[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via e8f31e5c234 pam_winbind/ro.po: fix error from previous patch merge from 9214fcec349 tests: avoid returning an already used ID in randomXid() https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit e8f31e5c23434ca04c921693376624a44dc36849 Author: Björn Jacke Date: Thu Oct 29 17:47:37 2020 +0100 pam_winbind/ro.po: fix error from previous patch merge fixes up d619a57804d200e351b509d67a8c76042cb9daa8 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14491 Signed-off-by: Bjoern Jacke Reviewed-by: Björn Baumbach Autobuild-User(master): Björn Jacke Autobuild-Date(master): Thu Oct 29 20:49:16 UTC 2020 on sn-devel-184 --- Summary of changes: source3/locale/pam_winbind/ru.po | 3 --- 1 file changed, 3 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/locale/pam_winbind/ru.po b/source3/locale/pam_winbind/ru.po index 24c482be46b..1c2ff904be8 100644 --- a/source3/locale/pam_winbind/ru.po +++ b/source3/locale/pam_winbind/ru.po @@ -557,6 +557,3 @@ msgstr "" #: ../../libsmb/nterr.c:649 msgid "No more files" msgstr "" -=== -msgstr "Извините, пароли не совпадают" ->>> s3: update Russian translation of pam_winbind -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 9214fcec349 tests: avoid returning an already used ID in randomXid() from ebd687335b9 python:tests: Add SAMR password change tests for fips https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 9214fcec349bbda1c9ceb25f835b7aef5024f61a Author: Jule Anger Date: Tue Oct 20 09:42:38 2020 +0200 tests: avoid returning an already used ID in randomXid() The error 'uidNumber xxx is already being used.' in the samba tool tests occurs when the random.randint functions returns the same value twice and therefore a user or group with an already used gid or uid should be created. Avoid this error by adding a list that stores the used IDs, so that the randomXid function can check wheter a value is already used before returning it. Signed-off-by: Jule Anger Reviewed-by: Björn Baumbach Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Thu Oct 29 18:54:24 UTC 2020 on sn-devel-184 --- Summary of changes: python/samba/tests/samba_tool/base.py | 20 +--- 1 file changed, 17 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/python/samba/tests/samba_tool/base.py b/python/samba/tests/samba_tool/base.py index 536fbfc1617..00e742e7c5b 100644 --- a/python/samba/tests/samba_tool/base.py +++ b/python/samba/tests/samba_tool/base.py @@ -125,10 +125,24 @@ class SambaToolCmdTest(samba.tests.BlackboxTestCase): return name def randomXid(self): -# pick some hopefully unused, high UID/GID range to avoid interference +# pick some unused, high UID/GID range to avoid interference # from the system the test runs on -xid = random.randint(4711000, 4799000) -return xid + +# initialize a list to store used IDs +try: +self.used_xids +except AttributeError: +self.used_xids = [] + +# try to get an unused ID +failed = 0 +while failed < 50: +xid = random.randint(4711000, 4799000) +if xid not in self.used_xids: +self.used_xids += [xid] +return xid +failed += 1 +assert False, "No Xid are available" def assertWithin(self, val1, val2, delta, msg=""): """Assert that val1 is within delta of val2, useful for time computations""" -- Samba Shared Repository
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via ebd687335b9 python:tests: Add SAMR password change tests for fips via 9a3ba502d81 python:tests: Add SAMR password change tests for fips via 7d54e4b49c2 s4:param: Add 'weak crypto' getter to pyparam via 32d4c75d6cb lib:crypto: Add py binding for set_relax/strict fips mode via a9c532c6d3e s4:rpc_server: Allow to use RC4 for setting passwords via c6a21e18979 s3:rpc_server: Allow to use RC4 for setting passwords via 5f1a73be631 s3:smbd: Use defines to set 'srv_smb_encrypt' via 8bbe5c8c94a librpc: Add dcerpc helper dcerpc_is_transport_encrypted() via 905c2b9722a s3:smbd: Add SMB3 connection information to session info via 56879ec5876 idl: Add SID_SAMBA_SMB3 from 3076566d656 s3: smbd: Ensure change notifies can't get set unless the directory handle is open for SEC_DIR_LIST. https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit ebd687335b9accfdbae7dbc65c9882ab4d5c0986 Author: Andreas Schneider Date: Wed Oct 21 10:09:22 2020 +0200 python:tests: Add SAMR password change tests for fips Signed-off-by: Andreas Schneider Reviewed-by: Alexander Bokovoy Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Thu Oct 29 15:41:37 UTC 2020 on sn-devel-184 commit 9a3ba502d8193b25799ef92917efafd52de2e8c2 Author: Andreas Schneider Date: Wed Oct 21 10:09:22 2020 +0200 python:tests: Add SAMR password change tests for fips Signed-off-by: Andreas Schneider Reviewed-by: Alexander Bokovoy commit 7d54e4b49c235dc571f47d15e6b0a6fa63340773 Author: Andreas Schneider Date: Wed Oct 28 17:05:36 2020 +0100 s4:param: Add 'weak crypto' getter to pyparam Signed-off-by: Andreas Schneider Reviewed-by: Alexander Bokovoy commit 32d4c75d6cbf9153068a0487347097707afb356a Author: Isaac Boukris Date: Thu Aug 20 12:45:49 2020 +0200 lib:crypto: Add py binding for set_relax/strict fips mode Signed-off-by: Isaac Boukris Reviewed-by: Andreas Schneider Reviewed-by: Alexander Bokovoy commit a9c532c6d3e85fbe49b7040254cfc66ab54074bc Author: Andreas Schneider Date: Fri Nov 15 13:49:40 2019 +0100 s4:rpc_server: Allow to use RC4 for setting passwords Signed-off-by: Andreas Schneider Reviewed-by: Alexander Bokovoy commit c6a21e1897985f267bcfc681179cea95165c3c57 Author: Andreas Schneider Date: Tue Nov 12 16:56:45 2019 +0100 s3:rpc_server: Allow to use RC4 for setting passwords Signed-off-by: Andreas Schneider Reviewed-by: Alexander Bokovoy commit 5f1a73be6311c68a21a550c0de5078baeb78f4ee Author: Andreas Schneider Date: Fri Aug 28 16:31:17 2020 +0200 s3:smbd: Use defines to set 'srv_smb_encrypt' Signed-off-by: Andreas Schneider Reviewed-by: Alexander Bokovoy commit 8bbe5c8c94aaf75d715f558c363e5b2de49f7bf9 Author: Andreas Schneider Date: Thu Mar 12 14:11:56 2020 +0100 librpc: Add dcerpc helper dcerpc_is_transport_encrypted() Signed-off-by: Andreas Schneider Reviewed-by: Alexander Bokovoy commit 905c2b9722a64ee57f3fbcff51e6bb591c6e3edc Author: Andreas Schneider Date: Fri Feb 7 16:48:29 2020 +0100 s3:smbd: Add SMB3 connection information to session info Signed-off-by: Andreas Schneider Reviewed-by: Alexander Bokovoy commit 56879ec5876625346df89110f62d52e3fd5b8934 Author: Andreas Schneider Date: Fri Feb 7 16:48:16 2020 +0100 idl: Add SID_SAMBA_SMB3 Signed-off-by: Andreas Schneider Reviewed-by: Alexander Bokovoy --- Summary of changes: lib/crypto/py_crypto.c | 16 ++ librpc/idl/security.idl| 3 + librpc/rpc/dcerpc_helper.c | 137 +++ .../mscat_private.h => librpc/rpc/dcerpc_helper.h | 15 +- librpc/wscript_build | 9 + python/samba/tests/dcerpc/samr_change_password.py | 188 + selftest/target/Samba4.pm | 2 +- selftest/tests.py | 2 + source3/include/vfs.h | 1 + source3/rpc_server/samr/srv_samr_chgpasswd.c | 3 + source3/rpc_server/samr/srv_samr_nt.c | 78 - source3/rpc_server/wscript_build | 2 +- source3/smbd/pipes.c | 83 - source3/smbd/smb2_server.c | 5 + source4/param/pyparam.c| 22 +++ source4/rpc_server/samr/samr_password.c| 30 source4/rpc_server/wscript_build | 2 +- 17 files changed, 585 insertions(+), 13 deletions(-) create mode 100644 librpc/rpc/dcerpc_helper.c copy lib/mscat/mscat_private.h =>
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
via 3076566d656 s3: smbd: Ensure change notifies can't get set unless
the directory handle is open for SEC_DIR_LIST.
via 6e143d9c7a6 s4: torture: Add smb2.notify.handle-permissions test.
via 40f23c24598 CVE-2020-14323 torture4: Add a simple test for invalid
lookup_sids winbind call
via a380f19d570 CVE-2020-14323 winbind: Fix invalid lookupsids DoS
from cc4901123da s3:rpcclient fix NULL - deref caused by misuse of
chgpasswd3
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -
commit 3076566d6565113edce9c330b196c93f8cc5aa11
Author: Jeremy Allison
Date: Tue Jul 7 18:25:23 2020 -0700
s3: smbd: Ensure change notifies can't get set unless the directory handle
is open for SEC_DIR_LIST.
Remove knownfail entry.
CVE-2020-14318
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14434
Signed-off-by: Jeremy Allison
Autobuild-User(master): Karolin Seeger
Autobuild-Date(master): Thu Oct 29 11:47:35 UTC 2020 on sn-devel-184
commit 6e143d9c7a6a68fa8c99708ec01fbfd389327426
Author: Jeremy Allison
Date: Fri Jul 10 15:09:33 2020 -0700
s4: torture: Add smb2.notify.handle-permissions test.
Add knownfail entry.
CVE-2020-14318
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14434
Signed-off-by: Jeremy Allison
commit 40f23c24598aee5456e41c813a37ccdc759ed000
Author: Volker Lendecke
Date: Thu Jul 9 21:48:57 2020 +0200
CVE-2020-14323 torture4: Add a simple test for invalid lookup_sids winbind
call
We can't add this test before the fix, add it to knownfail and have the fix
remove the knownfail entry again. As this crashes winbind, many tests after
this one will fail.
Reported by Bas Alberts of the GitHub Security Lab Team as GHSL-2020-134
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14436
Signed-off-by: Volker Lendecke
commit a380f19d570003c0134e5a9618fbeee524ca332a
Author: Volker Lendecke
Date: Thu Jul 9 21:49:25 2020 +0200
CVE-2020-14323 winbind: Fix invalid lookupsids DoS
A lookupsids request without extra_data will lead to "state->domain==NULL",
which makes winbindd_lookupsids_recv trying to dereference it.
Reported by Bas Alberts of the GitHub Security Lab Team as GHSL-2020-134
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14436
Signed-off-by: Volker Lendecke
---
Summary of changes:
source3/smbd/notify.c | 8
source3/winbindd/winbindd_lookupsids.c | 2 +-
source4/torture/smb2/notify.c | 80 ++
source4/torture/winbind/struct_based.c | 27
4 files changed, 116 insertions(+), 1 deletion(-)
Changeset truncated at 500 lines:
diff --git a/source3/smbd/notify.c b/source3/smbd/notify.c
index eb6317b7e8a..5f18b5cf794 100644
--- a/source3/smbd/notify.c
+++ b/source3/smbd/notify.c
@@ -289,6 +289,14 @@ NTSTATUS change_notify_create(struct files_struct *fsp,
char fullpath[len+1];
NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;
+ /*
+* Setting a changenotify needs READ/LIST access
+* on the directory handle.
+*/
+ if (!(fsp->access_mask & SEC_DIR_LIST)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
if (fsp->notify != NULL) {
DEBUG(1, ("change_notify_create: fsp->notify != NULL, "
"fname = %s\n", fsp->fsp_name->base_name));
diff --git a/source3/winbindd/winbindd_lookupsids.c
b/source3/winbindd/winbindd_lookupsids.c
index d28b5fa9f01..a289fd86f0f 100644
--- a/source3/winbindd/winbindd_lookupsids.c
+++ b/source3/winbindd/winbindd_lookupsids.c
@@ -47,7 +47,7 @@ struct tevent_req *winbindd_lookupsids_send(TALLOC_CTX
*mem_ctx,
DEBUG(3, ("lookupsids\n"));
if (request->extra_len == 0) {
- tevent_req_done(req);
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
return tevent_req_post(req, ev);
}
if (request->extra_data.data[request->extra_len-1] != '\0') {
diff --git a/source4/torture/smb2/notify.c b/source4/torture/smb2/notify.c
index b65c116b75e..6081d394c6e 100644
--- a/source4/torture/smb2/notify.c
+++ b/source4/torture/smb2/notify.c
@@ -2649,6 +2649,83 @@ done:
return ok;
}
+/*
+ Test asking for a change notify on a handle without permissions.
+*/
+
+#define BASEDIR_HPERM BASEDIR "_HPERM"
+
+static bool torture_smb2_notify_handle_permissions(
+ struct torture_context *torture,
+ struct smb2_tree *tree)
+{
+ bool ret = true;
+ NTSTATUS status;
+ union smb_notify notify;
+ union smb_open io;
+ struct smb2_handle h1 = {{0}};
+ struct smb2_request *req;
+
+
[SCM] Samba Shared Repository - branch v4-11-test updated
The branch, v4-11-test has been updated via 34af9efc6ba VERSION: Bump version up to 4.11.16. via 31e26fe4b2e Merge tag 'samba-4.11.15' into v4-11-test via 1819097773a VERSION: Disable GIT_SNAPSHOT for the 4.11.15 release. via 32ce2b3bc1e WHATSNEW: Add release notes for Samba 4.11.15. via 8e09649351e CVE-2020-14383: s4/dns: do not crash when additional data not found via 2632e8ebae8 CVE-2020-14383: s4/dns: Ensure variable initialization with NULL. via 6093b2d815a CVE-2020-14323 torture4: Add a simple test for invalid lookup_sids winbind call via e6fe5b4d64a CVE-2020-14323 winbind: Fix invalid lookupsids DoS via c300a858483 s3: smbd: Ensure change notifies can't get set unless the directory handle is open for SEC_DIR_LIST. via a5da8919303 s4: torture: Add smb2.notify.handle-permissions test. via d94265fd1df VERSION: Bump version up to 4.11.15... from 76c7e432b14 VERSION: Bump version up to 4.11.15... https://git.samba.org/?p=samba.git;a=shortlog;h=v4-11-test - Log - commit 34af9efc6ba1dd41ce5a1f4eedcb12208f471f4d Author: Karolin Seeger Date: Thu Oct 29 10:45:07 2020 +0100 VERSION: Bump version up to 4.11.16. Signed-off-by: Karolin Seeger commit 31e26fe4b2ebb8478066a40a26809b58b7084671 Merge: 76c7e432b14 1819097773a Author: Karolin Seeger Date: Thu Oct 29 10:44:33 2020 +0100 Merge tag 'samba-4.11.15' into v4-11-test samba: tag release samba-4.11.15 --- Summary of changes: VERSION | 2 +- WHATSNEW.txt| 97 - source3/smbd/notify.c | 8 ++ source3/winbindd/winbindd_lookupsids.c | 2 +- source4/rpc_server/dnsserver/dcerpc_dnsserver.c | 31 source4/torture/smb2/notify.c | 80 source4/torture/winbind/struct_based.c | 27 +++ 7 files changed, 229 insertions(+), 18 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 6cbbafd64f6..9c72b686524 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=11 -SAMBA_VERSION_RELEASE=15 +SAMBA_VERSION_RELEASE=16 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index a46f56c3bd9..8869edcdc87 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,3 +1,97 @@ + === + Release Notes for Samba 4.11.15 + October 29, 2020 + === + + +This is a security release in order to address the following defects: + +o CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify. +o CVE-2020-14323: Unprivileged user can crash winbind. +o CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily + crafted records. + + +=== +Details +=== + +o CVE-2020-14318: + The SMB1/2/3 protocols have a concept of "ChangeNotify", where a client can + request file name notification on a directory handle when a condition such as + "new file creation" or "file size change" or "file timestamp update" occurs. + + A missing permissions check on a directory handle requesting ChangeNotify + meant that a client with a directory handle open only for + FILE_READ_ATTRIBUTES (minimal access rights) could be used to obtain change + notify replies from the server. These replies contain information that should + not be available to directory handles open for FILE_READ_ATTRIBUTE only. + +o CVE-2020-14323: + winbind in version 3.6 and later implements a request to translate multiple + Windows SIDs into names in one request. This was done for performance + reasons: The Microsoft RPC call domain controllers offer to do this + translation, so it was an obvious extension to also offer this batch + operation on the winbind unix domain stream socket that is available to local + processes on the Samba server. + + Due to improper input validation a hand-crafted packet can make winbind + perform a NULL pointer dereference and thus crash. + +o CVE-2020-14383: + Some DNS records (such as MX and NS records) usually contain data in the + additional section. Samba's dnsserver RPC pipe (which is an administrative + interface not used in the DNS server itself) made an error in handling the + case where there are no records present: instead of noticing the lack of + records, it dereferenced uninitialised memory, causing the RPC server to + crash. This RPC server, which also serves protocols other than dnsserver, +
[SCM] Samba Shared Repository - branch v4-12-test updated
The branch, v4-12-test has been updated via 2b4c9b9baca VERSION: Bump version up to 4.12.10. via fe8d38f49e6 Merge tag 'samba-4.12.9' into v4-12-test via 43c7685056d VERSION: Disable GIT_SNAPSHOT for Samba 4.12.9. via ba904c6999f WHATSNEW: Add release notes for Samba 4.12.9. via 425c31a599b CVE-2020-14383: s4/dns: do not crash when additional data not found via 2d7d1dff7d2 CVE-2020-14383: s4/dns: Ensure variable initialization with NULL. via d0ca2a63aae CVE-2020-14323 torture4: Add a simple test for invalid lookup_sids winbind call via f17967ad73e CVE-2020-14323 winbind: Fix invalid lookupsids DoS via f43ecce46a8 s3: smbd: Ensure change notifies can't get set unless the directory handle is open for SEC_DIR_LIST. via f100bd2f2e4 s4: torture: Add smb2.notify.handle-permissions test. via 2641a2e7d54 VERSION: Bump version up to 4.12.9... from ae4d3932cfb docs: fix default value of spoolss:architecture https://git.samba.org/?p=samba.git;a=shortlog;h=v4-12-test - Log - commit 2b4c9b9bacafa243b04eb0b798810239f690eb2f Author: Karolin Seeger Date: Thu Oct 29 10:42:44 2020 +0100 VERSION: Bump version up to 4.12.10. Signed-off-by: Karolin Seeger commit fe8d38f49e60433c5520d8b30c25fa9568a7fcfc Merge: ae4d3932cfb 43c7685056d Author: Karolin Seeger Date: Thu Oct 29 10:42:15 2020 +0100 Merge tag 'samba-4.12.9' into v4-12-test samba: tag release samba-4.12.9 --- Summary of changes: VERSION | 2 +- WHATSNEW.txt| 97 - source3/smbd/notify.c | 8 ++ source3/winbindd/winbindd_lookupsids.c | 2 +- source4/rpc_server/dnsserver/dcerpc_dnsserver.c | 31 source4/torture/smb2/notify.c | 80 source4/torture/winbind/struct_based.c | 27 +++ 7 files changed, 229 insertions(+), 18 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 188287b859c..49b2ac7887c 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=12 -SAMBA_VERSION_RELEASE=9 +SAMBA_VERSION_RELEASE=10 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 8764f257ba9..674d250c71a 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,3 +1,96 @@ + == + Release Notes for Samba 4.12.9 + October 29, 2020 + == + + +This is a security release in order to address the following defects: + +o CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify. +o CVE-2020-14323: Unprivileged user can crash winbind. +o CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily + crafted records. + + +=== +Details +=== + +o CVE-2020-14318: + The SMB1/2/3 protocols have a concept of "ChangeNotify", where a client can + request file name notification on a directory handle when a condition such as + "new file creation" or "file size change" or "file timestamp update" occurs. + + A missing permissions check on a directory handle requesting ChangeNotify + meant that a client with a directory handle open only for + FILE_READ_ATTRIBUTES (minimal access rights) could be used to obtain change + notify replies from the server. These replies contain information that should + not be available to directory handles open for FILE_READ_ATTRIBUTE only. + +o CVE-2020-14323: + winbind in version 3.6 and later implements a request to translate multiple + Windows SIDs into names in one request. This was done for performance + reasons: The Microsoft RPC call domain controllers offer to do this + translation, so it was an obvious extension to also offer this batch + operation on the winbind unix domain stream socket that is available to local + processes on the Samba server. + + Due to improper input validation a hand-crafted packet can make winbind + perform a NULL pointer dereference and thus crash. + +o CVE-2020-14383: + Some DNS records (such as MX and NS records) usually contain data in the + additional section. Samba's dnsserver RPC pipe (which is an administrative + interface not used in the DNS server itself) made an error in handling the + case where there are no records present: instead of noticing the lack of + records, it dereferenced uninitialised memory, causing the RPC server to + crash. This RPC server, which also serves protocols other than dnsserver, + will be
[SCM] Samba Shared Repository - branch v4-13-test updated
The branch, v4-13-test has been updated via 05aa0b4b3d5 VERSION: Bump version up to 4.13.2. via c2fef893ca7 Merge tag 'samba-4.13.1' into v4-13-test via 9e9941a843f VERSION: Disable GIT_SNAPSHOT for the 4.13.1 release. via 5a70cd80017 WHATSNEW: Add release notes for Samba 4.13.1. via 862d6fb6f32 CVE-2020-14383: s4/dns: do not crash when additional data not found via 4cbf95e731b CVE-2020-14383: s4/dns: Ensure variable initialization with NULL. via 0b259a48a70 CVE-2020-14323 torture4: Add a simple test for invalid lookup_sids winbind call via 595dd9fc416 CVE-2020-14323 winbind: Fix invalid lookupsids DoS via 5dd4c789c13 s3: smbd: Ensure change notifies can't get set unless the directory handle is open for SEC_DIR_LIST. via 22528b76ed6 s4: torture: Add smb2.notify.handle-permissions test. via 3ebed681104 VERSION: Bump version up to 4.13.1... from c4938561a97 daemons: report status to systemd even when running in foreground https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test - Log - commit 05aa0b4b3d54f380392ea0cf0f34d926aed791ef Author: Karolin Seeger Date: Thu Oct 29 10:40:54 2020 +0100 VERSION: Bump version up to 4.13.2. Signed-off-by: Karolin Seeger commit c2fef893ca70af2d3bf2cd12f10234e5c7c484e6 Merge: c4938561a97 9e9941a843f Author: Karolin Seeger Date: Thu Oct 29 10:40:21 2020 +0100 Merge tag 'samba-4.13.1' into v4-13-test samba: tag release samba-4.13.1 --- Summary of changes: VERSION | 2 +- WHATSNEW.txt| 93 + source3/smbd/notify.c | 8 +++ source3/winbindd/winbindd_lookupsids.c | 2 +- source4/rpc_server/dnsserver/dcerpc_dnsserver.c | 31 + source4/torture/smb2/notify.c | 80 + source4/torture/winbind/struct_based.c | 27 +++ 7 files changed, 227 insertions(+), 16 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index a9d8bb4e55a..40bee2f283d 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=13 -SAMBA_VERSION_RELEASE=1 +SAMBA_VERSION_RELEASE=2 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index b7d5254d549..e35229fe06a 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,3 +1,96 @@ + == + Release Notes for Samba 4.13.1 + October 29, 2020 + == + + +This is a security release in order to address the following defects: + +o CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify. +o CVE-2020-14323: Unprivileged user can crash winbind. +o CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily + crafted records. + + +=== +Details +=== + +o CVE-2020-14318: + The SMB1/2/3 protocols have a concept of "ChangeNotify", where a client can + request file name notification on a directory handle when a condition such as + "new file creation" or "file size change" or "file timestamp update" occurs. + + A missing permissions check on a directory handle requesting ChangeNotify + meant that a client with a directory handle open only for + FILE_READ_ATTRIBUTES (minimal access rights) could be used to obtain change + notify replies from the server. These replies contain information that should + not be available to directory handles open for FILE_READ_ATTRIBUTE only. + +o CVE-2020-14323: + winbind in version 3.6 and later implements a request to translate multiple + Windows SIDs into names in one request. This was done for performance + reasons: The Microsoft RPC call domain controllers offer to do this + translation, so it was an obvious extension to also offer this batch + operation on the winbind unix domain stream socket that is available to local + processes on the Samba server. + + Due to improper input validation a hand-crafted packet can make winbind + perform a NULL pointer dereference and thus crash. + +o CVE-2020-14383: + Some DNS records (such as MX and NS records) usually contain data in the + additional section. Samba's dnsserver RPC pipe (which is an administrative + interface not used in the DNS server itself) made an error in handling the + case where there are no records present: instead of noticing the lack of + records, it dereferenced uninitialised memory, causing the RPC server to + crash. This RPC server, which also serves protocols other
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via ac716e5 Add security advisories. from b287bdd Updated security page. https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit ac716e5166ee8bb03995323d764b1332d1946be0 Author: Karolin Seeger Date: Thu Oct 29 10:08:44 2020 +0100 Add security advisories. Signed-off-by: Karolin Seeger --- Summary of changes: security/CVE-2020-14318.html | 110 +++ security/CVE-2020-14323.html | 94 security/CVE-2020-14383.html | 86 + 3 files changed, 290 insertions(+) create mode 100644 security/CVE-2020-14318.html create mode 100644 security/CVE-2020-14323.html create mode 100644 security/CVE-2020-14383.html Changeset truncated at 500 lines: diff --git a/security/CVE-2020-14318.html b/security/CVE-2020-14318.html new file mode 100644 index 000..b9a96f2 --- /dev/null +++ b/security/CVE-2020-14318.html @@ -0,0 +1,110 @@ +http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd;> +http://www.w3.org/1999/xhtml;> + + +Samba - Security Announcement Archive + + + + + CVE-2020-14318.html + + + +=== +== Subject: Missing handle permissions check in SMB1/2/3 +== ChangeNotify. +== +== CVE ID#: CVE-2020-14318 +== +== +== Versions:All versions of Samba since Samba 3.6.0 +== +== Summary: Systems where Windows ACL permissions are +== more restrictive than native filesystem +== permissions can be made to leak file name +== information to unprivileged accounts. +=== + +=== +Description +=== + +The SMB1/2/3 protocols have a concept of "ChangeNotify", where a +client can request file name notification on a directory handle when a +condition such as "new file creation" or "file size change" or "file +timestamp update" occurs. + +A missing permissions check on a directory handle requesting +ChangeNotify meant that a client with a directory handle open only for +FILE_READ_ATTRIBUTES (minimal access rights) could be used to obtain +change notify replies from the server. These replies contain +information that should not be available to directory handles open for +FILE_READ_ATTRIBUTE only. + +== +Patch Availability +== + +Patches addressing both these issues have been posted to: + +https://www.samba.org/samba/security/ + +Additionally, Samba 4.11.15, 4.12.9 and 4.13.1 have been issued as +security releases to correct the defect. Samba administrators are +advised to upgrade to these releases or apply the patch as soon as +possible. + +== +CVSSv3 calculation +== + +CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/RL:O/RC:C/CR:L/MAV:A/MAC:L/MPR:L/MUI:N/MS:U/MC:L/MI:N/MA:N + +base score of 4.3 - medium. + += +Workaround and mitigating factors += + +As Samba internally opens an underlying file system handle on a +directory when a client requests an open, even for +FILE_READ_ATTRIBUTES then if the underlying file system permissions +don't allow "r" (read) access for the connected user, then the handle +open request will be denied. + +"r" access is the normal permission needed to list or otherwise reveal +the contents of a directory, so if a connected user has "r" access +then they will be able to list the directory contents normally, and +the information received by a ChangeNofity request is already +available to the user. + +The security issue occurs if the Administrator or directory owner had +set more restrictive Windows ACL permissions on the directory to +disallow read access to the user, and this permissions change was not +reflected in the underlying file system permissions. + +This will only occur if Samba is configured with VFS modules to +decouple the underlying file system permissions from the Windows ACLs, +by setting up a share with the settings: + +[vulnerable_share] +vfs_objects = vfs_acl_xattr +acl_xattr:ignore system acls = yes + +=== +Credits +=== + +Reported by Steven French of Microsoft and the Samba Team. +Advisory written by Jeremy Allison of Google and the Samba Team. +Patches provided by Jeremy Allison of Google and the Samba Team. + +== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +== + + + diff --git a/security/CVE-2020-14323.html b/security/CVE-2020-14323.html new file mode 100644 index 000..c14759f --- /dev/null +++ b/security/CVE-2020-14323.html @@ -0,0 +1,94 @@
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via b287bdd Updated security page. from ad31af5 NEWS[4.13.1]: Samba 4.13.1, 4.12.9 and 4.11.5 Security Releases Available https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit b287bddf42fec6f9701e51da93f1dfe1488bbaa9 Author: Karolin Seeger Date: Thu Oct 29 09:51:47 2020 +0100 Updated security page. Signed-off-by: Karolin Seeger --- Summary of changes: history/security.html | 22 ++ 1 file changed, 22 insertions(+) Changeset truncated at 500 lines: diff --git a/history/security.html b/history/security.html index 92ac61e..b314df2 100755 --- a/history/security.html +++ b/history/security.html @@ -26,6 +26,28 @@ link to full release notes for each release. Details + + 29 Oct 2020 + + patch for Samba 4.13.0 + + patch for Samba 4.12.8 + + patch for Samba 4.11.14 + + CVE-2020-14318, CVE-2020-14323 and CVE-2020-14383. Please see announcements for details. + + Please refer to the advisories. + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14318;>CVE-2020-14318, + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14323;>CVE-2020-14323 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14383;>CVE-2020-14383. + + Announcement, + Announcement, + Announcement. + + + 18 Sep 2020 -- Samba Website Repository
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via ad31af5 NEWS[4.13.1]: Samba 4.13.1, 4.12.9 and 4.11.5 Security Releases Available from 1cfa312 devel/copyright-policy: Rename DCO to Samba Developer's Declaration. https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit ad31af5e724791b84d789f16760f078b6750edc1 Author: Karolin Seeger Date: Wed Oct 28 11:42:20 2020 +0100 NEWS[4.13.1]: Samba 4.13.1, 4.12.9 and 4.11.5 Security Releases Available Signed-off-by: Karolin Seeger --- Summary of changes: history/header_history.html | 3 + history/samba-4.11.15.html | 92 +++ history/samba-4.12.9.html| 93 history/samba-4.13.1.html| 93 posted_news/20201029-082916.4.13.1.body.html | 25 +++ posted_news/20201029-082916.4.13.1.headline.html | 4 + 6 files changed, 310 insertions(+) create mode 100644 history/samba-4.11.15.html create mode 100644 history/samba-4.12.9.html create mode 100644 history/samba-4.13.1.html create mode 100644 posted_news/20201029-082916.4.13.1.body.html create mode 100644 posted_news/20201029-082916.4.13.1.headline.html Changeset truncated at 500 lines: diff --git a/history/header_history.html b/history/header_history.html index 785cc79..b279de1 100755 --- a/history/header_history.html +++ b/history/header_history.html @@ -9,7 +9,9 @@ Release Notes + samba-4.13.1 samba-4.13.0 + samba-4.12.9 samba-4.12.8 samba-4.12.7 samba-4.12.6 @@ -19,6 +21,7 @@ samba-4.12.2 samba-4.12.1 samba-4.12.0 + samba-4.11.15 samba-4.11.14 samba-4.11.13 samba-4.11.12 diff --git a/history/samba-4.11.15.html b/history/samba-4.11.15.html new file mode 100644 index 000..869ef58 --- /dev/null +++ b/history/samba-4.11.15.html @@ -0,0 +1,92 @@ +http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd;> +http://www.w3.org/1999/xhtml;> + +Samba 4.11.15 - Release Notes + + +Samba 4.11.15 Available for Download + +https://download.samba.org/pub/samba/stable/samba-4.11.15.tar.gz;>Samba 4.11.15 (gzipped) +https://download.samba.org/pub/samba/stable/samba-4.11.15.tar.asc;>Signature + + +https://download.samba.org/pub/samba/patches/samba-4.11.14-4.11.15.diffs.gz;>Patch (gzipped) against Samba 4.11.14 +https://download.samba.org/pub/samba/patches/samba-4.11.14-4.11.15.diffs.asc;>Signature + + + + === + Release Notes for Samba 4.11.15 + October 29, 2020 + === + + +This is a security release in order to address the following defects: + +o CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify. +o CVE-2020-14323: Unprivileged user can crash winbind. +o CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily + crafted records. + + +=== +Details +=== + +o CVE-2020-14318: + The SMB1/2/3 protocols have a concept of ChangeNotify, where a client can + request file name notification on a directory handle when a condition such as + new file creation or file size change or file timestamp update occurs. + + A missing permissions check on a directory handle requesting ChangeNotify + meant that a client with a directory handle open only for + FILE_READ_ATTRIBUTES (minimal access rights) could be used to obtain change + notify replies from the server. These replies contain information that should + not be available to directory handles open for FILE_READ_ATTRIBUTE only. + +o CVE-2020-14323: + winbind in version 3.6 and later implements a request to translate multiple + Windows SIDs into names in one request. This was done for performance + reasons: The Microsoft RPC call domain controllers offer to do this + translation, so it was an obvious extension to also offer this batch + operation on the winbind unix domain stream socket that is available to local + processes on the Samba server. + + Due to improper input validation a hand-crafted packet can make winbind + perform a NULL pointer dereference and thus crash. + +o CVE-2020-14383: + Some DNS records (such as MX and NS records) usually contain data in the + additional section. Sambas dnsserver RPC pipe (which is an administrative + interface not used in the DNS server itself) made an error in handling the + case where th
[SCM] Samba Shared Repository - branch v4-11-stable updated
The branch, v4-11-stable has been updated via 1819097773a VERSION: Disable GIT_SNAPSHOT for the 4.11.15 release. via 32ce2b3bc1e WHATSNEW: Add release notes for Samba 4.11.15. via 8e09649351e CVE-2020-14383: s4/dns: do not crash when additional data not found via 2632e8ebae8 CVE-2020-14383: s4/dns: Ensure variable initialization with NULL. via 6093b2d815a CVE-2020-14323 torture4: Add a simple test for invalid lookup_sids winbind call via e6fe5b4d64a CVE-2020-14323 winbind: Fix invalid lookupsids DoS via c300a858483 s3: smbd: Ensure change notifies can't get set unless the directory handle is open for SEC_DIR_LIST. via a5da8919303 s4: torture: Add smb2.notify.handle-permissions test. via d94265fd1df VERSION: Bump version up to 4.11.15... from ee1f3500a1e VERSION: Disable GIT_SNAPSHOT for the 4.11.14 release. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-11-stable - Log - commit 1819097773a381ba138f348e1f9d4b88182b6d9c Author: Karolin Seeger Date: Tue Oct 27 12:33:47 2020 +0100 VERSION: Disable GIT_SNAPSHOT for the 4.11.15 release. o CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify. o CVE-2020-14323: Unprivileged user can crash winbind. o CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records. Signed-off-by: Karolin Seeger commit 32ce2b3bc1ebaf5d43179180a3d1256b6643db5c Author: Karolin Seeger Date: Tue Oct 27 12:32:54 2020 +0100 WHATSNEW: Add release notes for Samba 4.11.15. Signed-off-by: Karolin Seeger commit 8e09649351e9e8143b4bd0b76bcbd2cfb4d2f281 Author: Douglas Bagnall Date: Fri Aug 21 17:23:17 2020 +1200 CVE-2020-14383: s4/dns: do not crash when additional data not found Found by Francis Brosnan Blázquez . BUG: https://bugzilla.samba.org/show_bug.cgi?id=14472 BUG: https://bugzilla.samba.org/show_bug.cgi?id=12795 Signed-off-by: Douglas Bagnall Reviewed-by: Jeremy Allison Autobuild-User(master): Douglas Bagnall Autobuild-Date(master): Mon Aug 24 00:21:41 UTC 2020 on sn-devel-184 (based on commit df98e7db04c901259dd089e20cd557bdbdeaf379) commit 2632e8ebae826a7305fe7d3948ee28b77d2ffbc0 Author: Douglas Bagnall Date: Fri Aug 21 17:10:22 2020 +1200 CVE-2020-14383: s4/dns: Ensure variable initialization with NULL. Based on patches from Francis Brosnan Blázquez and Jeremy Allison BUG: https://bugzilla.samba.org/show_bug.cgi?id=14472 BUG: https://bugzilla.samba.org/show_bug.cgi?id=12795 Signed-off-by: Douglas Bagnall Reviewed-by: Jeremy Allison (based on commit 7afe449e7201be92bed8e53cbb37b74af720ef4e) commit 6093b2d815a00a577036fa001b47d7fc5514ad2c Author: Volker Lendecke Date: Thu Jul 9 21:48:57 2020 +0200 CVE-2020-14323 torture4: Add a simple test for invalid lookup_sids winbind call We can't add this test before the fix, add it to knownfail and have the fix remove the knownfail entry again. As this crashes winbind, many tests after this one will fail. Reported by Bas Alberts of the GitHub Security Lab Team as GHSL-2020-134 Bug: https://bugzilla.samba.org/show_bug.cgi?id=14436 Signed-off-by: Volker Lendecke commit e6fe5b4d64a8e1a03e1aaebafd97f313b3c94342 Author: Volker Lendecke Date: Thu Jul 9 21:49:25 2020 +0200 CVE-2020-14323 winbind: Fix invalid lookupsids DoS A lookupsids request without extra_data will lead to "state->domain==NULL", which makes winbindd_lookupsids_recv trying to dereference it. Reported by Bas Alberts of the GitHub Security Lab Team as GHSL-2020-134 Bug: https://bugzilla.samba.org/show_bug.cgi?id=14436 Signed-off-by: Volker Lendecke commit c300a85848350635e7ddd8129b31c4d439dc0f8a Author: Jeremy Allison Date: Tue Jul 7 18:25:23 2020 -0700 s3: smbd: Ensure change notifies can't get set unless the directory handle is open for SEC_DIR_LIST. Remove knownfail entry. CVE-2020-14318 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14434 Signed-off-by: Jeremy Allison commit a5da8919303ea99937c0d3b536f964b7f1addda7 Author: Jeremy Allison Date: Fri Jul 10 15:09:33 2020 -0700 s4: torture: Add smb2.notify.handle-permissions test. Add knownfail entry. CVE-2020-14318 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14434 Signed-off-by: Jeremy Allison commit d94265fd1df1a81b4e602490eb94b6c6fc945341 Author: Karolin Seeger Date: Fri Sep 25 11:27:41 2020 +0200 VERSION: Bump version up to 4.11.15... and re-enable GIT_SNAPSHOT. Signed-off-by: Karolin Seeger --- Summary of changes: VERSION
[SCM] Samba Shared Repository - annotated tag samba-4.11.15 created
The annotated tag, samba-4.11.15 has been created at f197d0d43a06c20d96edef06d24830f51f8b8f10 (tag) tagging 1819097773a381ba138f348e1f9d4b88182b6d9c (commit) replaces samba-4.11.14 tagged by Karolin Seeger on Wed Oct 28 11:48:51 2020 +0100 - Log - samba: tag release samba-4.11.15 -BEGIN PGP SIGNATURE- iF0EABECAB0WIQRS+8C4bZVLCEMyTNxvM5FbZWi36gUCX5lMkwAKCRBvM5FbZWi3 6vbnAKCGAuRcsQBulztdNhdKtPEmsM6e8ACeOHbcUKytTjx2EzW8cPc7gXbrxdk= =u7fa -END PGP SIGNATURE- Douglas Bagnall (2): CVE-2020-14383: s4/dns: Ensure variable initialization with NULL. CVE-2020-14383: s4/dns: do not crash when additional data not found Jeremy Allison (2): s4: torture: Add smb2.notify.handle-permissions test. s3: smbd: Ensure change notifies can't get set unless the directory handle is open for SEC_DIR_LIST. Karolin Seeger (3): VERSION: Bump version up to 4.11.15... WHATSNEW: Add release notes for Samba 4.11.15. VERSION: Disable GIT_SNAPSHOT for the 4.11.15 release. Volker Lendecke (2): CVE-2020-14323 winbind: Fix invalid lookupsids DoS CVE-2020-14323 torture4: Add a simple test for invalid lookup_sids winbind call --- -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-12-stable updated
The branch, v4-12-stable has been updated via 43c7685056d VERSION: Disable GIT_SNAPSHOT for Samba 4.12.9. via ba904c6999f WHATSNEW: Add release notes for Samba 4.12.9. via 425c31a599b CVE-2020-14383: s4/dns: do not crash when additional data not found via 2d7d1dff7d2 CVE-2020-14383: s4/dns: Ensure variable initialization with NULL. via d0ca2a63aae CVE-2020-14323 torture4: Add a simple test for invalid lookup_sids winbind call via f17967ad73e CVE-2020-14323 winbind: Fix invalid lookupsids DoS via f43ecce46a8 s3: smbd: Ensure change notifies can't get set unless the directory handle is open for SEC_DIR_LIST. via f100bd2f2e4 s4: torture: Add smb2.notify.handle-permissions test. via 2641a2e7d54 VERSION: Bump version up to 4.12.9... from 911e11ad4e3 VERSION: Disable GIT_SNAPSHOT for the 4.12.8 release. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-12-stable - Log - commit 43c7685056db075f095676873a31d46a0c47a654 Author: Karolin Seeger Date: Tue Oct 27 12:24:47 2020 +0100 VERSION: Disable GIT_SNAPSHOT for Samba 4.12.9. o CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify. o CVE-2020-14323: Unprivileged user can crash winbind. o CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records. Signed-off-by: Karolin Seeger commit ba904c6999f6695f3f21c0c540f2a828da8a2601 Author: Karolin Seeger Date: Tue Oct 27 12:24:13 2020 +0100 WHATSNEW: Add release notes for Samba 4.12.9. Signed-off-by: Karolin Seeger commit 425c31a599bb96c7d01273fc50b682bc42dbed57 Author: Douglas Bagnall Date: Fri Aug 21 17:23:17 2020 +1200 CVE-2020-14383: s4/dns: do not crash when additional data not found Found by Francis Brosnan Blázquez . BUG: https://bugzilla.samba.org/show_bug.cgi?id=14472 BUG: https://bugzilla.samba.org/show_bug.cgi?id=12795 Signed-off-by: Douglas Bagnall Reviewed-by: Jeremy Allison Autobuild-User(master): Douglas Bagnall Autobuild-Date(master): Mon Aug 24 00:21:41 UTC 2020 on sn-devel-184 (based on commit df98e7db04c901259dd089e20cd557bdbdeaf379) commit 2d7d1dff7d20d5b06ff50452e7f714af9f6a109e Author: Douglas Bagnall Date: Fri Aug 21 17:10:22 2020 +1200 CVE-2020-14383: s4/dns: Ensure variable initialization with NULL. Based on patches from Francis Brosnan Blázquez and Jeremy Allison BUG: https://bugzilla.samba.org/show_bug.cgi?id=14472 BUG: https://bugzilla.samba.org/show_bug.cgi?id=12795 Signed-off-by: Douglas Bagnall Reviewed-by: Jeremy Allison (based on commit 7afe449e7201be92bed8e53cbb37b74af720ef4e) commit d0ca2a63aaedf123205337aaa211426175ffcebf Author: Volker Lendecke Date: Thu Jul 9 21:48:57 2020 +0200 CVE-2020-14323 torture4: Add a simple test for invalid lookup_sids winbind call We can't add this test before the fix, add it to knownfail and have the fix remove the knownfail entry again. As this crashes winbind, many tests after this one will fail. Reported by Bas Alberts of the GitHub Security Lab Team as GHSL-2020-134 Bug: https://bugzilla.samba.org/show_bug.cgi?id=14436 Signed-off-by: Volker Lendecke commit f17967ad73e9c1d2bd6e0b7c181f08079d2a8214 Author: Volker Lendecke Date: Thu Jul 9 21:49:25 2020 +0200 CVE-2020-14323 winbind: Fix invalid lookupsids DoS A lookupsids request without extra_data will lead to "state->domain==NULL", which makes winbindd_lookupsids_recv trying to dereference it. Reported by Bas Alberts of the GitHub Security Lab Team as GHSL-2020-134 Bug: https://bugzilla.samba.org/show_bug.cgi?id=14436 Signed-off-by: Volker Lendecke commit f43ecce46a89c6380317fbb5f2ae38f48d3d42c8 Author: Jeremy Allison Date: Tue Jul 7 18:25:23 2020 -0700 s3: smbd: Ensure change notifies can't get set unless the directory handle is open for SEC_DIR_LIST. Remove knownfail entry. CVE-2020-14318 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14434 Signed-off-by: Jeremy Allison commit f100bd2f2e4f047942002a992c99104227a17f81 Author: Jeremy Allison Date: Fri Jul 10 15:09:33 2020 -0700 s4: torture: Add smb2.notify.handle-permissions test. Add knownfail entry. CVE-2020-14318 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14434 Signed-off-by: Jeremy Allison commit 2641a2e7d5416632be2de916663e6c262c417775 Author: Karolin Seeger Date: Wed Oct 7 10:13:02 2020 +0200 VERSION: Bump version up to 4.12.9... and re-enable GIT_SNAPSHOT. Signed-off-by: Karolin Seeger --- Summary of changes: VERSION | 2 +-
[SCM] Samba Shared Repository - annotated tag samba-4.12.9 created
The annotated tag, samba-4.12.9 has been created at 93463fe58f3b99d92a1fdca33a0117997f7a5f12 (tag) tagging 43c7685056db075f095676873a31d46a0c47a654 (commit) replaces samba-4.12.8 tagged by Karolin Seeger on Wed Oct 28 11:45:15 2020 +0100 - Log - samba: tag release samba-4.12.9 -BEGIN PGP SIGNATURE- iF0EABECAB0WIQRS+8C4bZVLCEMyTNxvM5FbZWi36gUCX5lLuwAKCRBvM5FbZWi3 6joIAKCelMd2xL5dFrhBMhPPc1Y9xD7ItQCfSCDPW1/hiEVMTT5qskCS3lbmEMs= =OCnq -END PGP SIGNATURE- Douglas Bagnall (2): CVE-2020-14383: s4/dns: Ensure variable initialization with NULL. CVE-2020-14383: s4/dns: do not crash when additional data not found Jeremy Allison (2): s4: torture: Add smb2.notify.handle-permissions test. s3: smbd: Ensure change notifies can't get set unless the directory handle is open for SEC_DIR_LIST. Karolin Seeger (3): VERSION: Bump version up to 4.12.9... WHATSNEW: Add release notes for Samba 4.12.9. VERSION: Disable GIT_SNAPSHOT for Samba 4.12.9. Volker Lendecke (2): CVE-2020-14323 winbind: Fix invalid lookupsids DoS CVE-2020-14323 torture4: Add a simple test for invalid lookup_sids winbind call --- -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-13-stable updated
The branch, v4-13-stable has been updated via 9e9941a843f VERSION: Disable GIT_SNAPSHOT for the 4.13.1 release. via 5a70cd80017 WHATSNEW: Add release notes for Samba 4.13.1. via 862d6fb6f32 CVE-2020-14383: s4/dns: do not crash when additional data not found via 4cbf95e731b CVE-2020-14383: s4/dns: Ensure variable initialization with NULL. via 0b259a48a70 CVE-2020-14323 torture4: Add a simple test for invalid lookup_sids winbind call via 595dd9fc416 CVE-2020-14323 winbind: Fix invalid lookupsids DoS via 5dd4c789c13 s3: smbd: Ensure change notifies can't get set unless the directory handle is open for SEC_DIR_LIST. via 22528b76ed6 s4: torture: Add smb2.notify.handle-permissions test. via 3ebed681104 VERSION: Bump version up to 4.13.1... from 3fe82c204f0 VERSION: Disable GIT_SNAPSHOT for the 4.13.0 release. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-stable - Log - commit 9e9941a843f68790cbc9089eed0c31fcac817476 Author: Karolin Seeger Date: Tue Oct 27 10:04:58 2020 +0100 VERSION: Disable GIT_SNAPSHOT for the 4.13.1 release. o CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify. o CVE-2020-14323: Unprivileged user can crash winbind. o CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily crafted records. Signed-off-by: Karolin Seeger commit 5a70cd8001772a6589304bdbc4596d8351f78908 Author: Karolin Seeger Date: Tue Oct 27 10:04:21 2020 +0100 WHATSNEW: Add release notes for Samba 4.13.1. Signed-off-by: Karolin Seeger commit 862d6fb6f3235126c96683516c12a284bcf84901 Author: Douglas Bagnall Date: Fri Aug 21 17:23:17 2020 +1200 CVE-2020-14383: s4/dns: do not crash when additional data not found Found by Francis Brosnan Blázquez . BUG: https://bugzilla.samba.org/show_bug.cgi?id=14472 BUG: https://bugzilla.samba.org/show_bug.cgi?id=12795 Signed-off-by: Douglas Bagnall Reviewed-by: Jeremy Allison Autobuild-User(master): Douglas Bagnall Autobuild-Date(master): Mon Aug 24 00:21:41 UTC 2020 on sn-devel-184 (based on commit df98e7db04c901259dd089e20cd557bdbdeaf379) commit 4cbf95e731b39b2dbfec02f33fd6b195d0b0f7a8 Author: Douglas Bagnall Date: Fri Aug 21 17:10:22 2020 +1200 CVE-2020-14383: s4/dns: Ensure variable initialization with NULL. Based on patches from Francis Brosnan Blázquez and Jeremy Allison BUG: https://bugzilla.samba.org/show_bug.cgi?id=14472 BUG: https://bugzilla.samba.org/show_bug.cgi?id=12795 Signed-off-by: Douglas Bagnall Reviewed-by: Jeremy Allison (based on commit 7afe449e7201be92bed8e53cbb37b74af720ef4e) commit 0b259a48a70bde4dfd482e0720e593ae5a9c414a Author: Volker Lendecke Date: Thu Jul 9 21:48:57 2020 +0200 CVE-2020-14323 torture4: Add a simple test for invalid lookup_sids winbind call We can't add this test before the fix, add it to knownfail and have the fix remove the knownfail entry again. As this crashes winbind, many tests after this one will fail. Reported by Bas Alberts of the GitHub Security Lab Team as GHSL-2020-134 Bug: https://bugzilla.samba.org/show_bug.cgi?id=14436 Signed-off-by: Volker Lendecke commit 595dd9fc4162dd70ad937db8669a0fddbbba9584 Author: Volker Lendecke Date: Thu Jul 9 21:49:25 2020 +0200 CVE-2020-14323 winbind: Fix invalid lookupsids DoS A lookupsids request without extra_data will lead to "state->domain==NULL", which makes winbindd_lookupsids_recv trying to dereference it. Reported by Bas Alberts of the GitHub Security Lab Team as GHSL-2020-134 Bug: https://bugzilla.samba.org/show_bug.cgi?id=14436 Signed-off-by: Volker Lendecke commit 5dd4c789c13035b805fdd2c3a9c38721657b05b3 Author: Jeremy Allison Date: Tue Jul 7 18:25:23 2020 -0700 s3: smbd: Ensure change notifies can't get set unless the directory handle is open for SEC_DIR_LIST. Remove knownfail entry. CVE-2020-14318 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14434 Signed-off-by: Jeremy Allison commit 22528b76ed6eb6251fdf01875aaa955480e7663d Author: Jeremy Allison Date: Fri Jul 10 15:09:33 2020 -0700 s4: torture: Add smb2.notify.handle-permissions test. Add knownfail entry. CVE-2020-14318 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14434 Signed-off-by: Jeremy Allison commit 3ebed6811046741aa1d6e3e0735fa9172d7c8782 Author: Karolin Seeger Date: Tue Sep 22 15:41:37 2020 +0200 VERSION: Bump version up to 4.13.1... and re-enable GIT_SNAPSHOT. Signed-off-by: Karolin Seeger --- Summary of changes: VERSION
[SCM] Samba Shared Repository - annotated tag samba-4.13.1 created
The annotated tag, samba-4.13.1 has been created at 54eb3d2a2450a468d0d9d3fe299b0bdf9c022ce9 (tag) tagging 9e9941a843f68790cbc9089eed0c31fcac817476 (commit) replaces samba-4.13.0 tagged by Karolin Seeger on Wed Oct 28 11:42:04 2020 +0100 - Log - samba: tag release samba-4.13.1 -BEGIN PGP SIGNATURE- iF0EABECAB0WIQRS+8C4bZVLCEMyTNxvM5FbZWi36gUCX5lK/AAKCRBvM5FbZWi3 6vBCAJ4/NUW8PuLSoCMxvUoW/vYF73qddACgh2DWhAwjugZLNtU1FnkbmHsEfYA= =AC9q -END PGP SIGNATURE- Douglas Bagnall (2): CVE-2020-14383: s4/dns: Ensure variable initialization with NULL. CVE-2020-14383: s4/dns: do not crash when additional data not found Jeremy Allison (2): s4: torture: Add smb2.notify.handle-permissions test. s3: smbd: Ensure change notifies can't get set unless the directory handle is open for SEC_DIR_LIST. Karolin Seeger (3): VERSION: Bump version up to 4.13.1... WHATSNEW: Add release notes for Samba 4.13.1. VERSION: Disable GIT_SNAPSHOT for the 4.13.1 release. Volker Lendecke (2): CVE-2020-14323 winbind: Fix invalid lookupsids DoS CVE-2020-14323 torture4: Add a simple test for invalid lookup_sids winbind call --- -- Samba Shared Repository
