The branch, master has been updated
       via  6e8322d NEWS[4.7.3]: Samba 4.7.3, 4.6.11 and 4.5.15 Security Releases Available
       via  ae93136 Add security advisories and update sec page.
       via  be7a5ac Add Samba 4.7.3, 4.6.11 and 4.5.15 to the list.
      from  2d46ea3 Add Samba 4.6.10 to the list.
https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 6e8322ded20f63979871331ce2c61bd63210b59e Author: Karolin Seeger <ksee...@samba.org> Date: Mon Nov 20 12:22:06 2017 +0100 NEWS[4.7.3]: Samba 4.7.3, 4.6.11 and 4.5.15 Security Releases Available Signed-off-by: Karolin Seeger <ksee...@samba.org> commit ae931363c7bfbe4dc41164d2bedcba7c8e407b93 Author: Karolin Seeger <ksee...@samba.org> Date: Tue Nov 21 08:54:45 2017 +0100 Add security advisories and update sec page. Signed-off-by: Karolin Seeger <ksee...@samba.org> commit be7a5ac1aa81c9ffe450e69c06c6b6424c275adf Author: Karolin Seeger <ksee...@samba.org> Date: Tue Nov 21 08:42:36 2017 +0100 Add Samba 4.7.3, 4.6.11 and 4.5.15 to the list. Signed-off-by: Karolin Seeger <ksee...@samba.org> ----------------------------------------------------------------------- Summary of changes: history/header_history.html | 3 + history/samba-4.5.15.html | 70 ++++++++++++++++++++++ history/samba-4.6.11.html | 70 ++++++++++++++++++++++ history/samba-4.7.3.html | 70 ++++++++++++++++++++++ history/security.html | 19 ++++++ posted_news/20171121-080701.4.7.3.body.html | 23 +++++++ posted_news/20171121-080701.4.7.3.headline.html | 3 + .../{CVE-2017-7494.html => CVE-2017-14746.html} | 35 +++++------ security/CVE-2017-15275.html | 69 +++++++++++++++++++++ 9 files changed, 345 insertions(+), 17 deletions(-) create mode 100644 history/samba-4.5.15.html create mode 100644 history/samba-4.6.11.html create mode 100644 history/samba-4.7.3.html create mode 100644 posted_news/20171121-080701.4.7.3.body.html create mode 100644 posted_news/20171121-080701.4.7.3.headline.html copy security/{CVE-2017-7494.html => CVE-2017-14746.html} (51%) create mode 100644 security/CVE-2017-15275.html Changeset truncated at 500 lines: diff --git a/history/header_history.html b/history/header_history.html index 10a2a78..fea500a 100755 --- a/history/header_history.html 
+++ b/history/header_history.html @@ -9,9 +9,11 @@ <li><a href="/samba/history/">Release Notes</a> <li class="navSub"> <ul> + <li><a href="samba-4.7.3.html">samba-4.7.3</a></li> <li><a href="samba-4.7.2.html">samba-4.7.2</a></li> <li><a href="samba-4.7.1.html">samba-4.7.1</a></li> <li><a href="samba-4.7.0.html">samba-4.7.0</a></li> + <li><a href="samba-4.6.11.html">samba-4.6.11</a></li> <li><a href="samba-4.6.10.html">samba-4.6.10</a></li> <li><a href="samba-4.6.9.html">samba-4.6.9</a></li> <li><a href="samba-4.6.8.html">samba-4.6.8</a></li> @@ -23,6 +25,7 @@ <li><a href="samba-4.6.2.html">samba-4.6.2</a></li> <li><a href="samba-4.6.1.html">samba-4.6.1</a></li> <li><a href="samba-4.6.0.html">samba-4.6.0</a></li> + <li><a href="samba-4.5.15.html">samba-4.5.15</a></li> <li><a href="samba-4.5.14.html">samba-4.5.14</a></li> <li><a href="samba-4.5.13.html">samba-4.5.13</a></li> <li><a href="samba-4.5.12.html">samba-4.5.12</a></li> diff --git a/history/samba-4.5.15.html b/history/samba-4.5.15.html new file mode 100644 index 0000000..70db7a8 --- /dev/null +++ b/history/samba-4.5.15.html 
@@ -0,0 +1,70 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.5.15 - Release Notes</title> +</head> +<body> +<H2>Samba 4.5.15 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.5.15.tar.gz">Samba 4.5.15 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.5.15.tar.asc">Signature</a> +</p> +<p> +<a href="https://download.samba.org/pub/samba/patches/samba-4.5.14-4.5.15.diffs.gz">Patch (gzipped) against Samba 4.5.14</a><br> +<a href="https://download.samba.org/pub/samba/patches/samba-4.5.14-4.5.15.diffs.asc">Signature</a> +</p> +<p> +<pre> + ============================== + Release Notes for Samba 4.5.15 + November 21, 2017 + ============================== + + +This is a security release in order to address the following defects: + +o CVE-2017-14746 (Use-after-free vulnerability.) +o CVE-2017-15275 (Server heap memory information leak.) + + +======= +Details +======= + +o CVE-2017-14746: + All versions of Samba from 4.0.0 onwards are vulnerable to a use after + free vulnerability, where a malicious SMB1 request can be used to + control the contents of heap memory via a deallocated heap pointer. It + is possible this may be used to compromise the SMB server. + +o CVE-2017-15275: + All versions of Samba from 3.6.0 onwards are vulnerable to a heap + memory information leak, where server allocated heap memory may be + returned to the client without being cleared. + + There is no known vulnerability associated with this error, but + uncleared heap memory may contain previously used data that may help + an attacker compromise the server via other methods. Uncleared heap + memory may potentially contain password hashes or other high-value + data. 
+ +For more details and workarounds, please see the security advisories: + + o https://www.samba.org/samba/security/CVE-2017-14746.html + o https://www.samba.org/samba/security/CVE-2017-15275.html + + +Changes since 4.5.14: +--------------------- + +o Jeremy Allison <j...@samba.org> + * BUG 13041: CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug. + * BUG 13077: CVE-2017-15275: s3: smbd: Chain code can return uninitialized + memory when talloc buffer is grown. + + +</pre> +</p> +</body> +</html> diff --git a/history/samba-4.6.11.html b/history/samba-4.6.11.html new file mode 100644 index 0000000..1119628 --- /dev/null +++ b/history/samba-4.6.11.html 
@@ -0,0 +1,70 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.6.11 - Release Notes</title> +</head> +<body> +<H2>Samba 4.6.11 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.6.11.tar.gz">Samba 4.6.11 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.6.11.tar.asc">Signature</a> +</p> +<p> +<a href="https://download.samba.org/pub/samba/patches/samba-4.6.10-4.6.11.diffs.gz">Patch (gzipped) against Samba 4.6.10</a><br> +<a href="https://download.samba.org/pub/samba/patches/samba-4.6.10-4.6.11.diffs.asc">Signature</a> +</p> +<p> +<pre> + ============================== + Release Notes for Samba 4.6.11 + November 21, 2017 + ============================= + + +This is a security release in order to address the following defects: + +o CVE-2017-14746 (Use-after-free vulnerability.) +o CVE-2017-15275 (Server heap memory information leak.) + + +======= +Details +======= + +o CVE-2017-14746: + All versions of Samba from 4.0.0 onwards are vulnerable to a use after + free vulnerability, where a malicious SMB1 request can be used to + control the contents of heap memory via a deallocated heap pointer. It + is possible this may be used to compromise the SMB server. + +o CVE-2017-15275: + All versions of Samba from 3.6.0 onwards are vulnerable to a heap + memory information leak, where server allocated heap memory may be + returned to the client without being cleared. + + There is no known vulnerability associated with this error, but + uncleared heap memory may contain previously used data that may help + an attacker compromise the server via other methods. Uncleared heap + memory may potentially contain password hashes or other high-value + data. 
+ +For more details and workarounds, please see the security advisories: + + o https://www.samba.org/samba/security/CVE-2017-14746.html + o https://www.samba.org/samba/security/CVE-2017-15275.html + + +Changes since 4.6.10: +--------------------- + +o Jeremy Allison <j...@samba.org> + * BUG 13041: CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug. + * BUG 13077: CVE-2017-15275: s3: smbd: Chain code can return uninitialized + memory when talloc buffer is grown. + + +</pre> +</p> +</body> +</html> diff --git a/history/samba-4.7.3.html b/history/samba-4.7.3.html new file mode 100644 index 0000000..a0ccda4 --- /dev/null +++ b/history/samba-4.7.3.html 
@@ -0,0 +1,70 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.7.3 - Release Notes</title> +</head> +<body> +<H2>Samba 4.7.3 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.7.3.tar.gz">Samba 4.7.3 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.7.3.tar.asc">Signature</a> +</p> +<p> +<a href="https://download.samba.org/pub/samba/patches/samba-4.7.2-4.7.3.diffs.gz">Patch (gzipped) against Samba 4.7.2</a><br> +<a href="https://download.samba.org/pub/samba/patches/samba-4.7.2-4.7.3.diffs.asc">Signature</a> +</p> +<p> +<pre> + ============================= + Release Notes for Samba 4.7.3 + November 21, 2017 + ============================= + + +This is a security release in order to address the following defects: + +o CVE-2017-14746 (Use-after-free vulnerability.) +o CVE-2017-15275 (Server heap memory information leak.) + + +======= +Details +======= + +o CVE-2017-14746: + All versions of Samba from 4.0.0 onwards are vulnerable to a use after + free vulnerability, where a malicious SMB1 request can be used to + control the contents of heap memory via a deallocated heap pointer. It + is possible this may be used to compromise the SMB server. + +o CVE-2017-15275: + All versions of Samba from 3.6.0 onwards are vulnerable to a heap + memory information leak, where server allocated heap memory may be + returned to the client without being cleared. + + There is no known vulnerability associated with this error, but + uncleared heap memory may contain previously used data that may help + an attacker compromise the server via other methods. Uncleared heap + memory may potentially contain password hashes or other high-value + data. 
+ +For more details and workarounds, please see the security advisories: + + o https://www.samba.org/samba/security/CVE-2017-14746.html + o https://www.samba.org/samba/security/CVE-2017-15275.html + + +Changes since 4.7.2: +-------------------- + +o Jeremy Allison <j...@samba.org> + * BUG 13041: CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug. + * BUG 13077: CVE-2017-15275: s3: smbd: Chain code can return uninitialized + memory when talloc buffer is grown. + + +</pre> +</p> +</body> +</html> diff --git a/history/security.html b/history/security.html index 44c33cc..79958ea 100755 --- a/history/security.html +++ b/history/security.html @@ -22,6 +22,25 @@ link to full release notes for each release.</p> </tr> <tr> + <td>21 Nov 2017</td> + <td><a href="/samba/ftp/patches/security/samba-4.7.2-security-2017-11-21.patch"> + patch for Samba 4.7.2</a><br /> + <a href="/samba/ftp/patches/security/samba-4.6.10-security-2017-11-21.patch"> + patch for Samba 4.6.10</a><br /> + <a href="/samba/ftp/patches/security/samba-4.5.14-security-2017-11-21.patch"> + patch for Samba 4.5.14</a><br /> + <td>Numerous CVEs. Please see the announcements for details. + </td> + <td>please refer to the advisories</td> + <td><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14746">CVE-2017-14746</a>, + <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15275">CVE-2017-15275</a> + </td> + <td><a href="/samba/security/CVE-2017-14746.html">Announcement</a>, + <a href="/samba/security/CVE-2017-15275.html">Announcement</a> + </td> + </tr> + + <tr> <td>20 Sep 2017</td> <td><a href="/samba/ftp/patches/security/samba-4.6.7-security-2017-09-20.patch"> patch for Samba 4.6.7</a><br /> diff --git a/posted_news/20171121-080701.4.7.3.body.html b/posted_news/20171121-080701.4.7.3.body.html new file mode 100644 index 0000000..c9d9bec --- /dev/null +++ b/posted_news/20171121-080701.4.7.3.body.html 
@@ -0,0 +1,23 @@ +<!-- BEGIN: posted_news/20171121-080701.4.7.3.body.html --> +<h5><a name="4.7.3">21 November 2017</a></h5> +<p class=headline>Samba 4.7.3, 4.6.11 and 4.5.15 Security Releases Available for Download</p> +<p> +These are security releases in order to address +<a href="/samba/security/CVE-2017-14746.html">CVE-2017-14746</a> +(Use-after-free vulnerability) and <a href="/samba/security/CVE-2017-15275.html">CVE-2017-15275</a> (Server heap memory information leak). +</p> +<p> +The uncompressed tarballs have been signed using GnuPG (ID 6F33915B6568B7EA). + +The 4.7.3 source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.7.3.tar.gz">downloaded now</a>. +A <a href="https://download.samba.org/pub/samba/patches/samba-4.7.2-4.7.3.diffs.gz">patch against Samba 4.7.2</a> is also available. +See <a href="https://www.samba.org/samba/history/samba-4.7.3.html">the release notes for more info</a>. +<br> +The 4.6.11 source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.6.11.tar.gz">downloaded now</a>. +A <a href="https://download.samba.org/pub/samba/patches/samba-4.6.10-4.6.11.diffs.gz">patch against Samba 4.6.10</a> is also available. +See <a href="https://www.samba.org/samba/history/samba-4.6.11.html">the release notes for more info</a>. +<br> +The 4.5.15 source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.5.15.tar.gz">downloaded now</a>. +A <a href="https://download.samba.org/pub/samba/patches/samba-4.5.14-4.5.15.diffs.gz">patch against Samba 4.5.14</a> is also available. +See <a href="https://www.samba.org/samba/history/samba-4.5.15.html">the release notes for more info</a>. +<!-- END: posted_news/20171121-080701.4.7.3.body.html --> diff --git a/posted_news/20171121-080701.4.7.3.headline.html b/posted_news/20171121-080701.4.7.3.headline.html new file mode 100644 index 0000000..a155e4b --- /dev/null +++ b/posted_news/20171121-080701.4.7.3.headline.html 
@@ -0,0 +1,3 @@ +<!-- BEGIN: posted_news/20171121-080701.4.7.3.headline.html --> +<li> 21 November 2017 <a href="#4.7.3">Samba 4.7.3, 4.6.11 and 4.5.15 Security Releases Available for Download</a></li> +<!-- END: posted_news/20171121-080701.4.7.3.headline.html --> diff --git a/security/CVE-2017-7494.html b/security/CVE-2017-14746.html similarity index 51% copy from security/CVE-2017-7494.html copy to security/CVE-2017-14746.html index 0b85dac..57e92ea 100644 --- a/security/CVE-2017-7494.html +++ b/security/CVE-2017-14746.html @@ -8,19 +8,19 @@ <body> - <H2>CVE-2017-7494.html:</H2> + <H2>CVE-2017-14746.html:</H2> <p> <pre> ==================================================================== -== Subject: Remote code execution from a writable share. +== Subject: Use-after-free vulnerability. == -== CVE ID#: CVE-2017-7494 +== CVE ID#: CVE-2017-14746 == -== Versions: All versions of Samba from 3.5.0 onwards. +== Versions: All versions of Samba from 4.0.0 onwards. == -== Summary: Malicious clients can upload and cause the smbd server -== to execute a shared library from a writable share. +== Summary: A client may use an SMB1 request to manipulate +== the contents of heap space. == ==================================================================== @@ -28,10 +28,10 @@ Description =========== -All versions of Samba from 3.5.0 onwards are vulnerable to a remote -code execution vulnerability, allowing a malicious client to upload a -shared library to a writable share, and then cause the server to load -and execute it. +All versions of Samba from 4.0.0 onwards are vulnerable to a use after +free vulnerability, where a malicious SMB1 request can be used to +control the contents of heap memory via a deallocated heap pointer. It +is possible this may be used to compromise the SMB server. ================== Patch Availability 
@@ -41,7 +41,7 @@ A patch addressing this defect has been posted to http://www.samba.org/samba/security/ -Additionally, Samba 4.6.4, 4.5.10 and 4.4.14 have been issued as +Additionally, Samba 4.7.3, 4.6.11 and 4.5.15 have been issued as security releases to correct the defect. Patches against older Samba versions are available at http://samba.org/samba/patches/. Samba vendors and administrators running affected versions are advised to @@ -51,20 +51,21 @@ upgrade or apply the patch as soon as possible. Workaround ========== -Add the parameter: +Prevent SMB1 access to the server by setting the parameter: -nt pipe support = no +server min protocol = SMB2 to the [global] section of your smb.conf and restart smbd. This -prevents clients from accessing any named pipe endpoints. Note this -can disable some expected functionality for Windows clients. +prevents and SMB1 access to the server. Note this could cause older +clients to be unable to connect to the server. ======= Credits ======= -This problem was found by steelo <knownste...@gmail.com>. Volker -Lendecke of SerNet and the Samba Team provided the fix. +This problem was found by Yihan Lian and Zhibin Hu of Qihoo 360 +GearTeam. Jeremy Allison of Google and the Samba Team provided the +fix. </pre> </body> </html> diff --git a/security/CVE-2017-15275.html b/security/CVE-2017-15275.html new file mode 100644 index 0000000..7f70669 --- /dev/null +++ b/security/CVE-2017-15275.html 
@@ -0,0 +1,69 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> + +<head> +<title>Samba - Security Announcement Archive</title> +</head> + +<body> + + <H2>CVE-2017-15275.html:</H2> + +<p> +<pre> +==================================================================== +== Subject: Server heap memory information leak. +== +== CVE ID#: CVE-2017-15275 +== +== Versions: All versions of Samba from 3.6.0 onwards. +== +== Summary: The server may return the contents of heap +== allocated memory to the client. +== +==================================================================== + +=========== +Description +=========== + +All versions of Samba from 3.6.0 onwards are vulnerable to a heap +memory information leak, where server allocated heap memory may be +returned to the client without being cleared. + +There is no known vulnerability associated with this error, but +uncleared heap memory may contain previously used data that may help +an attacker compromise the server via other methods. Uncleared heap +memory may potentially contain password hashes or other high-value +data. + +================== +Patch Availability +================== + +A patch addressing this defect has been posted to + + http://www.samba.org/samba/security/ + +Additionally, Samba 4.7.3, 4.6.11 and 4.5.15 have been issued as +security releases to correct the defect. Patches against older Samba +versions are available at http://samba.org/samba/patches/. Samba +vendors and administrators running affected versions are advised to +upgrade or apply the patch as soon as possible. + +========== +Workaround +========== + +None. + +======= +Credits +======= + +This problem was found by Volker Lendecke of SerNet and the Samba +Team. Jeremy Allison of Google and the Samba Team provided the fix. +</pre> +</body> +</html> -- Samba Website Repository
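Review bot: In history/samba-4.6.11.html the banner inside the `<pre>` block is uneven: the rule that closes it, under "November 21, 2017", is shorter than the rule that opens it, and looks carried over from the 4.7.3 page, whose title line is one character shorter. Make both rules the same length as the "Release Notes for Samba 4.6.11" line, as the 4.5.15 page does.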
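Review bot: In the new 21 Nov 2017 row of history/security.html the first cell is never closed: after `patch for Samba 4.5.14</a><br />` the next added line opens `<td>Numerous CVEs.` with no `</td>` in between. Add the closing tag so the row has the intended cell boundaries. "Numerous CVEs" also overstates a row that lists exactly two, CVE-2017-14746 and CVE-2017-15275; naming the two defects would be more useful to someone scanning the table.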
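Review bot: In posted_news/20171121-080701.4.7.3.body.html the second `<p>` (the one starting "The uncompressed tarballs have been signed") is still open when the `<!-- END: ... -->` comment is reached, so the paragraph runs into whatever news item is included next; add `</p>` after the 4.5.15 release-notes link. In the same file `<p class=headline>` should quote the attribute value. Since this paragraph is where users learn which key to trust, consider giving the full key fingerprint next to "ID 6F33915B6568B7EA" rather than the key ID alone.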
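Review bot: In the Workaround hunk of security/CVE-2017-14746.html the added line `prevents and SMB1 access to the server.` has a typo, "and" should be "any". This is the sentence administrators rely on to understand what `server min protocol = SMB2` does, so it is worth fixing before the advisory is published.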
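Review bot: In the Patch Availability section of the new security/CVE-2017-15275.html both patch locations are given as plain HTTP, `http://www.samba.org/samba/security/` and `http://samba.org/samba/patches/`, while the release notes and news item added in this same change link to `https://` URLs. Point the advisory at the HTTPS URLs so that security patches are not fetched over an unauthenticated channel; the same unchanged context lines in the CVE-2017-14746.html copy would benefit from the same fix.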