+ ==============================
+ Release Notes for Samba 4.19.4
+ January 08, 2024
+ ==============================
+
+
+This is the latest stable release of the Samba 4.19 release series.
+
+
+Changes since 4.19.3
+--------------------
+
+o Samuel Cabrero <scabrero@samba.org>
+ * BUG 13577: net changesecretpw cannot set the machine account password if
+ secrets.tdb is empty.
+
+o Björn Jacke <bjacke@samba.org>
+ * BUG 15540: For generating doc, take, if defined, env XML_CATALOG_FILES.
+ * BUG 15541: Trivial C typo in nsswitch/winbind_nss_netbsd.c.
+ * BUG 15542: vfs_linux_xfs is incorrectly named.
+
+o Björn Jacke <bj@sernet.de>
+ * BUG 15377: systemd stumbled over copyright-message at smbd startup.
+
+o Volker Lendecke <vl@samba.org>
+ * BUG 15505: Following intermediate abolute share-local symlinks is broken.
+ * BUG 15523: ctdb RELEASE_IP causes a crash in release_ip if a connection to
+ a non-public address disconnects first.
+ * BUG 15544: shadow_copy2 broken when current fileset's directories are
+ removed.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 15377: systemd stumbled over copyright-message at smbd startup.
+ * BUG 15523: ctdb RELEASE_IP causes a crash in release_ip if a connection to
+ a non-public address disconnects first.
+ * BUG 15534: smbd does not detect ctdb public ipv6 addresses for multichannel
+ exclusion.
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 15469: 'force user = localunixuser' doesn't work if 'allow trusted
+ domains = no' is set.
+ * BUG 15525: smbget debug logging doesn't work.
+ * BUG 15532: smget: username in the smburl and interactive password entry
+ doesn't work.
+ * BUG 15538: smbget auth function doesn't set values for password prompt
+ correctly.
+
+o Martin Schwenke <mschwenke@ddn.com>
+ * BUG 15523: ctdb RELEASE_IP causes a crash in release_ip if a connection to
+ a non-public address disconnects first.
+
+o Shachar Sharon <ssharon@redhat.com>
+ * BUG 15440: Unable to copy and write files from clients to Ceph cluster via
+ SMB Linux gateway with Ceph VFS module.
+
+o Jones Syue <jonessyue@qnap.com>
+ * BUG 15547: Multichannel refresh network information.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+ ==============================
+ Release Notes for Samba 4.19.3
+ November 27, 2023
+ ==============================
+
+
+This is the latest stable release of the Samba 4.19 release series.
+It contains the security-relevant bugfix CVE-2018-14628:
+
+ Wrong ntSecurityDescriptor values for "CN=Deleted Objects"
+ allow read of object tombstones over LDAP
+ (Administrator action required!)
+ https://www.samba.org/samba/security/CVE-2018-14628.html
+
+
+Description of CVE-2018-14628
+-----------------------------
+
+All versions of Samba from 4.0.0 onwards are vulnerable to an
+information leak (compared with the established behaviour of
+Microsoft's Active Directory) when Samba is an Active Directory Domain
+Controller.
+
+When a domain was provisioned with an unpatched Samba version,
+the ntSecurityDescriptor is simply inherited from Domain/Partition-HEAD-Object
+instead of being very strict (as on a Windows provisioned domain).
+
+This means also non privileged users can use the
+LDAP_SERVER_SHOW_DELETED_OID control in order to view,
+the names and preserved attributes of deleted objects.
+
+No information that was hidden before the deletion is visible, but in
+with the correct ntSecurityDescriptor value in place the whole object
+is also not visible without administrative rights.
+
+There is no further vulnerability associated with this error, merely an
+information disclosure.
+
+Action required in order to resolve CVE-2018-14628!
+---------------------------------------------------
+
+The patched Samba does NOT protect existing domains!
+
+The administrator needs to run the following command
+(on only one domain controller)
+in order to apply the protection to an existing domain:
+
+ samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix
+
+The above requires manual interaction in order to review the
+changes before they are applied. Typicall question look like this:
+
+ Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default?
+ Owner mismatch: SY (in ref) DA(in current)
+ Group mismatch: SY (in ref) DA(in current)
+ Part dacl is different between reference and current here is the detail:
+ (A;;LCRPLORC;;;AU) ACE is not present in the reference
+ (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
+ (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
+ (A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
+ (A;;LCRP;;;BA) ACE is not present in the current
+ [y/N/all/none] y
+ Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=samba,DC=org'
+
+The change should be confirmed with 'y' for all objects starting with
+'CN=Deleted Objects'.
+
+
+Changes since 4.19.2
+--------------------
+
+o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+ * BUG 15520: sid_strings test broken by unix epoch > 1700000000.
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 15487: smbd crashes if asked to return full information on close of a
+ stream handle with delete on close disposition set.
+ * BUG 15521: smbd: fix close order of base_fsp and stream_fsp in
+ smb_fname_fsp_destructor().
+
+o Pavel Filipenský <pfilipensky@samba.org>
+ * BUG 15499: Improve logging for failover scenarios.
+
+o Björn Jacke <bj@sernet.de>
+ * BUG 15093: Files without "read attributes" NFS4 ACL permission are not
+ listed in directories.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 13595: CVE-2018-14628 [SECURITY] Deleted Object tombstones visible in
+ AD LDAP to normal users.
+ * BUG 15492: Kerberos TGS-REQ with User2User does not work for normal
+ accounts.
+
+o Christof Schmitt <cs@samba.org>
+ * BUG 15507: vfs_gpfs stat calls fail due to file system permissions.
+
+o Andreas Schneider <asn@samba.org>
+ * BUG 15513: Samba doesn't build with Python 3.12.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+ ==============================
+ Release Notes for Samba 4.19.2
+ October 16, 2023
+ ==============================
+
+
+This is the latest stable release of the Samba 4.19 release series.
+
+
+Changes since 4.19.1
+--------------------
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 15423: Use-after-free in aio_del_req_from_fsp during smbd shutdown
+ after failed IPC FSCTL_PIPE_TRANSCEIVE.
+ * BUG 15426: clidfs.c do_connect() missing a "return" after a cli_shutdown()
+ call.
+
+o Ralph Boehme <slow@samba.org>
+ * BUG 15463: macOS mdfind returns only 50 results.
+
+o Volker Lendecke <vl@samba.org>
+ * BUG 15481: GETREALFILENAME_CACHE can modify incoming new filename with
+ previous cache entry value.
+
+o Stefan Metzmacher <metze@samba.org>
+ * BUG 15464: libnss_winbind causes memory corruption since samba-4.18,
+ impacts sendmail, zabbix, potentially more.
+
+o Martin Schwenke <mschwenke@ddn.com>
+ * BUG 15479: ctdbd: setproctitle not initialized messages flooding logs.
+
+o Joseph Sutton <josephsutton@catalyst.net.nz>
+ * BUG 15491: CVE-2023-5568 Heap buffer overflow with freshness tokens in the
+ Heimdal KDC in Samba 4.19
+ * BUG 15477: The heimdal KDC doesn't detect s4u2self correctly when fast is
+ in use.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
==============================
Release Notes for Samba 4.19.1
October 10, 2023
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
==============================
Release Notes for Samba 4.19.0
September 04, 2023
git.samba.org / metze / samba / wip.git / blobdiff