1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
2 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3 <html xmlns="http://www.w3.org/1999/xhtml">
6 <title>Samba - Release Notes Archive</title>
11 <H2>Samba 4.1.6 Available for Download</H2>
15 =============================
16 Release Notes for Samba 4.1.6
18 =============================
21 This is a security release in order to address
22 CVE-2013-4496 (Password lockout not enforced for SAMR password changes) and
23 CVE-2013-6442 (smbcacls can remove a file or directory ACL by mistake).
26 Samba versions 3.4.0 and above allow the administrator to implement
27 locking out Samba accounts after a number of bad password attempts.
29 However, all released versions of Samba did not implement this check for
30 password changes, such as are available over multiple SAMR and RAP
31 interfaces, allowing password guessing attacks.
34 Samba versions 4.0.0 and above have a flaw in the smbcacls command. If
35 smbcacls is used with the "-C|--chown name" or "-G|--chgrp name"
36 command options it will remove the existing ACL on the object being
37 modified, leaving the file or directory unprotected.
43 o Jeremy Allison <jra@samba.org>
44 * BUG 10327: CVE-2013-6442: ensure we don't lose an existing ACL when
45 setting owner or group owner.
48 o Andrew Bartlett <abartlet@samba.org>
49 * BUG 10245: CVE-2013-4496: Enforce password lockout for SAMR password
53 o Stefan Metzmacher <metze@samba.org>
54 * BUG 10245: CVE-2013-4496: Enforce password lockout for SAMR password