<td><em>Details</em></td>
</tr>
+ <tr>
+ <td>21 Nov 2017</td>
+ <td><a href="/samba/ftp/patches/security/samba-4.7.2-security-2017-11-21.patch">
+ patch for Samba 4.7.2</a><br />
+ <a href="/samba/ftp/patches/security/samba-4.6.10-security-2017-11-21.patch">
+ patch for Samba 4.6.10</a><br />
+ <a href="/samba/ftp/patches/security/samba-4.5.14-security-2017-11-21.patch">
+ patch for Samba 4.5.14</a><br />
+ <td>Numerous CVEs. Please see the announcements for details.
+ </td>
+ <td>please refer to the advisories</td>
+ <td><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14746">CVE-2017-14746</a>,
+ <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15275">CVE-2017-15275</a>
+ </td>
+ <td><a href="/samba/security/CVE-2017-14746.html">Announcement</a>,
+ <a href="/samba/security/CVE-2017-15275.html">Announcement</a>
+ </td>
+ </tr>
+
<tr>
<td>20 Sep 2017</td>
<td><a href="/samba/ftp/patches/security/samba-4.6.7-security-2017-09-20.patch">
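Review bot: the patch-links cell in the new 21 Nov 2017 row is never closed. After the line `patch for Samba 4.5.14</a><br />` the next added line opens `<td>Numerous CVEs. ...` with no `</td>` in between, so the following cells nest inside the links cell and the row will not line up with the column headers. Add `</td>` after the last patch link (the trailing `<br />` there can go too). Separately, the cell says "Numerous CVEs" while the row links exactly two, CVE-2017-14746 and CVE-2017-15275; a short description of each issue would be more useful to someone scanning the table than a pointer to the announcements.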
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+ <H2>CVE-2017-14746.html:</H2>
+
+<p>
+<pre>
+====================================================================
+== Subject: Use-after-free vulnerability.
+==
+== CVE ID#: CVE-2017-14746
+==
+== Versions: All versions of Samba from 4.0.0 onwards.
+==
+== Summary: A client may use an SMB1 request to manipulate
+== the contents of heap space.
+==
+====================================================================
+
+===========
+Description
+===========
+
+All versions of Samba from 4.0.0 onwards are vulnerable to a use after
+free vulnerability, where a malicious SMB1 request can be used to
+control the contents of heap memory via a deallocated heap pointer. It
+is possible this may be used to compromise the SMB server.
+
+==================
+Patch Availability
+==================
+
+A patch addressing this defect has been posted to
+
+ http://www.samba.org/samba/security/
+
+Additionally, Samba 4.7.3, 4.6.11 and 4.5.15 have been issued as
+security releases to correct the defect. Patches against older Samba
+versions are available at http://samba.org/samba/patches/. Samba
+vendors and administrators running affected versions are advised to
+upgrade or apply the patch as soon as possible.
+
+==========
+Workaround
+==========
+
+Prevent SMB1 access to the server by setting the parameter:
+
+server min protocol = SMB2
+
+to the [global] section of your smb.conf and restart smbd. This
+prevents and SMB1 access to the server. Note this could cause older
+clients to be unable to connect to the server.
+
+=======
+Credits
+=======
+
+This problem was found by Yihan Lian and Zhibin Hu of Qihoo 360
+GearTeam. Jeremy Allison of Google and the Samba Team provided the
+fix.
+</pre>
+</body>
+</html>
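Review bot: the Workaround section reads "This prevents and SMB1 access to the server", which looks like a typo for "any SMB1 access". This paragraph is the only mitigation offered to administrators who cannot upgrade right away, so it should be unambiguous; "setting the parameter ... to the [global] section" would also read better as "adding the parameter ... to the [global] section". On the markup, `<p>` is opened directly before `<pre>` and never closed, and `<H2>` is uppercase under an XHTML 1.0 Transitional doctype, where element names are lowercase. Drop the `<p>` and use `<h2>`.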
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+ <H2>CVE-2017-15275.html:</H2>
+
+<p>
+<pre>
+====================================================================
+== Subject: Server heap memory information leak.
+==
+== CVE ID#: CVE-2017-15275
+==
+== Versions: All versions of Samba from 3.6.0 onwards.
+==
+== Summary: The server may return the contents of heap
+== allocated memory to the client.
+==
+====================================================================
+
+===========
+Description
+===========
+
+All versions of Samba from 3.6.0 onwards are vulnerable to a heap
+memory information leak, where server allocated heap memory may be
+returned to the client without being cleared.
+
+There is no known vulnerability associated with this error, but
+uncleared heap memory may contain previously used data that may help
+an attacker compromise the server via other methods. Uncleared heap
+memory may potentially contain password hashes or other high-value
+data.
+
+==================
+Patch Availability
+==================
+
+A patch addressing this defect has been posted to
+
+ http://www.samba.org/samba/security/
+
+Additionally, Samba 4.7.3, 4.6.11 and 4.5.15 have been issued as
+security releases to correct the defect. Patches against older Samba
+versions are available at http://samba.org/samba/patches/. Samba
+vendors and administrators running affected versions are advised to
+upgrade or apply the patch as soon as possible.
+
+==========
+Workaround
+==========
+
+None.
+
+=======
+Credits
+=======
+
+This problem was found by Volker Lendecke of SerNet and the Samba
+Team. Jeremy Allison of Google and the Samba Team provided the fix.
+</pre>
+</body>
+</html>
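Review bot: in the Description, "There is no known vulnerability associated with this error" sits awkwardly next to the preceding paragraph, which says all versions from 3.6.0 onwards "are vulnerable to a heap memory information leak". If the intent is that no exploit using the leaked data is known, say "no known exploit" so readers do not take the sentence as downgrading the issue. The same markup points apply as in the other new announcement page: the `<p>` before `<pre>` is never closed, and `<H2>` should be lowercase under the XHTML doctype.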