The branch, v3-5-test has been updated via d9377cc WHATSNEW: Start release notes for 3.5.16. via 5c95d26 VERSION: Bump version number up to 3.5.16. via 3c89d62 Fix self granting privileges in security=ads. via c7a6c29 WHASNEW: Release notes for 3.5.15. from 5118001 docs-xml: fix default name resolve order (fix bug #7564)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test - Log ----------------------------------------------------------------- commit d9377cc6fd0db9fa00ffd6b47cb48036779221ae Author: Karolin Seeger <ksee...@samba.org> Date: Mon Apr 30 20:48:52 2012 +0200 WHATSNEW: Start release notes for 3.5.16. Karolin (cherry picked from commit f28fea98458e0b3c3510f02b98177e8c46c12d3c) commit 5c95d266b596536adf674f5f40b63e3cc29fd236 Author: Karolin Seeger <ksee...@samba.org> Date: Mon Apr 30 20:46:52 2012 +0200 VERSION: Bump version number up to 3.5.16. Karolin (cherry picked from commit 452e5d110fa64f0e10cbce19bac0efbd5f0931e0) commit 3c89d625a1c1d29b60b390f59cca887f16984db7 Author: Jeremy Allison <j...@samba.org> Date: Tue Apr 17 11:49:55 2012 -0700 Fix self granting privileges in security=ads. CVE-2012-2111 (cherry picked from commit b1061ab00f59fdf4ebab622ab7a9c29a3aa51eee) commit c7a6c295747c89005e9f278bdc6c952295b139cc Author: Karolin Seeger <ksee...@samba.org> Date: Fri Apr 27 21:09:56 2012 +0200 WHASNEW: Release notes for 3.5.15. Karolin (cherry picked from commit 0b278804b1aa020e03c89e9276408dd7097bb4d2) ----------------------------------------------------------------------- Summary of changes: WHATSNEW.txt | 58 +++++++++++++++++++++++++++++++++++--- source3/VERSION | 2 +- source3/rpc_server/srv_lsa_nt.c | 20 +++++++++---- 3 files changed, 68 insertions(+), 12 deletions(-) Changeset truncated at 500 lines: diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 712748f..3e8711d 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,20 +1,20 @@ ============================== - Release Notes for Samba 3.5.15 + Release Notes for Samba 3.5.16 , 2012 ============================== This is the latest stable release of Samba 3.5. -Major enhancements in Samba 3.5.15 include: +Major enhancements in Samba 3.5.16 include: -o +o -Changes since 3.5.14: +Changes since 3.5.15: --------------------- -o Stefan Metzmacher <me...@samba.org> +o Jeremy Allison <j...@samba.org> ###################################################################### @@ -41,6 +41,54 @@ Release notes for older releases follow: ---------------------------------------- ============================== + Release Notes for Samba 3.5.15 + April 30, 2012 + ============================== + + +This is a security release in order to address +CVE-2012-2111 (Incorrect permission checks when granting/removing +privileges can compromise file server security). + +o CVE-2012-2111: + Samba 3.4.x to 3.6.4 are affected by a + vulnerability that allows arbitrary users + to modify privileges on a file server. + + +Changes since 3.5.14: +--------------------- + + +o Jeremy Allison <j...@samba.org> + * Fix incorrect permission checks when granting/removing + privileges (CVE-2012-2111). + + +###################################################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 3.5 product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +---------------------------------------------------------------------- + + + ============================== Release Notes for Samba 3.5.14 April 10, 2012 ============================== diff --git a/source3/VERSION b/source3/VERSION index efb2c88..53fad4d 100644 --- a/source3/VERSION +++ b/source3/VERSION @@ -25,7 +25,7 @@ ######################################################## SAMBA_VERSION_MAJOR=3 SAMBA_VERSION_MINOR=5 -SAMBA_VERSION_RELEASE=15 +SAMBA_VERSION_RELEASE=16 ######################################################## # Bug fix releases use a letter for the patch revision # diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c index e903f0e..b9ea2d2 100644 --- a/source3/rpc_server/srv_lsa_nt.c +++ b/source3/rpc_server/srv_lsa_nt.c @@ -1691,6 +1691,10 @@ NTSTATUS _lsa_CreateAccount(pipes_struct *p, struct lsa_info *handle; struct lsa_info *info; uint32_t acc_granted; + uint32_t owner_access = (LSA_ACCOUNT_ALL_ACCESS & + ~(LSA_ACCOUNT_ADJUST_PRIVILEGES| + LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS| + STD_RIGHT_DELETE_ACCESS)); struct security_descriptor *psd; size_t sd_size; @@ -1718,7 +1722,7 @@ NTSTATUS _lsa_CreateAccount(pipes_struct *p, status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size, &lsa_account_mapping, - r->in.sid, LSA_POLICY_ALL_ACCESS); + r->in.sid, owner_access); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -1764,6 +1768,10 @@ NTSTATUS _lsa_OpenAccount(pipes_struct *p, size_t sd_size; uint32_t des_access = r->in.access_mask; uint32_t acc_granted; + uint32_t owner_access = (LSA_ACCOUNT_ALL_ACCESS & + ~(LSA_ACCOUNT_ADJUST_PRIVILEGES| + LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS| + STD_RIGHT_DELETE_ACCESS)); NTSTATUS status; /* find the connection policy handle. */ @@ -1788,7 +1796,7 @@ NTSTATUS _lsa_OpenAccount(pipes_struct *p, /* get the generic lsa account SD until we store it */ status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size, &lsa_account_mapping, - r->in.sid, LSA_ACCOUNT_ALL_ACCESS); + r->in.sid, owner_access); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -2174,10 +2182,10 @@ NTSTATUS _lsa_AddAccountRights(pipes_struct *p, return NT_STATUS_INVALID_HANDLE; } - /* get the generic lsa account SD for this SID until we store it */ + /* get the generic lsa account SD until we store it */ status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size, &lsa_account_mapping, - r->in.sid, LSA_ACCOUNT_ALL_ACCESS); + NULL, 0); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -2245,10 +2253,10 @@ NTSTATUS _lsa_RemoveAccountRights(pipes_struct *p, return NT_STATUS_INVALID_HANDLE; } - /* get the generic lsa account SD for this SID until we store it */ + /* get the generic lsa account SD until we store it */ status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size, &lsa_account_mapping, - r->in.sid, LSA_ACCOUNT_ALL_ACCESS); + NULL, 0); if (!NT_STATUS_IS_OK(status)) { return status; } -- Samba Shared Repository