==============================
- Release Notes for Samba 3.6.19
- September 25, 2013
+ Release Notes for Samba 3.6.23
+ March 11, 2014
+ ==============================
+
+
+This is a security release in order to address
+CVE-2013-4496 (Password lockout not enforced for SAMR password changes).
+
+o CVE-2013-4496:
+ Samba versions 3.4.0 and above allow the administrator to implement
+ locking out Samba accounts after a number of bad password attempts.
+
+ However, all released versions of Samba did not implement this check for
+ password changes, such as are available over multiple SAMR and RAP
+ interfaces, allowing password guessing attacks.
+
+
+Changes since 3.6.22:
+---------------------
+
+o Andrew Bartlett <abartlet@samba.org>
+ * BUG 10245: CVE-2013-4496: Enforce password lockout for SAMR password
+ changes.
+
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 10245: CVE-2013-4496: Enforce password lockout for SAMR password
+ changes.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 3.6 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+ ==============================
+ Release Notes for Samba 3.6.22
+ December 9, 2013
+ ==============================
+
+
+This is a security release in order to address
+CVE-2013-4408 (DCE-RPC fragment length field is incorrectly checked) and
+CVE-2012-6150 (pam_winbind login without require_membership_of restrictions).
+
+o CVE-2013-4408:
+ Samba versions 3.4.0 and above (versions 3.4.0 - 3.4.17, 3.5.0 -
+ 3.5.22, 3.6.0 - 3.6.21, 4.0.0 - 4.0.12 and including 4.1.2) are
+ vulnerable to buffer overrun exploits in the client processing of
+ DCE-RPC packets. This is due to incorrect checking of the DCE-RPC
+ fragment length in the client code.
+
+ This is a critical vulnerability as the DCE-RPC client code is part of
+ the winbindd authentication and identity mapping daemon, which is
+ commonly configured as part of many server installations (when joined
+ to an Active Directory Domain). A malicious Active Directory Domain
+ Controller or man-in-the-middle attacker impersonating an Active
+ Directory Domain Controller could achieve root-level access by
+ compromising the winbindd process.
+
+ Samba server versions 3.4.0 - 3.4.17 and versions 3.5.0 - 3.5.22 are
+ also vulnerable to a denial of service attack (server crash) due to a
+ similar error in the server code of those versions.
+
+ Samba server versions 3.6.0 and above (including all 3.6.x versions,
+ all 4.0.x versions and 4.1.x) are not vulnerable to this problem.
+
+ In addition range checks were missing on arguments returned from calls
+ to the DCE-RPC functions LookupSids (lsa and samr), LookupNames (lsa and samr)
+ and LookupRids (samr) which could also cause similar problems.
+
+ As this was found during an internal audit of the Samba code there are
+ no currently known exploits for this problem (as of December 9th 2013).
+
+o CVE-2012-6150:
+ Winbind allows for the further restriction of authenticated PAM logins using
+ the require_membership_of parameter. System administrators may specify a list
+ of SIDs or groups for which an authenticated user must be a member of. If an
+ authenticated user does not belong to any of the entries, then login should
+ fail. Invalid group name entries are ignored.
+
+ Samba versions 3.3.10, 3.4.3, 3.5.0 and later incorrectly allow login from
+ authenticated users if the require_membership_of parameter specifies only
+ invalid group names.
+
+ This is a vulnerability with low impact. All require_membership_of group
+ names must be invalid for this bug to be encountered.
+
+
+Changes since 3.6.21:
+---------------------
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 10185: CVE-2013-4408: Correctly check DCE-RPC fragment length field.
+
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 10185: CVE-2013-4408: Correctly check DCE-RPC fragment length field.
+
+
+o Noel Power <noel.power@suse.com>
+ * BUGs 10300, 10306: CVE-2012-6150: Fail authentication if user isn't
+ member of *any* require_membership_of specified groups.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 3.6 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+
+
+ ==============================
+ Release Notes for Samba 3.6.21
+ November 29, 2013
==============================
This is is the latest stable release of Samba 3.6.
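Review bot: The CVE-2013-4408 text in the 3.6.22 section can be read as saying that 3.6.x needs no fix. The first paragraph lists 3.6.0 - 3.6.21 as vulnerable in the client processing of DCE-RPC packets, but the later paragraph "Samba server versions 3.6.0 and above ... are not vulnerable to this problem" never says that "this problem" means only the server-side denial of service described just before it. Suggest stating that those server versions are not vulnerable to the server crash but are still affected by the client-side overrun in winbindd. The range "4.0.0 - 4.0.12 and including 4.1.2" also leaves open whether 4.1.0 and 4.1.1 are affected; write the 4.1.x range out the same way as the others.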
-Major enhancements in Samba 3.6.19 include:
-o
+Changes since 3.6.20:
+---------------------
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 10139: Valid utf8 filenames cause "invalid conversion error"
+ messages.
+ * BUG 10167: s3-smb2 server: smb2 breaks "smb encryption = mandatory".
+ * BUG 10187: Missing talloc_free can leak stackframe in error path.
+ * BUG 10247: xattr: Fix listing EAs on *BSD for non-root users.
+
+
+o Korobkin <korobkin+samba@gmail.com>
+ * BUG 10118: Raise debug level for being unable to open a printer.
+
+
+o Volker Lendecke <vl@samba.org>
+ * BUG 10195: nsswitch: Fix short writes in winbind_write_sock.
+
+
+o Arvid Requate <requate@univention.de>
+ * BUG 10267: Fix Windows 8 printing via local printer drivers.
+
+
+o Andreas Schneider <asn@cryptomilk.org>
+ * BUG 10194: Make offline logon cache updating for cross child domain
+ group membership.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 3.6 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+
+
+ ==============================
+ Release Notes for Samba 3.6.20
+ November 11, 2013
+ ==============================
+
+
+This is a security release in order to address
+CVE-2013-4475 (ACLs are not checked on opening an alternate
+data stream on a file or directory).
+
+o CVE-2013-4475:
+ Samba versions 3.2.0 and above (all versions of 3.2.x, 3.3.x,
+ 3.4.x, 3.5.x, 3.6.x, 4.0.x and 4.1.x) do not check the underlying
+ file or directory ACL when opening an alternate data stream.
+
+ According to the SMB1 and SMB2+ protocols the ACL on an underlying
+ file or directory should control what access is allowed to alternate
+ data streams that are associated with the file or directory.
+
+ By default no version of Samba supports alternate data streams
+ on files or directories.
+
+ Samba can be configured to support alternate data streams by loading
+ either one of two virtual file system modues (VFS) vfs_streams_depot or
+ vfs_streams_xattr supplied with Samba, so this bug only affects Samba
+ servers configured this way.
+
+ To determine if your server is vulnerable, check for the strings
+ "streams_depot" or "streams_xattr" inside your smb.conf configuration
+ file.
+
+
+Changes since 3.6.19:
+---------------------
+
+o Jeremy Allison <jra@samba.org>
+ * BUGs 10234 + 10229: CVE-2013-4475: Fix access check verification on stream
+ files.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 3.6 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+
+
+ ==============================
+ Release Notes for Samba 3.6.19
+ September 25, 2013
+ ==============================
+
+
+This is is the latest maintenance release of Samba 3.6.
+
+Please note that this will probably be the last maintenance release
+of the Samba 3.6 release series. With the release of Samba 4.1.0, the
+3.6 release series will be turned into the "security fixes only" mode.
Changes since 3.6.18:
---------------------
o Jeremy Allison <jra@samba.org>
+ * BUG 5917: Make Samba work on site with Read Only Domain Controller.
+
+
+o Christian Ambach <ambi@samba.org>
+ * BUG 8955: NetrServerPasswordSet2 timeout is too short.
+
+
+o Günther Deschner <gd@samba.org>
+ * BUG 9899: Fix fallback to ncacn_np in cm_connect_lsat().
+ * BUG 9615: Fix fallback to ncacn_np in cm_connect_lsat().
+ * BUG 10127: Fix 'smbstatus' as non-root user.
+
+
+o Volker Lendecke <vl@samba.org>
+ * BUG 8955: Give machine password changes 10 minutes of time.
+ * BUG 10106: Honour output buffer length set by the client for SMB2 GetInfo
+ requests.
+ * BUG 10114: Handle Dropbox (write-only-directory) case correctly in
+ pathname lookup.
+
+
+o Karolin Seeger <kseeger@samba.org>
+ * BUG 10076: Fix variable list in man vfs_crossrename.
+
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 9994: s3-winbind: Do not delete an existing valid credential cache.
+ * BUG 10073: 'net ads join': Fix segmentation fault in
+ create_local_private_krb5_conf_for_domain.
+
+
+o Richard Sharpe <realrichardsharpe@gmail.com>
+ * BUG 10097: MacOSX 10.9 will not follow path-based DFS referrals handed
+ out by Samba.
######################################################################
== The Samba Team
======================================================================
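Review bot: In the 3.6.19 list under Günther Deschner, BUG 9899 and BUG 9615 carry the identical description "Fix fallback to ncacn_np in cm_connect_lsat()". Either one of them is meant to name a different function, or the two should be merged into a single entry in the "BUGs N, M" form used elsewhere in this file; please confirm against the bug reports. Two typos in added lines are also worth fixing while here: "modues" in the CVE-2013-4475 paragraph ("virtual file system modues (VFS)") and the doubled verb in "This is is the latest maintenance release of Samba 3.6."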
-Release notes for older releases follow:
-----------------------------------------
+
+----------------------------------------------------------------------
+
==============================
Release Notes for Samba 3.6.18