NEWS[4.11.5]: Samba 4.11.5, 4.10.12 and 4.9.18 Security Releases Available
author Karolin Seeger <kseeger@samba.org>
Tue, 14 Jan 2020 08:54:01 +0000 (09:54 +0100)
committer Karolin Seeger <kseeger@samba.org>
Tue, 21 Jan 2020 09:39:55 +0000 (10:39 +0100)
Signed-off-by: Karolin Seeger <kseeger@samba.org>
history/header_history.html
history/samba-4.10.12.html [new file with mode: 0644]
history/samba-4.11.5.html [new file with mode: 0644]
history/samba-4.9.18.html [new file with mode: 0644]
history/security.html
posted_news/20200121-090843.4.11.5.body.html [new file with mode: 0644]
posted_news/20200121-090843.4.11.5.headline.html [new file with mode: 0644]
security/CVE-2019-14902.html [new file with mode: 0644]
security/CVE-2019-14907.html [new file with mode: 0644]
security/CVE-2019-19344.html [new file with mode: 0644]

index 8a663ae511bf5240e8e3efc0043f3760a111953b..6afeebd2018d2b67c18c4e704280c7c958301505 100755 (executable)
@@ -9,11 +9,13 @@
                <li><a href="/samba/history/">Release Notes</a>
                <li class="navSub">
                        <ul>
+                       <li><a href="samba-4.11.5.html">samba-4.11.5</a></li>
                        <li><a href="samba-4.11.4.html">samba-4.11.4</a></li>
                        <li><a href="samba-4.11.3.html">samba-4.11.3</a></li>
                        <li><a href="samba-4.11.2.html">samba-4.11.2</a></li>
                        <li><a href="samba-4.11.1.html">samba-4.11.1</a></li>
                        <li><a href="samba-4.11.0.html">samba-4.11.0</a></li>
+                       <li><a href="samba-4.10.12.html">samba-4.10.12</a></li>
                        <li><a href="samba-4.10.11.html">samba-4.10.11</a></li>
                        <li><a href="samba-4.10.10.html">samba-4.10.10</a></li>
                        <li><a href="samba-4.10.9.html">samba-4.10.9</a></li>
@@ -26,6 +28,7 @@
                        <li><a href="samba-4.10.2.html">samba-4.10.2</a></li>
                        <li><a href="samba-4.10.1.html">samba-4.10.1</a></li>
                        <li><a href="samba-4.10.0.html">samba-4.10.0</a></li>
+                       <li><a href="samba-4.9.18.html">samba-4.9.18</a></li>
                        <li><a href="samba-4.9.17.html">samba-4.9.17</a></li>
                        <li><a href="samba-4.9.16.html">samba-4.9.16</a></li>
                        <li><a href="samba-4.9.15.html">samba-4.9.15</a></li>
diff --git a/history/samba-4.10.12.html b/history/samba-4.10.12.html
new file mode 100644 (file)
index 0000000..cf86c8a
--- /dev/null
@@ -0,0 +1,71 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.10.12 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.10.12 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.10.12.tar.gz">Samba 4.10.12 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.10.12.tar.asc">Signature</a>
+</p>
+<p>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.10.11-4.10.12.diffs.gz">Patch (gzipped) against Samba 4.10.11</a><br>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.10.11-4.10.12.diffs.asc">Signature</a>
+</p>
+<p>
+<pre>
+                   ===============================
+                   Release Notes for Samba 4.10.12
+                          January 21, 2020
+                   ===============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2019-14902: Replication of ACLs set to inherit down a subtree on AD
+                 Directory not automatic.
+o CVE-2019-14907: Crash after failed character conversion at log level 3 or
+                 above.
+o CVE-2019-19344: Use after free during DNS zone scavenging in Samba AD DC.
+
+
+=======
+Details
+=======
+
+o  CVE-2019-14902:
+   The implementation of ACL inheritance in the Samba AD DC was not complete,
+   and so absent a &apos;full-sync&apos; replication, ACLs could get out of sync between
+   domain controllers.
+
+o  CVE-2019-14907:
+   When processing untrusted string input Samba can read past the end of the
+   allocated buffer when printing a &quot;Conversion error&quot; message to the logs.
+
+o  CVE-2019-19344:
+   During DNS zone scavenging (of expired dynamic entries) there is a read of
+   memory after it has been freed.
+
+For more details and workarounds, please refer to the security advisories.
+
+
+Changes since 4.10.11
+----------------------
+
+o  Andrew Bartlett &lt;abartlet@samba.org&gt;
+   * BUG 12497: CVE-2019-14902: Replication of ACLs down subtree on AD Directory
+     not automatic.
+   * BUG 14208: CVE-2019-14907: lib/util: Do not print the failed to convert
+     string into the logs.
+
+o  Gary Lockyer &lt;gary@catalyst.net.nz&gt;
+   * BUG 14050: CVE-2019-19344: kcc dns scavenging: Fix use after free in
+     dns_tombstone_records_zone.
+
+
+</pre>
+</p>
+</body>
+</html>
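Review bot: The `<pre>` block near the end of the new file is wrapped in `<p>` ... `</p>`, which the declared XHTML 1.0 Transitional DOCTYPE does not allow, and the `<br>` tags in the two download paragraphs are not self-closed. Drop the `<p>` around `<pre>` and write `<br />`. The "Changes since 4.10.11" heading is also missing the trailing colon that the 4.11.5 and 4.9.18 notes in this commit use.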
diff --git a/history/samba-4.11.5.html b/history/samba-4.11.5.html
new file mode 100644 (file)
index 0000000..5115ddd
--- /dev/null
@@ -0,0 +1,71 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.11.5 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.11.5 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.11.5.tar.gz">Samba 4.11.5 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.11.5.tar.asc">Signature</a>
+</p>
+<p>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.11.4-4.11.5.diffs.gz">Patch (gzipped) against Samba 4.11.4</a><br>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.11.4-4.11.5.diffs.asc">Signature</a>
+</p>
+<p>
+<pre>
+                   ==============================
+                   Release Notes for Samba 4.11.5
+                          January 21, 2020
+                  ==============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2019-14902: Replication of ACLs set to inherit down a subtree on AD
+                 Directory not automatic.
+o CVE-2019-14907: Crash after failed character conversion at log level 3 or
+                 above.
+o CVE-2019-19344: Use after free during DNS zone scavenging in Samba AD DC.
+
+
+=======
+Details
+=======
+
+o  CVE-2019-14902:
+   The implementation of ACL inheritance in the Samba AD DC was not complete,
+   and so absent a &apos;full-sync&apos; replication, ACLs could get out of sync between
+   domain controllers.
+
+o  CVE-2019-14907:
+   When processing untrusted string input Samba can read past the end of the
+   allocated buffer when printing a &quot;Conversion error&quot; message to the logs.
+
+o  CVE-2019-19344:
+   During DNS zone scavenging (of expired dynamic entries) there is a read of
+   memory after it has been freed.
+
+For more details and workarounds, please refer to the security advisories.
+
+
+Changes since 4.11.4:
+---------------------
+
+o  Andrew Bartlett &lt;abartlet@samba.org&gt;
+   * BUG 12497: CVE-2019-14902: Replication of ACLs down subtree on AD Directory
+     not automatic.
+   * BUG 14208: CVE-2019-14907: lib/util: Do not print the failed to convert
+     string into the logs.
+
+o  Gary Lockyer &lt;gary@catalyst.net.nz&gt;
+   * BUG 14050: CVE-2019-19344: kcc dns scavenging: Fix use after free in
+     dns_tombstone_records_zone.
+
+
+</pre>
+</p>
+</body>
+</html>
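Review bot: The closing rule of the release-notes banner (the `====` line directly under "January 21, 2020") is indented one column less than the opening rule, so the box is visibly skewed inside `<pre>`; align it with the other three banner lines. The same `<p>`-around-`<pre>` and unclosed `<br>` markup as in samba-4.10.12.html applies here and should be fixed the same way.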
diff --git a/history/samba-4.9.18.html b/history/samba-4.9.18.html
new file mode 100644 (file)
index 0000000..c194f93
--- /dev/null
@@ -0,0 +1,71 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.9.18 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.9.18 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.9.18.tar.gz">Samba 4.9.18 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.9.18.tar.asc">Signature</a>
+</p>
+<p>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.9.17-4.9.18.diffs.gz">Patch (gzipped) against Samba 4.9.17</a><br>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.9.17-4.9.18.diffs.asc">Signature</a>
+</p>
+<p>
+<pre>
+                   ==============================
+                   Release Notes for Samba 4.9.18
+                           January 21, 2020
+                   ==============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2019-14902: Replication of ACLs set to inherit down a subtree on AD
+                 Directory not automatic.        
+o CVE-2019-14907: Crash after failed character conversion at log level 3 or
+                 above.                                               
+o CVE-2019-19344: Use after free during DNS zone scavenging in Samba AD DC.
+                                                                                
+                                                                                
+=======                                                                         
+Details                                                                         
+=======                                                                         
+                                                                                
+o  CVE-2019-14902:                                                                                
+   The implementation of ACL inheritance in the Samba AD DC was not complete,
+   and so absent a &apos;full-sync&apos; replication, ACLs could get out of sync between
+   domain controllers. 
+
+o  CVE-2019-14907:
+   When processing untrusted string input Samba can read past the end of the
+   allocated buffer when printing a &quot;Conversion error&quot; message to the logs.
+
+o  CVE-2019-19344:                                                                                
+   During DNS zone scavenging (of expired dynamic entries) there is a read of
+   memory after it has been freed.
+
+For more details and workarounds, please refer to the security advisories.
+
+
+Changes since 4.9.17:
+---------------------
+
+o  Andrew Bartlett &lt;abartlet@samba.org&gt;
+   * BUG 12497: CVE-2019-14902: Replication of ACLs down subtree on AD Directory
+     not automatic.
+   * BUG 14208: CVE-2019-14907: lib/util: Do not print the failed to convert
+     string into the logs.
+
+o  Gary Lockyer &lt;gary@catalyst.net.nz&gt;
+   * BUG 14050: CVE-2019-19344: kcc dns scavenging: Fix use after free in
+     dns_tombstone_records_zone.
+
+
+</pre>
+</p>
+</body>
+</html>
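Review bot: Many added lines in the `<pre>` block carry trailing whitespace, for example after "Directory not automatic.", after "above.", on the blank lines around the "Details" heading (padded out to 80 columns), and after the "o  CVE-2019-14902:" and "o  CVE-2019-19344:" items. Strip it before committing; `git diff --check` will list each occurrence. The "January 21, 2020" line is also indented one column further than in the 4.10.12 and 4.11.5 notes.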
index 33e2be973577f9a3779305405bc36e6984bc4f4a..cd5311b631c9cf4a675720410660fedfc3252085 100755 (executable)
@@ -26,6 +26,29 @@ link to full release notes for each release.</p>
        <td><em>Details</em></td>
       </tr>
 
+    <tr>
+       <td>21 Jan 2020</td>
+       <td><a href="/samba/ftp/patches/security/samba-4.11.4-security-2020-01-21.patch">
+       patch for Samba 4.11.4</a><br />
+       <a href="/samba/ftp/patches/security/samba-4.10.11-security-2020-01-21.patch">
+       patch for Samba 4.10.11</a><br />
+       <a href="/samba/ftp/patches/security/samba-4.9.17-security-2020-01-21.patch">
+       patch for Samba 4.9.17</a><br />
+       </td>
+       <td>CVE-2019-14902, CVE-2019-14907 and CVE-2019-19344. Please see announcements for
+        details.
+       </td>
+       <td>Please refer to the advisories.</td>
+       <td><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14902">CVE-2019-14902</a>,
+       <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14907">CVE-2019-14907</a>,
+       <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19344">CVE-2019-19344.</a>.
+       </td>
+       <td><a href="/samba/security/CVE-2019-14902.html">Announcement</a>,
+       <a href="/samba/security/CVE-2019-14907.html">Announcement</a>,
+       <a href="/samba/security/CVE-2019-19344.html">Announcement</a>
+       </td>
+    </tr>
+
     <tr>
        <td>10 Dec 2019</td>
        <td><a
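Review bot: The last CVE link in the new row ends with `CVE-2019-19344.</a>.`, which puts one full stop inside the link text and a second one after it. Move the punctuation outside the anchor and keep a single full stop, or drop it as the cell is a list of links. The three links in the final cell all read "Announcement", so a reader cannot tell which advisory each one opens; consider using the CVE ID as the link text.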
diff --git a/posted_news/20200121-090843.4.11.5.body.html b/posted_news/20200121-090843.4.11.5.body.html
new file mode 100644 (file)
index 0000000..b05ed9e
--- /dev/null
@@ -0,0 +1,33 @@
+<!-- BEGIN: posted_news/20200121-090843.4.11.5.body.html -->
+<h5><a name="4.11.5">21 January 2020</a></h5>
+<p class=headline>Samba 4.11.5, 4.10.12 and 4.9.18 Security Releases Available</p>
+<p>
+These are security releases in order to address
+<a href="/samba/security/CVE-2019-14902.html">CVE-2019-14902</a>
+(Replication of ACLs set to inherit down a subtree on AD Directory not automatic).
+<a href="/samba/security/CVE-2019-14907.html">CVE-2019-14907</a>
+(Crash after failed character conversion at log level 3 or above).
+<a href="/samba/security/CVE-2019-19344.html">CVE-2019-19344</a>
+(Use after free during DNS zone scavenging in Samba AD DC).
+</p>
+<p>
+The uncompressed tarballs have been signed using GnuPG (ID 6F33915B6568B7EA).</br>
+The 4.11.5 source code can be <a
+href="https://download.samba.org/pub/samba/stable/samba-4.11.5.tar.gz">downloaded now</a>.</br>
+A <a href="https://download.samba.org/pub/samba/patches/samba-4.11.4-4.11.5.diffs.gz">patch
+against Samba 4.11.4</a> is also available.</br>
+See the <a href="https://www.samba.org/samba/history/samba-4.11.5.html">4.11.5 release notes</a> for more info.</br>
+The 4.10.12 source code can be <a
+href="https://download.samba.org/pub/samba/stable/samba-4.10.12.tar.gz">downloaded now</a>.</br>
+A <a
+href="https://download.samba.org/pub/samba/patches/samba-4.10.11-4.10.12.diffs.gz">patch
+against Samba 4.10.11</a> is also available.</br>
+See the <a href="https://www.samba.org/samba/history/samba-4.10.12.html">4.10.12 release notes</a> for more info.
+The 4.9.18 source code can be <a
+href="https://download.samba.org/pub/samba/stable/samba-4.9.18.tar.gz">downloaded now</a>.</br>
+A <a
+href="https://download.samba.org/pub/samba/patches/samba-4.9.17-4.9.18.diffs.gz">patch
+against Samba 4.9.17</a> is also available.</br>
+See the <a href="https://www.samba.org/samba/history/samba-4.9.18.html">4.9.18 release notes</a> for more info.
+</p>
+<!-- END: posted_news/20200121-090843.4.11.5.body.html -->
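Review bot: The line breaks in the second paragraph are written as `</br>`, which is not a valid tag; use `<br />`. The breaks are also missing after the "4.10.12 release notes" sentence, so "The 4.9.18 source code ..." runs on in the same rendered line, unlike the 4.11.5 block above it. In the first paragraph the descriptions for CVE-2019-14902 and CVE-2019-14907 each end with a full stop, which splits one sentence into three fragments; commas and a final "and" would read correctly. `class=headline` should be quoted as `class="headline"`.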
diff --git a/posted_news/20200121-090843.4.11.5.headline.html b/posted_news/20200121-090843.4.11.5.headline.html
new file mode 100644 (file)
index 0000000..11b56a0
--- /dev/null
@@ -0,0 +1,4 @@
+<!-- BEGIN: posted_news/20200121-090843.4.11.5.headline.html -->
+<li> 21 January 2020 <a href="#4.11.5">Samba 4.11.5, 4.10.12 and 4.9.18 Security
+Releases Available</a></li>
+<!-- END: posted_news/20200121-090843.4.11.5.headline.html -->
diff --git a/security/CVE-2019-14902.html b/security/CVE-2019-14902.html
new file mode 100644 (file)
index 0000000..c0bf92d
--- /dev/null
@@ -0,0 +1,108 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+   <H2>CVE-2019-14902.html
+
+<p>
+<pre>
+===========================================================
+== Subject:     Replication of ACLs set to inherit down a
+==              subtree on AD Directory not automatic
+==
+== CVE ID#:     CVE-2019-14902 
+==
+== Versions:    Samba 4.0 and later
+==
+== Summary:     The implementation of ACL inheritance in the
+==              Samba AD DC was not complete, and so absent a
+==              'full-sync' replication, ACLs could get out of
+==              sync between domain controllers.
+===========================================================
+
+===========
+Description
+===========
+
+A newly delegated right, but more importantly the removal of a
+delegated right, would not be inherited on any DC other than the one
+where the change was made.
+
+For example:
+ - if a user or group was previously delegated the right to
+create or modify a subtree (say to allow desktop support to reset
+passwords and create users)
+ - and subsequently this right was taken away
+
+The removal would not automatically be taken away on all domain
+controllers.
+
+Because this patch only fixes new replication into the future, it is
+vital that a full-sync be done TO each Domain Controller to ensure
+each ACL (ntSecurityDescriptor) is re-calculated on the whole set of
+DCs.  See the instructions in "workaround and required steps
+post-upgrade" below.
+
+==================
+Patch Availability
+==================
+
+Patches addressing both these issues have been posted to:
+
+    https://www.samba.org/samba/security/
+
+Additionally, Samba 4.11.5, 4.10.12 and 4.9.18 have been issued
+as security releases to correct the defect.  Samba administrators are
+advised to upgrade to these releases or apply the patch as soon
+as possible.
+
+==================
+CVSSv3 calculation
+==================
+
+CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (5.4)
+
+==========================================
+Workaround and required steps post-upgrade
+==========================================
+
+Use of 'samba-tool drs replicate $DC1 $DC2 $NC --full-sync' will cause
+all ACLs to be syncronised from DC2 to DC1, for the given NC (naming
+context), eg:
+
+samba-tool drs replicate my-DC1 my-DC2 DC=samba,DC=example,DC=com --full-sync 
+samba-tool drs replicate my-DC1 my-DC2 CN=Configuration,DC=samba,DC=example,DC=com --full-sync 
+
+samba-tool drs replicate my-DC2 my-DC1 DC=samba,DC=example,DC=com --full-sync 
+samba-tool drs replicate my-DC2 my-DC1 CN=Configuration,DC=samba,DC=example,DC=com --full-sync
+
+Internally both in patched and un-patched versions, for every object
+replicated with a --full-sync, the inheritance will be correctly
+calculated.  This only needs to be done TO each DC, not for each
+pair-wise pair.
+
+=======
+Credits
+=======
+
+Reported by a number of Samba users and sites since 2017, but now
+recognised as a security issue after triage.  We apologise for the
+delay in dealing with this issue.
+
+Patches provided by Andrew Bartlett of the Samba Team and Catalyst.
+
+Advisory written by Andrew Bartlett of the Samba Team and Catalyst.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+</pre>
+</body>
+</html>
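Review bot: The `<H2>CVE-2019-14902.html` heading at the top of the body is never closed, and the `<p>` opened before `<pre>` has no closing tag, so the rest of the document is parsed as heading content; add `</H2>` and drop the `<p>`. In Patch Availability, "Patches addressing both these issues" does not fit an advisory that covers a single CVE. In the workaround section "syncronised" should be "synchronised", "pair-wise pair" is redundant, and the CVE ID# line and three of the four `samba-tool drs replicate` example lines end in trailing whitespace. The Description refers to the section as "workaround and required steps post-upgrade" in lower case while the section heading is capitalised; matching the heading exactly makes it easier to find.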
diff --git a/security/CVE-2019-14907.html b/security/CVE-2019-14907.html
new file mode 100644 (file)
index 0000000..199dae0
--- /dev/null
@@ -0,0 +1,83 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+   <H2>CVE-2019-14907.html
+
+<p>
+<pre>
+===========================================================
+== Subject:     Crash after failed character conversion at
+==              log level 3 or above
+==
+== CVE ID#:     CVE-2019-14907
+==
+== Versions:    Samba 4.0 and later versions
+==
+== Summary:     When processing untrusted string input Samba
+==              can read past the end of the allocated buffer
+==              when printing a "Conversion error" message
+==              to the logs.
+==              
+===========================================================
+
+===========
+Description
+===========
+
+If samba is set with "log level = 3" (or above) then the string
+obtained from the client, after a failed character conversion, is
+printed.  Such strings can be provided during the NTLMSSP
+authentication exchange.
+
+In the Samba AD DC in particular, this may cause a long-lived process
+(such as the RPC server) to terminate.  (In the file server case, the
+most likely target, smbd, operates as process-per-client and so a
+crash there is harmless).
+
+==================
+Patch Availability
+==================
+
+Patches addressing both these issues have been posted to:
+
+    https://www.samba.org/samba/security/
+
+Additionally, Samba 4.11.5, 4.10.12 and 4.9.18 have been issued
+as security releases to correct the defect.  Samba administrators are
+advised to upgrade to these releases or apply the patch as soon
+as possible.
+
+==================
+CVSSv3 calculation
+==================
+
+CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (6.5)
+
+==========
+Workaround
+==========
+
+Do not set a log level of 3 or above in production.
+
+=======
+Credits
+=======
+
+Originally reported by Robert Święcki using a fuzzer he wrote.
+
+Patches provided by Andrew Bartlett of the Samba team and Catalyst.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+</pre>
+</body>
+</html>
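Review bot: As in CVE-2019-14902.html, the `<H2>CVE-2019-14907.html` heading is left open and the `<p>` before `<pre>` is never closed; close the heading and remove the `<p>`. "Patches addressing both these issues" under Patch Availability refers to two issues where this advisory describes one. The CVSS vector sets UI:R, but the Description does not say what user interaction is meant; a sentence explaining it, or a corrected vector, would help readers who score the issue themselves. The Credits write "Samba team" where the CVE-2019-14902 advisory in this commit writes "Samba Team", and the empty "==" line at the end of the header box has trailing whitespace.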
diff --git a/security/CVE-2019-19344.html b/security/CVE-2019-19344.html
new file mode 100644 (file)
index 0000000..f2fa954
--- /dev/null
@@ -0,0 +1,87 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+   <H2>CVE-2019-19344.html
+
+<p>
+<pre>
+===========================================================
+== Subject:     Use after free during DNS zone scavenging
+==              in Samba AD DC
+==
+== CVE ID#:     CVE-2019-19344
+==
+== Versions:    Samba 4.9 and later versions
+==
+== Summary:     During DNS zone scavenging (of expired dynamic
+==              entries) there is a read of memory after it has
+==              been freed.
+===========================================================
+
+===========
+Description
+===========
+
+Samba 4.9 introduced an off-by-default feature to tombstone
+dynamically created DNS records that had reached their expiry time.
+
+This feature is controlled by the smb.conf option:
+ dns zone scavenging = yes
+
+There is a use-after-free issue in this code, essentially due to a
+call to realloc() while other local variables still point at the
+original buffer.
+
+The use is a read, but in quite unlikely conditions (due to NDR
+validation unpacking the buffer) that read memory might be saved back
+into the DB.
+
+==================
+Patch Availability
+==================
+
+Patches addressing both these issues have been posted to:
+
+    https://www.samba.org/samba/security/
+
+Additionally, Samba 4.11.5, 4.10.12 and 4.9.18 have been issued
+as security releases to correct the defect.  Samba administrators are
+advised to upgrade to these releases or apply the patch as soon
+as possible.
+
+==================
+CVSSv3 calculation
+==================
+
+CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)
+
+==========
+Workaround
+==========
+
+The code in question is not run in the default configuration, so
+the workaround is simply to not set
+ dns zone scavenging = yes
+
+=======
+Credits
+=======
+
+Originally reported by Christian Naumer.
+
+Patches provided by Andrew Bartlett of the Samba team and Catalyst.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+</pre>
+</body>
+</html>
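Review bot: The Credits state "Patches provided by Andrew Bartlett of the Samba team and Catalyst", but the release notes added in this same commit list the fix under Gary Lockyer ("BUG 14050: CVE-2019-19344: kcc dns scavenging: Fix use after free in dns_tombstone_records_zone"); please confirm who should be credited and make the two agree. The `<H2>CVE-2019-19344.html` heading and the `<p>` before `<pre>` are left unclosed as in the other two advisories, and "Patches addressing both these issues" does not match a single-CVE advisory.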