbd/srvstr.c b/source3/smbd/srvstr.c index 56dceba..c2d70b3 100644 --- a/source3/smbd/srvstr.c +++ b/source3/smbd/srvstr.c @@ -110,6 +110,20 @@ ssize_t message_push_string(uint8_t **outbuf, const char *str, int flags) DEBUG(0, ("srvstr_push failed\n")); return -1; } + + /* +* Ensure we clear out the extra data we have +* grown the buffer by, but not written to. +*/ + if (buf_size + result < buf_size) { + return -1; + } + if (grow_size < result) { + return -1; + } + + memset(tmp + buf_size + result, '\0', grow_size - result); + set_message_bcc((char *)tmp, smb_buflen(tmp) + result); *outbuf = tmp; -- Samba Shared Repository
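Review bot: In the smb_request_done hunk of source3/smbd/process.c (@@ -1855,12 +1855,13), the corrected lines carry no comment saying why the lookup and the conn assignment must go through next-> and not req->, although mixing the two is the bug being fixed. Add a short comment above the smb1srv_tcon_lookup() call stating that only next->tid and next->conn may be used when setting up the chained request, so the distinction survives the next edit of this block.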
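Review bot: In the reply_tcon_and_X hunk of source3/smbd/reply.c (@@ -923,6 +923,11), `req->tid = 0;` relies on 0 never being a live tree id, and neither the code nor the new comment says so. State that invariant in the comment or use a named invalid-tid constant, so a reader does not have to check that a lookup of tid 0 always fails.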
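Review bot: In the message_push_string hunk of source3/smbd/srvstr.c (@@ -110,6 +110,20), the two new `return -1;` exits are silent, while the srvstr_push failure directly above logs through DEBUG(0, ...). Add a DEBUG line to each so an overflow or a result larger than grow_size is visible in the logs. Both exits also leave before `*outbuf = tmp;`, so if tmp is the regrown copy of *outbuf the caller keeps the old pointer; confirm that is safe or update *outbuf before returning.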
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 8212c34 docs: Fix the "aio r/w size" smb.conf entries from c1b4a74 ctdb-common: Add async version of shutdown in sock_daemon https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 8212c34ae409f64615a53f9665134a3e7a04312d Author: Volker LendeckeDate: Mon Nov 20 17:18:44 2017 +0100 docs: Fix the "aio r/w size" smb.conf entries Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison Autobuild-User(master): Volker Lendecke Autobuild-Date(master): Tue Nov 21 15:45:20 CET 2017 on sn-devel-144 --- Summary of changes: docs-xml/smbdotconf/tuning/aioreadsize.xml | 15 ++- docs-xml/smbdotconf/tuning/aiowritesize.xml | 18 ++ 2 files changed, 16 insertions(+), 17 deletions(-) Changeset truncated at 500 lines: diff --git a/docs-xml/smbdotconf/tuning/aioreadsize.xml b/docs-xml/smbdotconf/tuning/aioreadsize.xml index 0c9cc52..c6028b8 100644 --- a/docs-xml/smbdotconf/tuning/aioreadsize.xml +++ b/docs-xml/smbdotconf/tuning/aioreadsize.xml @@ -3,20 +3,17 @@ type="bytes" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc;> - If Samba has been built with asynchronous I/O support and this -integer parameter is set to non-zero value, -Samba will read from file asynchronously when size of request is bigger + If this integer parameter is set to a non-zero value, +Samba will read from files asynchronously when the request size is bigger than this value. Note that it happens only for non-chained and non-chaining reads and when not using write cache. - - Current implementation of asynchronous I/O in Samba 3.0 does support -only up to 10 outstanding asynchronous requests, read and write combined. - + The only reasonable values for this parameter are 0 (no async I/O) and +1 (always do async I/O). write cache size aio write size 0 -16384 Use asynchronous I/O for reads bigger than 16KB -request size +1Always do reads asynchronously + 
diff --git a/docs-xml/smbdotconf/tuning/aiowritesize.xml b/docs-xml/smbdotconf/tuning/aiowritesize.xml index c2ad118..8f42284 100644 --- a/docs-xml/smbdotconf/tuning/aiowritesize.xml +++ b/docs-xml/smbdotconf/tuning/aiowritesize.xml @@ -3,20 +3,22 @@ type="bytes" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc;> - If Samba has been built with asynchronous I/O support and this -integer parameter is set to non-zero value, -Samba will write to file asynchronously when size of request is bigger + If this integer parameter is set to a non-zero value, +Samba will write to files asynchronously when the request size is bigger than this value. Note that it happens only for non-chained and non-chaining reads and when not using write cache. - - Current implementation of asynchronous I/O in Samba 3.0 does support -only up to 10 outstanding asynchronous requests, read and write combined. + The only reasonable values for this parameter are 0 (no async I/O) and +1 (always do async I/O). + Compared to this parameter has +a smaller effect, most writes should end up in the +file system cache. Writes that require space allocation might +benefit most from going asynchronous. write cache size aio read size 0 -16384 Use asynchronous I/O for writes bigger than 16KB -request size +1Always do writes asynchronously + -- Samba Shared Repository
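Review bot: In the aioreadsize.xml hunk, the added sentence "The only reasonable values for this parameter are 0 (no async I/O) and 1 (always do async I/O)" gives no reason, while the paragraph above it still describes a size threshold ("when the request size is bigger than this value") and the parameter remains type="bytes". Add one sentence explaining why intermediate thresholds are not useful, so the two statements do not read as contradictory.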
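Review bot: In the aiowritesize.xml hunk, the unchanged context line still reads "non-chained and non-chaining reads" in the description of a write parameter. Since this paragraph is being rewritten anyway, change "reads" to "writes" in the same commit.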
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via 6e8322d NEWS[4.7.3]: Samba 4.7.3, 4.6.11 and 4.5.15 Security Releases Available via ae93136 Add security advisories and update sec page. via be7a5ac Add Samba 4.7.3, 4.6.11 and 4.5.15 to the list. from 2d46ea3 Add Samba 4.6.10 to the list. https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit 6e8322ded20f63979871331ce2c61bd63210b59e Author: Karolin Seeger <ksee...@samba.org> Date: Mon Nov 20 12:22:06 2017 +0100 NEWS[4.7.3]: Samba 4.7.3, 4.6.11 and 4.5.15 Security Releases Available Signed-off-by: Karolin Seeger <ksee...@samba.org> commit ae931363c7bfbe4dc41164d2bedcba7c8e407b93 Author: Karolin Seeger <ksee...@samba.org> Date: Tue Nov 21 08:54:45 2017 +0100 Add security advisories and update sec page. Signed-off-by: Karolin Seeger <ksee...@samba.org> commit be7a5ac1aa81c9ffe450e69c06c6b6424c275adf Author: Karolin Seeger <ksee...@samba.org> Date: Tue Nov 21 08:42:36 2017 +0100 Add Samba 4.7.3, 4.6.11 and 4.5.15 to the list. Signed-off-by: Karolin Seeger <ksee...@samba.org> --- Summary of changes: history/header_history.html| 3 + history/samba-4.5.15.html | 70 ++ history/samba-4.6.11.html | 70 ++ history/samba-4.7.3.html | 70 ++ history/security.html | 19 ++ posted_news/20171121-080701.4.7.3.body.html | 23 +++ posted_news/20171121-080701.4.7.3.headline.html| 3 + .../{CVE-2017-7494.html => CVE-2017-14746.html}| 35 +-- security/CVE-2017-15275.html | 69 + 9 files changed, 345 insertions(+), 17 deletions(-) create mode 100644 history/samba-4.5.15.html create mode 100644 history/samba-4.6.11.html create mode 100644 history/samba-4.7.3.html create mode 100644 posted_news/20171121-080701.4.7.3.body.html create mode 100644 posted_news/20171121-080701.4.7.3.headline.html copy security/{CVE-2017-7494.html => CVE-2017-14746.html} (51%) create mode 100644 security/CVE-2017-15275.html Changeset truncated at 500 lines: diff --git a/history/header_history.html b/history/header_history.html index 10a2a78..fea500a 100755 
--- a/history/header_history.html +++ b/history/header_history.html @@ -9,9 +9,11 @@ Release Notes + samba-4.7.3 samba-4.7.2 samba-4.7.1 samba-4.7.0 + samba-4.6.11 samba-4.6.10 samba-4.6.9 samba-4.6.8 @@ -23,6 +25,7 @@ samba-4.6.2 samba-4.6.1 samba-4.6.0 + samba-4.5.15 samba-4.5.14 samba-4.5.13 samba-4.5.12 diff --git a/history/samba-4.5.15.html b/history/samba-4.5.15.html new file mode 100644 index 000..70db7a8 --- /dev/null +++ b/history/samba-4.5.15.html @@ -0,0 +1,70 @@ +http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd;> +http://www.w3.org/1999/xhtml;> + +Samba 4.5.15 - Release Notes + + +Samba 4.5.15 Available for Download + +https://download.samba.org/pub/samba/stable/samba-4.5.15.tar.gz;>Samba 4.5.15 (gzipped) +https://download.samba.org/pub/samba/stable/samba-4.5.15.tar.asc;>Signature + + +https://download.samba.org/pub/samba/patches/samba-4.5.14-4.5.15.diffs.gz;>Patch (gzipped) against Samba 4.5.14 +https://download.samba.org/pub/samba/patches/samba-4.5.14-4.5.15.diffs.asc;>Signature + + + + == + Release Notes for Samba 4.5.15 + November 21, 2017 + == + + +This is a security release in order to address the following defects: + +o CVE-2017-14746 (Use-after-free vulnerability.) +o CVE-2017-15275 (Server heap memory information leak.) + + +=== +Details +=== + +o CVE-2017-14746: + All versions of Samba from 4.0.0 onwards are vulnerable to a use after + free vulnerability, where a malicious SMB1 request can be used to + control the contents of heap memory via a deallocated heap pointer. It + is possible this may be used to compromise the SMB server. + +o CVE-2017-15275: + All versions of Samba from 3.6.0 onwards are vulnerable to a heap + memory information leak, where server allocated heap memory may be + returned to the client without being cleared. + + There is no known vulnerability associated with this error, bu
[SCM] Samba Shared Repository - branch v4-7-stable updated
The branch, v4-7-stable has been updated via d0b59a5 VERSION: Disable GIT_SNAPSHOT for the 4.7.3 release. via 6dc9b5f WHATSNEW: Add release notes for Samba 4.7.3. via 8c08a4e s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown. via 7e17418 s3: smbd: Fix SMB1 use-after-free crash bug. CVE-2017-14746 via 70d7a5c VERSION: Bump version up to 4.7.3... from c5bb8ef VERSION: Disable GIT_SNAPSHOT for the 4.7.2 release. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-stable - Log - commit d0b59a548fe77dad16c410b43beecba4feb37214 Author: Karolin SeegerDate: Mon Nov 20 12:16:01 2017 +0100 VERSION: Disable GIT_SNAPSHOT for the 4.7.3 release. Signed-off-by: Karolin Seeger commit 6dc9b5f79fc46bcb9436cb31dad13d869eaf5ade Author: Karolin Seeger Date: Mon Nov 20 12:15:26 2017 +0100 WHATSNEW: Add release notes for Samba 4.7.3. Signed-off-by: Karolin Seeger commit 8c08a4ec5f9795903703efaff4f7a89671fc355f Author: Jeremy Allison Date: Wed Sep 20 11:04:50 2017 -0700 s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown. Ensure we zero out unused grown area. CVE-2017-15275 BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077 Signed-off-by: Jeremy Allison commit 7e174187f01e98c4c7eb81576e19b51a6d6f3273 Author: Jeremy Allison Date: Tue Sep 19 16:11:33 2017 -0700 s3: smbd: Fix SMB1 use-after-free crash bug. CVE-2017-14746 When setting up the chain, always use 'next->' variables not the 'req->' one. Bug discovered by 连一汉 CVE-2017-14746 BUG: https://bugzilla.samba.org/show_bug.cgi?id=13041 Signed-off-by: Jeremy Allison --- Summary of changes: VERSION| 2 +- WHATSNEW.txt | 75 -- source3/smbd/process.c | 7 +++-- source3/smbd/reply.c | 5 source3/smbd/srvstr.c | 14 ++ 5 files changed, 97 insertions(+), 6 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 2f5c246..7a17821 100644 --- a/VERSION +++ b/VERSION 
@@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=7 -SAMBA_VERSION_RELEASE=2 +SAMBA_VERSION_RELEASE=3 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 8074a83..4e403ae 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,4 +1,75 @@ = + Release Notes for Samba 4.7.3 + November 21, 2017 + = + + +This is a security release in order to address the following defects: + +o CVE-2017-14746 (Use-after-free vulnerability.) +o CVE-2017-15275 (Server heap memory information leak.) + + +=== +Details +=== + +o CVE-2017-14746: + All versions of Samba from 4.0.0 onwards are vulnerable to a use after + free vulnerability, where a malicious SMB1 request can be used to + control the contents of heap memory via a deallocated heap pointer. It + is possible this may be used to compromise the SMB server. + +o CVE-2017-15275: + All versions of Samba from 3.6.0 onwards are vulnerable to a heap + memory information leak, where server allocated heap memory may be + returned to the client without being cleared. + + There is no known vulnerability associated with this error, but + uncleared heap memory may contain previously used data that may help + an attacker compromise the server via other methods. Uncleared heap + memory may potentially contain password hashes or other high-value + data. + +For more details and workarounds, please see the security advisories: + + o https://www.samba.org/samba/security/CVE-2017-14746.html + o https://www.samba.org/samba/security/CVE-2017-15275.html + + +Changes since 4.7.2: + + +o Jeremy Allison + * BUG 13041: CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug. + * BUG 13077: CVE-2017-15275: s3: smbd: Chain code can return uninitialized + memory when talloc buffer is grown. + + +### +Reporting bugs & Development Discussion +### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to
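Review bot: In the WHATSNEW.txt hunk for 4.7.3, the CVE-2017-15275 entry says "There is no known vulnerability associated with this error" directly under a CVE identifier and a description of a heap memory information leak, which reads as a contradiction. If the intent is that no exploit is known, say "There is no known exploit associated with this error".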
[SCM] Samba Shared Repository - branch v4-6-stable updated
The branch, v4-6-stable has been updated via 4878a25 VERSION: Disable GIT_SNAPSHOT for the 4.6.11 release via a3a3053 WHATSNEW: Add release notes for Samba 4.6.11. via 3a6b1ba s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown. via 3ef34e9 s3: smbd: Fix SMB1 use-after-free crash bug. CVE-2017-14746 via 8d7602d VERSION: Re-enable GIT_SNAPSHOT. via 1cd9157 VERSION: Bump version up to 4.6.11... from a56f9ed VERSION: Disable GIT_SNAPSHOT for the 4.6.10 release. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-stable - Log - commit 4878a25aea72c0bbd43344ab68d72f88406aacb4 Author: Karolin SeegerDate: Mon Nov 20 11:13:55 2017 +0100 VERSION: Disable GIT_SNAPSHOT for the 4.6.11 release Signed-off-by: Karolin Seeger commit a3a30536fb31c2f48be448cd5b59f7a740855b5d Author: Karolin Seeger Date: Mon Nov 20 11:10:36 2017 +0100 WHATSNEW: Add release notes for Samba 4.6.11. Signed-off-by: Karolin Seeger commit 3a6b1baeb84ada35745109a11dacab328a1d6a5b Author: Jeremy Allison Date: Wed Sep 20 11:04:50 2017 -0700 s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown. Ensure we zero out unused grown area. CVE-2017-15275 BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077 Signed-off-by: Jeremy Allison commit 3ef34e983d79746d47c5a894d5325e1a8618dc7a Author: Jeremy Allison Date: Tue Sep 19 16:11:33 2017 -0700 s3: smbd: Fix SMB1 use-after-free crash bug. CVE-2017-14746 When setting up the chain, always use 'next->' variables not the 'req->' one. Bug discovered by 连一汉 CVE-2017-14746 BUG: https://bugzilla.samba.org/show_bug.cgi?id=13041 Signed-off-by: Jeremy Allison commit 8d7602dd0defb30dce6b0c4ac5adc67ba936b84b Author: Karolin Seeger Date: Mon Nov 20 11:09:57 2017 +0100 VERSION: Re-enable GIT_SNAPSHOT. Signed-off-by: Karolin Seeger commit 1cd91577aed6c9952cd2d88905ba1173e679df05 Author: Karolin Seeger Date: Tue Nov 14 13:01:58 2017 +0100 VERSION: Bump version up to 4.6.11... and re-enable GIT_SNAPSHOT. 
Signed-off-by: Karolin Seeger (cherry picked from commit b196d0efcfaad6ea42ed0873b430ff3d416dd731) --- Summary of changes: VERSION| 2 +- WHATSNEW.txt | 75 -- source3/smbd/process.c | 7 +++-- source3/smbd/reply.c | 5 source3/smbd/srvstr.c | 14 ++ 5 files changed, 97 insertions(+), 6 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 4ccbdb5..c0e85a2 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=6 -SAMBA_VERSION_RELEASE=10 +SAMBA_VERSION_RELEASE=11 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 375d340..8199d91 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,4 +1,75 @@ == + Release Notes for Samba 4.6.11 + November 21, 2017 + = + + +This is a security release in order to address the following defects: + +o CVE-2017-14746 (Use-after-free vulnerability.) +o CVE-2017-15275 (Server heap memory information leak.) + + +=== +Details +=== + +o CVE-2017-14746: + All versions of Samba from 4.0.0 onwards are vulnerable to a use after + free vulnerability, where a malicious SMB1 request can be used to + control the contents of heap memory via a deallocated heap pointer. It + is possible this may be used to compromise the SMB server. + +o CVE-2017-15275: + All versions of Samba from 3.6.0 onwards are vulnerable to a heap + memory information leak, where server allocated heap memory may be + returned to the client without being cleared. + + There is no known vulnerability associated with this error, but + uncleared heap memory may contain previously used data that may help + an attacker compromise the server via other methods. Uncleared heap + memory may potentially contain password hashes or other high-value + data. + +For more details and workarounds, please see the security advisories: + + o https://www.samba.org/samba/security/CVE-2017-14746.html + o https://www.samba.org/samba/security/CVE-2017-15275.html + + +Changes since 4.6.10:
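Review bot: In the WHATSNEW.txt hunk for 4.6.11, the line "For more details and workarounds, please see the security advisories" is the only mention of workarounds, so someone reading the release notes from the tarball gets none without following the links. Add a one-line summary of the workaround under each CVE entry in the Details section.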
[SCM] Samba Shared Repository - branch v4-5-stable updated
The branch, v4-5-stable has been updated via f333815 VERSION: Disable GIT_SNAPSHOT for the 4.5.15 release. via d7526d6 WHATSNEW: Add release notes for Samba 4.5.15. via c1a22e5 s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown. via 007f5b5 s3: smbd: Fix SMB1 use-after-free crash bug. CVE-2017-14746 via bd200ea python: use communicate to fix Popen deadlock via c28d922 blackbox tests: method to check specific exit codes via 21811ac VERSION: Bump version up to 4.5.15... from f261c9a VERSION: Disable GIT_SNAPSHOTS for the 4.5.14 release. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-5-stable - Log - commit f333815481d8f5354f605751b627379ed3b8ae6e Author: Karolin SeegerDate: Fri Nov 17 11:29:01 2017 +0100 VERSION: Disable GIT_SNAPSHOT for the 4.5.15 release. Signed-off-by: Karolin Seeger commit d7526d66f5412c3421a95e716183eea7c7f50d14 Author: Karolin Seeger Date: Fri Nov 17 11:28:17 2017 +0100 WHATSNEW: Add release notes for Samba 4.5.15. Signed-off-by: Karolin Seeger commit c1a22e59f87783d88dfbaeeb132b89be166b2754 Author: Jeremy Allison Date: Wed Sep 20 11:04:50 2017 -0700 s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown. Ensure we zero out unused grown area. CVE-2017-15275 BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077 Signed-off-by: Jeremy Allison commit 007f5b54d76bf69f441cc277b7f41f478e258aab Author: Jeremy Allison Date: Tue Sep 19 16:11:33 2017 -0700 s3: smbd: Fix SMB1 use-after-free crash bug. CVE-2017-14746 When setting up the chain, always use 'next->' variables not the 'req->' one. Bug discovered by 连一汉 CVE-2017-14746 BUG: https://bugzilla.samba.org/show_bug.cgi?id=13041 
Signed-off-by: Jeremy Allison commit bd200ea5d2fb7e3948fae8fbeb114de557a14313 Author: Joe Guo Date: Fri Sep 15 16:13:26 2017 +1200 python: use communicate to fix Popen deadlock `Popen.wait()` will deadlock when using stdout=PIPE and/or stderr=PIPE and the child process generates large output to a pipe such that it blocks waiting for the OS pipe buffer to accept more data. Use communicate() to avoid that. Signed-off-by: Joe Guo Reviewed-by: Douglas Bagnall Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Oct 19 09:27:16 CEST 2017 on sn-devel-144 (cherry picked from commit 5dc773a5b00834c7a53130a73a48f49048bd55e8) Autobuild-User(v4-5-test): Stefan Metzmacher Autobuild-Date(v4-5-test): Tue Nov 14 14:35:22 CET 2017 on sn-devel-144 commit c28d92278842b5b29f954996c6e45d61cd5c35a8 Author: Gary Lockyer Date: Wed Aug 16 13:52:25 2017 +1200 blackbox tests: method to check specific exit codes Signed-off-by: Gary Lockyer Reviewed-by: Douglas Bagnall Reviewed-by: Garming Sam (cherry picked from commit 74ebcf6dfc84b6aab6838fa99e12808eb6b913d9) commit 21811ac6882ccb8def448f80a03b699cae81a251 Author: Karolin Seeger Date: Wed Sep 20 13:03:53 2017 +0200 VERSION: Bump version up to 4.5.15... and re-enable GIT_SNAPSHOTS. Signed-off-by: Karolin Seeger --- Summary of changes: VERSION| 2 +- WHATSNEW.txt | 75 -- python/samba/tests/__init__.py | 25 ++ source3/smbd/process.c | 7 ++-- source3/smbd/reply.c | 5 +++ source3/smbd/srvstr.c | 14 6 files changed, 115 insertions(+), 13 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 7d102b0..d874810 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=5 -SAMBA_VERSION_RELEASE=14 +SAMBA_VERSION_RELEASE=15 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index ea845c3..b245e30 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,4 +1,75 @@ == + Release Notes for Samba 4.5.15 + November 21, 2017 +
[SCM] Samba Shared Repository - annotated tag samba-4.7.3 created
The annotated tag, samba-4.7.3 has been created
  at dd18d593546e2e5651558da657928e50f76d1e61 (tag)
  tagging d0b59a548fe77dad16c410b43beecba4feb37214 (commit)
  replaces samba-4.7.2
  tagged by Karolin Seeger
  on Mon Nov 20 12:21:46 2017 +0100

- Log -
samba: tag release samba-4.7.3
-----BEGIN PGP SIGNATURE-----

iEYEABECAAYFAloSusoACgkQbzORW2Vot+qBBACgiqGoaIV7Oar9el8lfK1JSSMJ
ZU4An08CQbXY4lcYMZXPXVGLVgjzSXOq
=/6r8
-----END PGP SIGNATURE-----

Jeremy Allison (2):
  s3: smbd: Fix SMB1 use-after-free crash bug. CVE-2017-14746
  s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown.

Karolin Seeger (3):
  VERSION: Bump version up to 4.7.3...
  WHATSNEW: Add release notes for Samba 4.7.3.
  VERSION: Disable GIT_SNAPSHOT for the 4.7.3 release.

---

--
Samba Shared Repository
[SCM] Samba Shared Repository - annotated tag samba-4.6.11 created
The annotated tag, samba-4.6.11 has been created
  at 9edc89a482ec1915d76f7ae5de6732ad9c74b6bd (tag)
  tagging 4878a25aea72c0bbd43344ab68d72f88406aacb4 (commit)
  replaces samba-4.6.10
  tagged by Karolin Seeger
  on Mon Nov 20 12:05:59 2017 +0100

- Log -
samba: tag release samba-4.6.11
-----BEGIN PGP SIGNATURE-----

iEYEABECAAYFAloStxcACgkQbzORW2Vot+ri8ACfZXlfqg5bb5j1vEAwruWeTCpG
uQIAn3qZnhg4a8gYqBi5YaT8+mivJJvT
=t3Xd
-----END PGP SIGNATURE-----

Jeremy Allison (2):
  s3: smbd: Fix SMB1 use-after-free crash bug. CVE-2017-14746
  s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown.

Karolin Seeger (4):
  VERSION: Bump version up to 4.6.11...
  VERSION: Re-enable GIT_SNAPSHOT.
  WHATSNEW: Add release notes for Samba 4.6.11.
  VERSION: Disable GIT_SNAPSHOT for the 4.6.11 release

---

--
Samba Shared Repository
[SCM] Samba Shared Repository - annotated tag samba-4.5.15 created
The annotated tag, samba-4.5.15 has been created
  at 1f2f62060c81bd2e8283f1f8a46d974315e96c99 (tag)
  tagging f333815481d8f5354f605751b627379ed3b8ae6e (commit)
  replaces samba-4.5.14
  tagged by Karolin Seeger
  on Fri Nov 17 12:14:03 2017 +0100

- Log -
samba: tag release samba-4.5.15
-----BEGIN PGP SIGNATURE-----

iEYEABECAAYFAloOxHsACgkQbzORW2Vot+qKnACgp6xmL5YU6X98gqxS7qGXJ6wD
FQEAoIwuPbGmNtBGTnMYAezfSwo8ltR9
=7k7G
-----END PGP SIGNATURE-----

Gary Lockyer (1):
  blackbox tests: method to check specific exit codes

Jeremy Allison (2):
  s3: smbd: Fix SMB1 use-after-free crash bug. CVE-2017-14746
  s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown.

Joe Guo (1):
  python: use communicate to fix Popen deadlock

Karolin Seeger (3):
  VERSION: Bump version up to 4.5.15...
  WHATSNEW: Add release notes for Samba 4.5.15.
  VERSION: Disable GIT_SNAPSHOT for the 4.5.15 release.

---

--
Samba Shared Repository