+ <h5><a name="4.1.1">11 November 2013</a></h5>
+ <p class="headline">Samba 4.1.1, 4.0.11 and 3.6.20 <b>Security
+ Releases</b> Available for Download</p>
+ <p>These are security releases in order to address
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4475">CVE-2013-4475</a>
+ (<b>ACLs are not checked on opening an alternate data stream on a file
+ or directory)</b> and
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4476">CVE-2013-4476</a>
+ (<b>Private key in key.pem world readable</b>).
+ </p>
+
+ <p>The uncompressed tarballs and patch files have been signed
+ using GnuPG (ID 6568B7EA).</p>
+ <p>
+ The source code can be downloaded here:
+ <li><a href="http://samba.org/samba/ftp/stable/samba-4.1.1.tar.gz">download
+ Samba 4.1.1</a>,</li>
+ <li><a href="http://samba.org/samba/ftp/stable/samba-4.0.11.tar.gz">download
+ Samba 4.0.11</a>,</li>
+ <li><a href="http://samba.org/samba/ftp/stable/samba-3.6.20.tar.gz">download
+ Samba 3.6.20</a>.</li>
+ </p>
+
<h5><a name="4.1.0">11 October 2013</a></h5>
<p class="headline">Samba 4.1.0 Available for Download</p>
<p>This is the first stable release of the Samba 4.1 series.</p>
<li><a href="http://samba.org/samba/history/samba-3.5.22.html">release notes
Samba 3.5.22</a>.</li>
</p>
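Review bot: the three `<li>` elements at L16-21 sit directly inside the `<p>` opened at L14 with no enclosing `<ul>`, which is invalid XHTML (the same pattern already exists at L27-28, so the new block copies a bug rather than introducing one). Replace the `<p>…</p>` around the download links with `<ul>…</ul>`, keeping the "The source code can be downloaded here:" sentence in its own `<p>` before the list.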
-
- <h5><a name="4.1.0rc1">11 July 2013</a></h5>
- <p class="headline">Samba 4.1.0rc1 Available for Download</p>
- <p>This is the first release candidate of the upcoming Samba 4.1 release series.</p>
-
-<p>The uncompressed tarballs and patch files have been signed
-using GnuPG (ID 6568B7EA). The source code can be
-<a href="https://download.samba.org/pub/samba/rc/samba-4.1.0rc1.tar.gz">downloaded
-now</a>. See <a href="https://download.samba.org/pub/samba/rc/WHATSNEW-4.1.0rc1.txt">the
-release notes for more info</a>.</p>
<ul>
+ <li> 11 November 2013 <a href="#4.1.1">Samba 4.1.1, 4.0.11
+ (CVE-2013-4475 and CVE-2013-4475) and 3.6.20 (CVE-2013-4475)
+ Security Releases Available for Download</a></li>
+
<li> 11 October 2013 <a href="#4.1.0">Samba 4.1.0 Available for Download</a></li>
<li> 08 October 2013 <a href="#4.0.10">Samba 4.0.10 Available for Download</a></li>
<li> 05 August 2013 <a href="#4.0.8">Samba 4.0.8, 3.6.17 and 3.5.22
Security Releases Available for Download (CVE-2013-4124)</a></li>
-
- <li> 11 July 2013 <a href="4.1.0rc1">Samba 4.1.0rc1 Available for
- Download</a></li>
</ul>
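Review bot: L42 lists "(CVE-2013-4475 and CVE-2013-4475)" for 4.0.11; the second identifier should be CVE-2013-4476, matching L8-9. The parenthetical also attaches both CVEs only to 4.0.11, although 4.1.1 fixes both as well; suggest "Samba 4.1.1 and 4.0.11 (CVE-2013-4475 and CVE-2013-4476) and 3.6.20 (CVE-2013-4475)".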
+ <h5><a name="4.1.1">11 November 2013</a></h5>
+ <p class="headline">Samba 4.1.1, 4.0.11 and 3.6.20 <b>Security
+ Releases</b> Available for Download</p>
+ <p>These are security releases in order to address
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4475">CVE-2013-4475</a>
+ (<b>ACLs are not checked on opening an alternate data stream on a file
+ or directory)</b> and
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4476">CVE-2013-4476</a>
+ (<b>Private key in key.pem world readable</b>).
+ </p>
+
+ <p>The uncompressed tarballs and patch files have been signed
+ using GnuPG (ID 6568B7EA).</p>
+ <p>
+ The source code can be downloaded here:
+ <li><a href="http://samba.org/samba/ftp/stable/samba-4.1.1.tar.gz">download
+ Samba 4.1.1</a>,</li>
+ <li><a href="http://samba.org/samba/ftp/stable/samba-4.0.11.tar.gz">download
+ Samba 4.0.11</a>,</li>
+ <li><a href="http://samba.org/samba/ftp/stable/samba-3.6.20.tar.gz">download
+ Samba 3.6.20</a>.</li>
+ </p>
+
+
<h5><a name="4.1.0">11 October 2013</a></h5>
<p class="headline">Samba 4.1.0 Available for Download</p>
<p>This is the first stable release of the Samba 4.1 series.</p>
now</a>. A <a href="http://samba.org/samba/ftp/patches/patch-4.0.10-4.1.0.diffs.gz">
patch against Samba 4.0.10</a> is also available. See
<a href="http://samba.org/samba/history/samba-4.1.0.html"> the release notes
- for more info</a>.</p>
-
- <h5><a name="4.0.10">08 October 2013</a></h5>
- <p class="headline">Samba 4.0.10 Available for Download</p>
- <p>This is the latest stable release of the Samba 4.0 series.</p>
-
-<p>The uncompressed tarballs and patch files have been signed
-using GnuPG (ID 6568B7EA). The source code can be
-<a href="http://samba.org/samba/ftp/stable/samba-4.0.10.tar.gz">downloaded
-now</a>. A <a href="http://samba.org/samba/ftp/patches/patch-4.0.9-4.0.10.diffs.gz">
-patch against Samba 4.0.9</a> is also available. See
-<a href="http://samba.org/samba/history/samba-4.0.10.html"> the release notes
for more info</a>.</p>
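Review bot: the new 4.1.1 entry (L53-74) omits the release-notes and patch links that the neighbouring 4.1.0 entry carries at L80-82, so a reader arriving at the security headline has no path to the samba-4.1.1.html / samba-4.0.11.html / samba-3.6.20.html pages this changeset adds, nor to the security patches. Add a "See the release notes for more info" link per version in the same form as L82, and link the per-version security patches listed on the security page.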
<li class="navSub">
<ul>
<li><a href="/samba/security/CVE-2013-0454.html">CVE-2013-0454</a></li>
+ <li><a href="samba-4.1.1.html">samba-4.1.1</a></li>
<li><a href="samba-4.1.0.html">samba-4.1.0</a></li>
+ <li><a href="samba-4.0.11.html">samba-4.0.11</a></li>
<li><a href="samba-4.0.10.html">samba-4.0.10</a></li>
<li><a href="samba-4.0.9.html">samba-4.0.9</a></li>
<li><a href="samba-4.0.8.html">samba-4.0.8</a></li>
<li><a href="samba-4.0.2.html">samba-4.0.2</a></li>
<li><a href="samba-4.0.1.html">samba-4.0.1</a></li>
<li><a href="samba-4.0.0.html">samba-4.0.0</a></li>
+ <li><a href="samba-3.6.20.html">samba-3.6.20</a></li>
<li><a href="samba-3.6.19.html">samba-3.6.19</a></li>
<li><a href="samba-3.6.18.html">samba-3.6.18</a></li>
<li><a href="samba-3.6.17.html">samba-3.6.17</a></li>
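Review bot: the navSub list carries a per-advisory entry at L98 (CVE-2013-0454) but this hunk adds only the three release-notes links (L99, L101, L108) and no entries for the CVE-2013-4475.html and CVE-2013-4476.html pages created in this changeset; if the list is meant to expose current advisories, add both, otherwise consider dropping the stale 0454 entry for consistency.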
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+ <H2>Samba 3.6.20 Available for Download</H2>
+
+<p>
+<pre>
+ ==============================
+ Release Notes for Samba 3.6.20
+ November 11, 2013
+ ==============================
+
+
+This is a security release in order to address
+CVE-2013-4475 (ACLs are not checked on opening an alternate
+data stream on a file or directory).
+
+o CVE-2013-4475:
+ Samba versions 3.2.0 and above (all versions of 3.2.x, 3.3.x,
+ 3.4.x, 3.5.x, 3.6.x, 4.0.x and 4.1.x) do not check the underlying
+ file or directory ACL when opening an alternate data stream.
+
+ According to the SMB1 and SMB2+ protocols the ACL on an underlying
+ file or directory should control what access is allowed to alternate
+ data streams that are associated with the file or directory.
+
+ By default no version of Samba supports alternate data streams
+ on files or directories.
+
+ Samba can be configured to support alternate data streams by loading
+ either one of two virtual file system modues (VFS) vfs_streams_depot or
+ vfs_streams_xattr supplied with Samba, so this bug only affects Samba
+ servers configured this way.
+
+ To determine if your server is vulnerable, check for the strings
+ "streams_depot" or "streams_xattr" inside your smb.conf configuration
+ file.
+
+
+Changes since 3.6.19:
+---------------------
+
+o Jeremy Allison <jra@samba.org>
+ * BUGs 10234 + 10229: CVE-2013-4475: Fix access check verification on stream
+ files.
+</pre>
+
+</body>
+</html>
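Review bot: "modues" at L150 should be "modules" ("virtual file system modules (VFS)"). Separately, the `<p>` opened at L125 is never closed and wraps a `<pre>`, which the XHTML 1.0 Transitional DOCTYPE at L113 does not allow (block inside inline-content paragraph); drop the `<p>` or close it before the `<pre>`.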
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+ <H2>Samba 4.0.11 Available for Download</H2>
+
+<p>
+<pre>
+ ==============================
+ Release Notes for Samba 4.0.11
+ November 11, 2013
+ ==============================
+
+
+This is a security release in order to address
+CVE-2013-4475 (ACLs are not checked on opening an alternate
+data stream on a file or directory) and
+CVE-2013-4476 (Private key in key.pem world readable).
+
+o CVE-2013-4475:
+ Samba versions 3.2.0 and above (all versions of 3.2.x, 3.3.x,
+ 3.4.x, 3.5.x, 3.6.x, 4.0.x and 4.1.x) do not check the underlying
+ file or directory ACL when opening an alternate data stream.
+
+ According to the SMB1 and SMB2+ protocols the ACL on an underlying
+ file or directory should control what access is allowed to alternate
+ data streams that are associated with the file or directory.
+
+ By default no version of Samba supports alternate data streams
+ on files or directories.
+
+ Samba can be configured to support alternate data streams by loading
+ either one of two virtual file system modues (VFS) vfs_streams_depot or
+ vfs_streams_xattr supplied with Samba, so this bug only affects Samba
+ servers configured this way.
+
+ To determine if your server is vulnerable, check for the strings
+ "streams_depot" or "streams_xattr" inside your smb.conf configuration
+ file.
+
+o CVE-2013-4476:
+ In setups which provide ldap(s) and/or https services, the private
+ key for SSL/TLS encryption might be world readable. This typically
+ happens in active directory domain controller setups.
+
+
+Changes since 4.0.10:
+---------------------
+
+o Jeremy Allison <jra@samba.org>
+ * BUGs 10234 + 10229: CVE-2013-4475: Fix access check verification on stream
+ files.
+
+
+o Björn Baumbach <bb@sernet.de>
+ * BUG 10234: CVE-2013-4476: Private key in key.pem world readable.
+</pre>
+
+</body>
+</html>
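Review bot: bug number 10234 is credited to two different CVEs in the same changelog: L226 lists "BUGs 10234 + 10229" for CVE-2013-4475, and L231 lists "BUG 10234" for CVE-2013-4476. One bug cannot track both issues, so at least one reference is wrong; check bugzilla and correct the number on the CVE-2013-4476 line (or the 4475 line) before release.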
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Release Notes Archive</title>
+</head>
+
+<body>
+
+ <H2>Samba 4.1.1 Available for Download</H2>
+
+<p>
+<pre>
+ =============================
+ Release Notes for Samba 4.1.1
+ November 11, 2013
+ =============================
+
+
+This is a security release in order to address
+CVE-2013-4475 (ACLs are not checked on opening an alternate
+data stream on a file or directory) and
+CVE-2013-4476 (Private key in key.pem world readable).
+
+o CVE-2013-4475:
+ Samba versions 3.2.0 and above (all versions of 3.2.x, 3.3.x,
+ 3.4.x, 3.5.x, 3.6.x, 4.0.x and 4.1.x) do not check the underlying
+ file or directory ACL when opening an alternate data stream.
+
+ According to the SMB1 and SMB2+ protocols the ACL on an underlying
+ file or directory should control what access is allowed to alternate
+ data streams that are associated with the file or directory.
+
+ By default no version of Samba supports alternate data streams
+ on files or directories.
+
+ Samba can be configured to support alternate data streams by loading
+ either one of two virtual file system modues (VFS) vfs_streams_depot or
+ vfs_streams_xattr supplied with Samba, so this bug only affects Samba
+ servers configured this way.
+
+ To determine if your server is vulnerable, check for the strings
+ "streams_depot" or "streams_xattr" inside your smb.conf configuration
+ file.
+
+o CVE-2013-4476:
+ In setups which provide ldap(s) and/or https services, the private
+ key for SSL/TLS encryption might be world readable. This typically
+ happens in active directory domain controller setups.
+
+
+Changes since 4.1.0:
+--------------------
+
+o Jeremy Allison <jra@samba.org>
+ * BUGs 10234 + 10229: CVE-2013-4475: Fix access check verification on stream
+ files.
+
+
+o Björn Baumbach <bb@sernet.de>
+ * BUG 10234: CVE-2013-4476: Private key in key.pem world readable.
+</pre>
+
+</body>
+</html>
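Review bot: L263-265 state that "3.2.0 and above (... 4.0.x and 4.1.x)" are affected, which, printed in the 4.1.1 release notes themselves, reads as though 4.1.1 is still vulnerable; qualify it as "prior to 3.6.20, 4.0.11 and 4.1.1" (the fixed versions the advisory names). The CVE-2013-4476 paragraph at L283-286 gives no version range at all; add "Samba 4.0.0 - 4.0.10 and 4.1.0" so the two entries are parallel.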
<td><em>Details</em></td>
</tr>
+ <tr>
+ <td>11 Nov 2013</td>
+ <td><a href="/samba/ftp/patches/security/samba-4.1.0-CVE-2013-4475-CVE-2013-4476.patch">
+ patch for Samba 4.1.0</a>
+ <a href="/samba/ftp/patches/security/samba-4.0.10-CVE-2013-4475-CVE-2013-4476.patch">
+ patch for Samba 4.0.10</a>
+ <a href="/samba/ftp/patches/security/samba-3.6.19-CVE-2013-4475.patch">
+ patch for Samba 3.6.19</a>
+ <td>ACLs are not checked on opening an alternate data stream on a file
+ or directory, Private key in key.pem world readable.</td>
+ <td>3.2.0 - 4.1.0, 4.0.0 - 4.0.10, 4.1.0</td>
+ <td><a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4475">CVE-2013-4475</a>,
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4476">CVE-2013-4476</a>
+ </td>
+ <td><a href="/samba/security/CVE-2013-4475">Announcement</a>
+ <a href="/samba/security/CVE-2013-4476">Announcement</a>
+ </td>
+ </tr>
+
<tr>
<td>05 Aug 2013</td>
<td><a href="/samba/ftp/patches/security/samba-4.0.7-CVE-2013-4124.patch">
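Review bot: the patch-links `<td>` opened at L307 is never closed before the next `<td>` at L313; add `</td>` after L312. The versions cell at L315, "3.2.0 - 4.1.0, 4.0.0 - 4.0.10, 4.1.0", overlaps and does not say which range belongs to which CVE; suggest "3.2.0 - 4.1.0 (CVE-2013-4475); 4.0.0 - 4.0.10, 4.1.0 (CVE-2013-4476)". The announcement hrefs at L319-320 also lack the ".html" suffix used at L98 and by the new file titles at L346 and L443, so they will 404 unless the server maps extensionless paths.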
<p>
- <a href="/samba/ftp/stable/samba-4.1.0.tar.gz">Samba 4.1.0 (gzipped)</a><br>
- <a href="/samba/history/samba-4.1.0.html">Release Notes</a> ·
- <a href="/samba/ftp/stable/samba-4.1.0.tar.asc">Signature</a>
+ <a href="/samba/ftp/stable/samba-4.1.1.tar.gz">Samba 4.1.1 (gzipped)</a><br>
+ <a href="/samba/history/samba-4.1.1.html">Release Notes</a> ·
+ <a href="/samba/ftp/stable/samba-4.1.1.tar.asc">Signature</a>
</p>
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+ <H2>CVE-2013-4475.html:</H2>
+
+<p>
+<pre>
+===========================================================
+== Subject: ACLs are not checked on opening an alternate
+== data stream on a file or directory.
+==
+== CVE ID#: CVE-2013-4475
+==
+== Versions: All versions of Samba later than 3.2.0
+==
+== Summary: When opening an alternate data stream on a file
+== or directory, any Windows ACL present on that
+== underlying file or directory is not used to
+== control access to the alternate data stream.
+==
+===========================================================
+
+===========
+Description
+===========
+
+Samba versions 3.2.0 and above (all versions of 3.2.x, 3.3.x,
+3.4.x, 3.5.x, 3.6.x, 4.0.x and 4.1.x) do not check the underlying
+file or directory ACL when opening an alternate data stream.
+
+According to the SMB1 and SMB2+ protocols the ACL on an underlying
+file or directory should control what access is allowed to alternate
+data streams that are associated with the file or directory.
+
+By default no version of Samba supports alternate data streams
+on files or directories.
+
+Samba can be configured to support alternate data streams by loading
+either one of two virtual file system modues (VFS) vfs_streams_depot or
+vfs_streams_xattr supplied with Samba, so this bug only affects Samba
+servers configured this way.
+
+To determine if your server is vulnerable, check for the strings
+"streams_depot" or "streams_xattr" inside your smb.conf configuration
+file.
+
+==================
+Patch Availability
+==================
+
+Patches addressing this issue have been posted to:
+
+ http://www.samba.org/samba/security/
+
+Samba versions 3.6.20, 4.0.11, and 4.1.1 have been released to
+address this issue.
+
+==========
+Workaround
+==========
+
+Remove all uses of:
+
+vfs objects = streams_depot
+
+and:
+
+vfs objects = streams_xattr
+
+from the [global] section of your smb.conf file, and from
+all share definitions in your smb.conf file.
+
+=======
+Credits
+=======
+
+This issue was discovered by Hemanth Thummala <hemanth.thummala@gmail.com>,
+and the Samba Team would like to thank Hemanth for bringing this to
+our attention.
+
+Patches provided by Jeremy Allison of the Samba Team.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+</pre>
+</body>
+</html>
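Review bot: the header at L356 says "later than 3.2.0" while the description at L369 says "3.2.0 and above"; pick one so it is clear whether 3.2.0 itself is affected. In the Workaround (L404-413), "vfs objects" is a space-separated list and a real configuration often reads `vfs objects = streams_xattr acl_xattr`, so "remove all uses of `vfs objects = streams_depot`" should say to remove the streams_depot / streams_xattr module names from every `vfs objects` line rather than the whole line, consistent with the string check at L385-387. "modues" at L381 should be "modules".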
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+ <H2>CVE-2013-4476.html:</H2>
+
+<p>
+<pre>
+===========================================================
+== Subject: Private key in key.pem world readable
+==
+== CVE ID#: CVE-2013-4476
+==
+== Versions: Samba 4.0.0 - 4.0.10 (inclusive),
+== Samba 4.1.0 (inclusive)
+==
+== Summary: In setups which provide ldap(s) and/or
+== https services, the private key for SSL/TLS encryption
+== might be world readable. This typically happens in
+== active directory domain controller setups.
+==
+===========================================================
+
+===========
+Description
+===========
+
+Due to incorrect directory and file permissions a local attacker might
+obtain the private key that is used for the SSL/TLS encryption for
+ldaps (including STARTTLS on ldap) and https network traffic.
+
+The attacker is then able to decrypt encrypted network traffic which
+may contain confidential information like passwords.
+
+Note that the http(s) service is not started by default, only if the
+"server services" option contains "web".
+
+The ldap(s) service is only started if Samba is configured as an
+active directory domain controller.
+
+$ samba-tool testparm -v --suppress-prompt | grep 'server role'
+ server role = active directory domain controller
+
+$ samba-tool testparm -v --suppress-prompt | grep 'server service'
+ server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate, dns
+
+$ samba-tool testparm -v --suppress-prompt | grep tls
+ tls enabled = Yes
+ tls keyfile = tls/key.pem
+ tls certfile = tls/cert.pem
+ tls cafile = tls/ca.pem
+ tls crlfile =
+ tls dh params file =
+$ samba-tool testparm -v --suppress-prompt | grep 'private dir'
+ private dir = /var/lib/samba/private
+
+The full path to the keyfile is ${private_dir}/${tls_keyfile},
+e.g. /var/lib/samba/private/tls/key.pem.
+
+The tls certificates are autogenerated and selfsigned on the first
+start of 'samba'. With the unpatched Samba versions the permissions
+typically look like this:
+
+$ ls -lad /var/lib/samba
+drwxr-xr-x 7 root root 4096 Feb 13 2013 /var/lib/samba
+
+$ ls -lad /var/lib/samba/private
+drwxr-xr-x 6 root root 4096 Sep 24 04:00 /var/lib/samba/private
+
+$ ls -la /var/lib/samba/private/tls/
+total 20
+drwxr-xr-x 2 root root 4096 Feb 5 2013 .
+drwxr-xr-x 6 root root 4096 Sep 24 04:00 ..
+-rw-r--r-- 1 root root 985 Feb 5 2013 ca.pem
+-rw-r--r-- 1 root root 985 Feb 5 2013 cert.pem
+-rw-r--r-- 1 root root 883 Feb 5 2013 key.pem
+
+Note: Your vendor/packager might have installed the private directory
+with more restrictive permissions (0750 or 700).
+
+In all cases you should change the permissions of the 'tls' directory
+to 0700.
+
+You should remove ca.pem, cert.pem and key.pem and let a (re)start of
+'samba' take care of autogenerating a new set of files, if you are not
+100% certain that key.pem was protected all the time by parent
+directory permissions.
+
+If you can be 100% certain that key.pem has never been exposed for
+unauthorized access, you may just change its permission to 0600, if
+you really have a good reason to keep the existing keys.
+
+Note: A patched version of Samba will refuse to start if the
+permissions of key.pem are not 0600.
+
+==========
+Workaround
+==========
+
+Follow the instructions for autoregenerating the related files above
+and change the permissions of key.pem to 0600 yourself.
+
+==================
+Patch Availability
+==================
+
+A patch addressing this defect has been posted to
+
+ http://www.samba.org/samba/security/
+
+Additionally, Samba 4.0.11 and 4.1.1 have been issued as security
+releases to correct the defect. Samba vendors and administrators
+running affected versions are advised to upgrade or apply the patch as
+soon as possible or manually apply the workaround.
+
+In the fixed version, samba refuses to start if the permissions of
+/var/lib/samba/private/tls/key.pem are not 0600.
+
+=======
+Credits
+=======
+
+This problem was found by an internal audit of the Samba code by
+Stefan Metzmacher and Björn Baumbach of SerNet.
+
+Patches provided by Björn Baumbach of SerNet.
+</pre>
+</body>
+</html>
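Review bot: the Workaround at L538-539 only tells the reader to chmod key.pem to 0600, but the description at L519-520 also requires the tls directory to be 0700, and an unpatched samba regenerating the files after they are removed will recreate key.pem with the 0644 mode shown at L514; the workaround should repeat the directory chmod and say to re-apply 0600 after regeneration. Minor: "0750 or 700" at L517 should read "0750 or 0700", "(inclusive)" at L453 is meaningless for the single version 4.1.0, and this advisory lacks the "Our Code, Our Bugs, Our Responsibility" signature block that the CVE-2013-4475 page carries at L425-428.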