The branch, master has been updated
       via  4c18f0f NEWS[4.6.8]: Samba 4.6.8, 4.5.14 and 4.4.16 Available for Download
      from  7f6aa86 NEWS[4.7.0rc6]: Samba 4.7.0rc6 Available for Download
https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 4c18f0f75b7e8bb912a8f0d2260c753a127dff70 Author: Karolin Seeger <ksee...@samba.org> Date: Wed Sep 13 13:09:28 2017 -0700 NEWS[4.6.8]: Samba 4.6.8, 4.5.14 and 4.4.16 Available for Download Signed-off-by: Karolin Seeger <ksee...@samba.org> ----------------------------------------------------------------------- Summary of changes: history/header_history.html | 5 +- history/samba-4.6.8.html | 79 ++++++++++++++++++++++++ history/security.html | 21 +++++++ posted_news/20170920-071640.4.6.8.body.html | 26 ++++++++ posted_news/20170920-071640.4.6.8.headline.html | 3 + security/CVE-2017-12150.html | 76 +++++++++++++++++++++++ security/CVE-2017-12151.html | 80 +++++++++++++++++++++++++ security/CVE-2017-12163.html | 75 +++++++++++++++++++++++ 8 files changed, 364 insertions(+), 1 deletion(-) create mode 100644 history/samba-4.6.8.html create mode 100644 posted_news/20170920-071640.4.6.8.body.html create mode 100644 posted_news/20170920-071640.4.6.8.headline.html create mode 100644 security/CVE-2017-12150.html create mode 100644 security/CVE-2017-12151.html create mode 100644 security/CVE-2017-12163.html Changeset truncated at 500 lines: diff --git a/history/header_history.html b/history/header_history.html index 1f66566..995c08a 100755 --- a/history/header_history.html +++ b/history/header_history.html @@ -9,6 +9,7 @@ <li><a href="/samba/history/">Release Notes</a> <li class="navSub"> <ul> + <li><a href="samba-4.6.8.html">samba-4.6.8</a></li> <li><a href="samba-4.6.7.html">samba-4.6.7</a></li> <li><a href="samba-4.6.6.html">samba-4.6.6</a></li> <li><a href="samba-4.6.5.html">samba-4.6.5</a></li> 
@@ -17,6 +18,7 @@ <li><a href="samba-4.6.2.html">samba-4.6.2</a></li> <li><a href="samba-4.6.1.html">samba-4.6.1</a></li> <li><a href="samba-4.6.0.html">samba-4.6.0</a></li> + <li><a href="samba-4.5.14.html">samba-4.5.14</a></li> <li><a href="samba-4.5.13.html">samba-4.5.13</a></li> <li><a href="samba-4.5.12.html">samba-4.5.12</a></li> <li><a href="samba-4.5.11.html">samba-4.5.11</a></li> @@ -31,7 +33,8 @@ <li><a href="samba-4.5.2.html">samba-4.5.2</a></li> <li><a href="samba-4.5.1.html">samba-4.5.1</a></li> <li><a href="samba-4.5.0.html">samba-4.5.0</a></li> - <li><a href="samba-4.4.14.html">samba-4.4.15</a></li> + <li><a href="samba-4.4.16.html">samba-4.4.16</a></li> + <li><a href="samba-4.4.15.html">samba-4.4.15</a></li> <li><a href="samba-4.4.14.html">samba-4.4.14</a></li> <li><a href="samba-4.4.13.html">samba-4.4.13</a></li> <li><a href="samba-4.4.12.html">samba-4.4.12</a></li> diff --git a/history/samba-4.6.8.html b/history/samba-4.6.8.html new file mode 100644 index 0000000..cfd082b --- /dev/null +++ b/history/samba-4.6.8.html 
@@ -0,0 +1,79 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.6.8 - Release Notes</title> +</head> +<body> +<H2>Samba 4.6.8 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.6.8.tar.gz">Samba 4.6.8 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.6.8.tar.asc">Signature</a> +</p> +<p> +<a href="https://download.samba.org/pub/samba/patches/samba-4.6.7-4.6.8.diffs.gz">Patch (gzipped) against Samba 4.6.7</a><br> +<a href="https://download.samba.org/pub/samba/patches/samba-4.6.7-4.6.8.diffs.asc">Signature</a> +</p> +<p> +<pre> + ============================= + Release Notes for Samba 4.6.8 + September 20, 2017 + ============================= + + +This is a security release in order to address the following defects: + +o CVE-2017-12150 (SMB1/2/3 connections may not require signing where they + should) +o CVE-2017-12151 (SMB3 connections don't keep encryption across DFS redirects) +o CVE-2017-12163 (Server memory information leak over SMB1) + + +======= +Details +======= + +o CVE-2017-12150: + A man in the middle attack may hijack client connections. + +o CVE-2017-12151: + A man in the middle attack can read and may alter confidential + documents transferred via a client connection, which are reached + via DFS redirect when the original connection used SMB3. + +o CVE-2017-12163: + Client with write access to a share can cause server memory contents to be + written into a file or printer. 
+ +For more details and workarounds, please see the security advisories: + + o https://www.samba.org/samba/security/CVE-2017-12150.html + o https://www.samba.org/samba/security/CVE-2017-12151.html + o https://www.samba.org/samba/security/CVE-2017-12163.html + + +Changes since 4.6.7: +-------------------- + +o Jeremy Allison <j...@samba.org> + * BUG 12836: s3: smbd: Fix a read after free if a chained SMB1 call goes + async. + * BUG 13020: CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from + writing server memory to file. + +o Ralph Boehme <s...@samba.org> + * BUG 12885: s3/smbd: Let non_widelink_open() chdir() to directories + directly. + +o Stefan Metzmacher <me...@samba.org> + * BUG 12996: CVE-2017-12151: Keep required encryption across SMB3 dfs + redirects. + * BUG 12997: CVE-2017-12150: Some code path don't enforce smb signing + when they should. + + +</pre> +</p> +</body> +</html> diff --git a/history/security.html b/history/security.html index 8f8dd63..44c33cc 100755 --- a/history/security.html +++ b/history/security.html 
@@ -22,6 +22,27 @@ link to full release notes for each release.</p> </tr> <tr> + <td>20 Sep 2017</td> + <td><a href="/samba/ftp/patches/security/samba-4.6.7-security-2017-09-20.patch"> + patch for Samba 4.6.7</a><br /> + <a href="/samba/ftp/patches/security/samba-4.5.13-security-2017-09-20.patch"> + patch for Samba 4.5.13</a><br /> + <a href="/samba/ftp/patches/security/samba-4.4.15-security-2017-09-20.patch"> + patch for Samba 4.4.15</a><br /> + <td>Numerous CVEs. Please see the announcements for details. + </td> + <td>please refer to the advisories</td> + <td><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12150">CVE-2017-12150</a>, + <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12151">CVE-2017-12151</a>, + <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12163">CVE-2017-12163</a> + </td> + <td><a href="/samba/security/CVE-2017-12150.html">Announcement</a>, + <a href="/samba/security/CVE-2017-12151.html">Announcement</a>, + <a href="/samba/security/CVE-2017-12163.html">Announcement</a> + </td> + </tr> + + <tr> <td>12 July 2017</td> <td><a href="/samba/ftp/patches/security/samba-4.x.y-CVE-2017-11103.patch"> patch for Samba 4.x.y</a><br /> diff --git a/posted_news/20170920-071640.4.6.8.body.html b/posted_news/20170920-071640.4.6.8.body.html new file mode 100644 index 0000000..b80d820 --- /dev/null +++ b/posted_news/20170920-071640.4.6.8.body.html 
@@ -0,0 +1,26 @@ +<!-- BEGIN: posted_news/20170920-071640.4.6.8.body.html --> +<h5><a name="4.6.8">20 September 2017</a></h5> +<p class=headline>Samba 4.6.8, 4.5.14 and 4.4.16 Security Releases Available</p> +<p> +This is a security release in order to address the following defects:<ul> +<li><a href="/samba/security/CVE-2017-12150.html">CVE-2017-12150</a> +(SMB1/2/3 connections may not require signing where they should) +<li><a href="/samba/security/CVE-2017-12151.html">CVE-2017-12151</a> +(SMB3 connections don't keep encryption across DFS redirects) +<li><a href="/samba/security/CVE-2017-12163.html">CVE-2017-12163</a> +(CVE-2017-12163 (Server memory information leak over SMB1) +</ul> +</p> +<p> +The uncompressed tarballs have been signed using GnuPG (ID 6F33915B6568B7EA).<br> +The 4.6.8 source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.6.8.tar.gz">downloaded now</a>. +A <a href="https://download.samba.org/pub/samba/patches/samba-4.6.7-4.6.8.diffs.gz">patch against Samba 4.6.7</a> is also available. +See <a href="https://www.samba.org/samba/history/samba-4.6.8.html">the 4.6.8 release notes for more info</a>.<br> +The 4.5.14 source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.5.14.tar.gz">downloaded now</a>. +A <a href="https://download.samba.org/pub/samba/patches/samba-4.5.13-4.5.14.diffs.gz">patch against Samba 4.5.13</a> is also available. +See <a href="https://www.samba.org/samba/history/samba-4.5.14.html">the 4.5.14 release notes for more info</a>.<br> +The 4.4.16 source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.4.16.tar.gz">downloaded now</a>. +A <a href="https://download.samba.org/pub/samba/patches/samba-4.4.15-4.4.16.diffs.gz">patch against Samba 4.4.15</a> is also available. +See <a href="https://www.samba.org/samba/history/samba-4.4.16.html">the 4.4.16 release notes for more info</a>. +</p> +<!-- END: posted_news/20170920-071640.4.6.8.body.html --> 
diff --git a/posted_news/20170920-071640.4.6.8.headline.html b/posted_news/20170920-071640.4.6.8.headline.html new file mode 100644 index 0000000..2958683 --- /dev/null +++ b/posted_news/20170920-071640.4.6.8.headline.html @@ -0,0 +1,3 @@ +<!-- BEGIN: posted_news/20170920-071640.4.6.8.headline.html --> +<li> 20 September 2017 <a href="#4.6.8">Samba 4.6.8, 4.5.14 and 4.4.16 Security Releases Available</a></li> +<!-- END: posted_news/20170920-071640.4.6.8.headline.html --> diff --git a/security/CVE-2017-12150.html b/security/CVE-2017-12150.html new file mode 100644 index 0000000..e885bd0 --- /dev/null +++ b/security/CVE-2017-12150.html 
@@ -0,0 +1,76 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> + +<head> +<title>Samba - Security Announcement Archive</title> +</head> + +<body> + + <H2>CVE-2017-12150.html:</H2> + +<p> +<pre> +=============================================================================== +== Subject: SMB1/2/3 connections may not require signing where they should +== +== CVE ID#: CVE-2017-12150 +== +== Versions: Samba 3.0.25 to 4.6.7 +== +== Summary: A man in the middle attack may hijack client connections. +== +=============================================================================== + +=========== +Description +=========== + +There are several code paths where the code doesn't enforce SMB signing: + +* The fixes for CVE-2015-5296 didn't apply the implied signing protection + when enforcing encryption for commands like 'smb2mount -e', 'smbcacls -e' and + 'smbcquotas -e'. + +* The python binding exported as 'samba.samba3.libsmb_samba_internal' + doesn't make use of the "client signing" smb.conf option. + +* libgpo as well as 'net ads gpo' doesn't require SMB signing when fetching + group policies. + +* Commandline tools like 'smbclient', 'smbcacls' and 'smbcquotas' allow + a fallback to an anonymous connection when using the '--use-ccache' + option and this happens even if SMB signing is required. + +================== +Patch Availability +================== + +A patch addressing this defect has been posted to + + https://www.samba.org/samba/security/ + +Additionally 4.6.8, 4.5.14 and 4.4.16 have been issued as +security releases to correct the defect. Samba vendors and administrators +running affected versions are advised to upgrade or apply the patch as +soon as possible. 
+ +========== +Workaround +========== + +The missing implied signing for 'smb2mount -e', 'smbcacls -e' and +'smbcquotas -e' can be enforced by explicitly using '--signing=required' +on the commandline or "client signing = required" in smb.conf. + +======= +Credits +======= + +This vulnerability was discovered and researched by Stefan Metzmacher of +SerNet (https://samba.plus) and the Samba Team (https://www.samba.org), +who also provides the fixes. +</pre> +</body> +</html> diff --git a/security/CVE-2017-12151.html b/security/CVE-2017-12151.html new file mode 100644 index 0000000..e42a3eb --- /dev/null +++ b/security/CVE-2017-12151.html 
@@ -0,0 +1,80 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> + +<head> +<title>Samba - Security Announcement Archive</title> +</head> + +<body> + + <H2>CVE-2017-12151.html:</H2> + +<p> +<pre> +=============================================================================== +== Subject: SMB3 connections don't keep encryption across DFS redirects +== +== CVE ID#: CVE-2017-12151 +== +== Versions: Samba 4.1.0 to 4.6.7 +== +== Summary: A man in the middle attack can read and may alter confidential +== documents transferred via a client connection, which are reached +== via DFS redirect when the original connection used SMB3. +== +================================================================================ + +=========== +Description +=========== + +Client command line tools like 'smbclient' as well as applications +using 'libsmbclient' library have support for requiring +encryption. This is activated by the '-e|--encrypt' command line +option or the smbc_setOptionSmbEncryptionLevel() library call. + +By default, only SMB1 is used in order to connect to a server, as the +effective default for "client max protocol" smb.conf option as well +for the "-m|--max-protocol=" command line option is "NT1". + +If the original client connection used encryption, following DFS +redirects to another server should also enforce encryption. This is +important as these redirects are transparent to the application. + +In the case where "SMB3", "SMB3_00", "SMB3_02", "SMB3_10" or "SMB3_11" +was used as max protocol and a connection actually made use of the +SMB3 encryption, any redirected connection would lose the requirement +for encryption and also the requirement for signing. That means, a +man in the middle could read and/or alter the content of the +connection. 
+ +================== +Patch Availability +================== + +A patch addressing this defect has been posted to + + https://www.samba.org/samba/security/ + +Additionally, Samba 4.6.8, 4.5.14 and 4.4.16 have been issued as +security releases to correct the defect. Samba vendors and +administrators running affected versions are advised to upgrade or +apply the patch as soon as possible. + +========== +Workaround +========== + +Keep the default of "client max protocol = NT1". + +======= +Credits +======= + +This vulnerability was discovered and researched by Stefan Metzmacher +of SerNet (https://samba.plus) and the Samba Team +(https://www.samba.org), who also provides the fixes. +</pre> +</body> +</html> diff --git a/security/CVE-2017-12163.html b/security/CVE-2017-12163.html new file mode 100644 index 0000000..6944c5d --- /dev/null +++ b/security/CVE-2017-12163.html 
@@ -0,0 +1,75 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> + +<head> +<title>Samba - Security Announcement Archive</title> +</head> + +<body> + + <H2>CVE-2017-12163.html:</H2> + +<p> +<pre> +==================================================================== +== Subject: Server memory information leak over SMB1 +== +== CVE ID#: CVE-2017-12163 +== +== Versions: All versions of Samba. +== +== Summary: Client with write access to a share can cause +== server memory contents to be written into a file +== or printer. +== +==================================================================== + +=========== +Description +=========== + +All versions of Samba are vulnerable to a server memory information +leak bug over SMB1 if a client can write data to a share. Some SMB1 +write requests were not correctly range checked to ensure the client +had sent enough data to fulfill the write, allowing server memory +contents to be written into the file (or printer) instead of client +supplied data. The client cannot control the area of the server memory +that is written to the file (or printer). + +================== +Patch Availability +================== + +A patch addressing this defect has been posted to + + http://www.samba.org/samba/security/ + +Additionally, Samba 4.6.8, 4.5.14 and 4.4.16 have been issued as +security releases to correct the defect. Patches against older Samba +versions are available at http://samba.org/samba/patches/. Samba +vendors and administrators running affected versions are advised to +upgrade or apply the patch as soon as possible. + +========== +Workaround +========== + +As this is an SMB1-only vulnerability, it can be avoided by setting +the server to only use SMB2 via adding: + +server min protocol = SMB2_02 + +to the [global] section of your smb.conf and restarting smbd. 
+ +======= +Credits +======= + +This problem was reported by Yihan Lian and Zhibin Hu, security +researchers with Qihoo 360 GearTeam. Stefan Metzmacher of SerNet and the +Samba Team and Jeremy Allison of Google and the Samba Team provided +the fix. +</pre> +</body> +</html> -- Samba Website Repository
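Review bot: in history/header_history.html the new menu entries point at samba-4.5.14.html and samba-4.4.16.html, and the corrected 4.4.15 entry now points at samba-4.4.15.html, but the summary of changes creates only history/samba-4.6.8.html. Confirm those three release-note pages already exist in the repository or add them in this commit, otherwise the navigation ships dead links for two of the three security releases.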
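Review bot: in history/security.html the first cell of the new row is never closed: the line ending "patch for Samba 4.4.15</a><br />" is followed directly by "<td>Numerous CVEs.", so the description cell nests inside the patch cell. Add a closing </td> after the third patch link. The description "Numerous CVEs" could also name the three issues, since the row already lists exactly CVE-2017-12150, CVE-2017-12151 and CVE-2017-12163.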
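Review bot: in posted_news/20170920-071640.4.6.8.body.html the third list item reads "(CVE-2017-12163 (Server memory information leak over SMB1)", repeating the CVE ID inside the parentheses and leaving one parenthesis unbalanced. It should match the two items above it: "(Server memory information leak over SMB1)".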
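Review bot: the Workaround section of security/CVE-2017-12150.html covers only the first of the four code paths in the Description ('smb2mount -e', 'smbcacls -e', 'smbcquotas -e'). For the python binding, libgpo / 'net ads gpo', and the '--use-ccache' anonymous fallback, the advisory should say explicitly whether a workaround exists or that upgrading is the only fix, so administrators do not assume "client signing = required" protects those paths as well.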
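Review bot: the workaround in security/CVE-2017-12151.html ("Keep the default of "client max protocol = NT1"") conflicts with the workaround published in the same commit for CVE-2017-12163, which sets "server min protocol = SMB2_02". A client capped at NT1 cannot negotiate with a server that refuses SMB1, so the two cannot be applied to the same client/server pair. Add a sentence cross-referencing the other advisory and pointing to the fixed releases for sites that need both.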
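Review bot: the Patch Availability section of security/CVE-2017-12163.html links to http://www.samba.org/samba/security/ and http://samba.org/samba/patches/ over plain HTTP, while the other two advisories in this commit use https://www.samba.org/samba/security/. Switch both URLs to https so that readers fetching a security patch are not sent to an unauthenticated transport. The same file, like the other two advisories, also opens a <p> before <pre> and never closes it, unlike history/samba-4.6.8.html.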