The branch, master has been updated
       via  cb0b96e NEWS[4.9.3]: Samba 4.9.3, 4.8.7 and 4.7.12 Security Releases Available
      from  218c436 Rework github contributor link text
https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit cb0b96e83cb3cdc121236273c570994e514f2448 Author: Karolin Seeger <ksee...@samba.org> Date: Sun Nov 25 15:27:09 2018 +0100 NEWS[4.9.3]: Samba 4.9.3, 4.8.7 and 4.7.12 Security Releases Available Signed-off-by: Karolin Seeger <ksee...@samba.org> ----------------------------------------------------------------------- Summary of changes: history/header_history.html | 3 + history/samba-4.7.12.html | 98 ++++++++++++++++++ history/samba-4.8.7.html | 98 ++++++++++++++++++ history/samba-4.9.3.html | 126 ++++++++++++++++++++++++ history/security.html | 27 +++++ posted_news/20181127-085351.4.9.3.body.html | 35 +++++++ posted_news/20181127-085351.4.9.3.headline.html | 4 + security/CVE-2018-14629.html | 76 ++++++++++++++ security/CVE-2018-16841.html | 82 +++++++++++++++ security/CVE-2018-16851.html | 83 ++++++++++++++++ security/CVE-2018-16852.html | 79 +++++++++++++++ security/CVE-2018-16853.html | 75 ++++++++++++++ security/CVE-2018-16857.html | 117 ++++++++++++++++++++++ 13 files changed, 903 insertions(+) create mode 100644 history/samba-4.7.12.html create mode 100644 history/samba-4.8.7.html create mode 100644 history/samba-4.9.3.html create mode 100644 posted_news/20181127-085351.4.9.3.body.html create mode 100644 posted_news/20181127-085351.4.9.3.headline.html create mode 100644 security/CVE-2018-14629.html create mode 100644 security/CVE-2018-16841.html create mode 100644 security/CVE-2018-16851.html create mode 100644 security/CVE-2018-16852.html create mode 100644 security/CVE-2018-16853.html create mode 100644 security/CVE-2018-16857.html Changeset truncated at 500 lines: diff --git a/history/header_history.html b/history/header_history.html index bfc59e0..6ffd230 100755 --- a/history/header_history.html +++ b/history/header_history.html 
@@ -9,9 +9,11 @@ <li><a href="/samba/history/">Release Notes</a> <li class="navSub"> <ul> + <li><a href="samba-4.9.3.html">samba-4.9.3</a></li> <li><a href="samba-4.9.2.html">samba-4.9.2</a></li> <li><a href="samba-4.9.1.html">samba-4.9.1</a></li> <li><a href="samba-4.9.0.html">samba-4.9.0</a></li> + <li><a href="samba-4.8.7.html">samba-4.8.7</a></li> <li><a href="samba-4.8.6.html">samba-4.8.6</a></li> <li><a href="samba-4.8.5.html">samba-4.8.5</a></li> <li><a href="samba-4.8.4.html">samba-4.8.4</a></li> @@ -19,6 +21,7 @@ <li><a href="samba-4.8.2.html">samba-4.8.2</a></li> <li><a href="samba-4.8.1.html">samba-4.8.1</a></li> <li><a href="samba-4.8.0.html">samba-4.8.0</a></li> + <li><a href="samba-4.7.12.html">samba-4.7.12</a></li> <li><a href="samba-4.7.11.html">samba-4.7.11</a></li> <li><a href="samba-4.7.10.html">samba-4.7.10</a></li> <li><a href="samba-4.7.9.html">samba-4.7.9</a></li> diff --git a/history/samba-4.7.12.html b/history/samba-4.7.12.html new file mode 100644 index 0000000..b9647bd --- /dev/null +++ b/history/samba-4.7.12.html 
@@ -0,0 +1,98 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.7.12 - Release Notes</title> +</head> +<body> +<H2>Samba 4.7.12 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.7.12.tar.gz">Samba 4.7.12 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.7.12.tar.asc">Signature</a> +</p> +<p> +<a href="https://download.samba.org/pub/samba/patches/samba-4.7.11-4.7.12.diffs.gz">Patch (gzipped) against Samba 4.7.11</a><br> +<a href="https://download.samba.org/pub/samba/patches/samba-4.7.11-4.7.12.diffs.asc">Signature</a> +</p> +<p> +<pre> + ============================== + Release Notes for Samba 4.7.12 + November 27, 2018 + ============================== + + +This is a security release in order to address the following defects: + +o CVE-2018-14629 (Unprivileged adding of CNAME record causing loop in AD + Internal DNS server) +o CVE-2018-16841 (Double-free in Samba AD DC KDC with PKINIT) +o CVE-2018-16851 (NULL pointer de-reference in Samba AD DC LDAP server) +o CVE-2018-16853 (Samba AD DC S4U2Self crash in experimental MIT Kerberos + configuration (unsupported)) + + +======= +Details +======= + +o CVE-2018-14629: + All versions of Samba from 4.0.0 onwards are vulnerable to infinite + query recursion caused by CNAME loops. Any dns record can be added via + ldap by an unprivileged user using the ldbadd tool, so this is a + security issue. + +o CVE-2018-16841: + When configured to accept smart-card authentication, Samba's KDC will call + talloc_free() twice on the same memory if the principal in a validly signed + certificate does not match the principal in the AS-REQ. + + This is only possible after authentication with a trusted certificate. 
+ + talloc is robust against further corruption from a double-free with + talloc_free() and directly calls abort(), terminating the KDC process. + + There is no further vulnerability associated with this issue, merely a + denial of service. + +o CVE-2018-16851: + During the processing of an LDAP search before Samba's AD DC returns + the LDAP entries to the client, the entries are cached in a single + memory object with a maximum size of 256MB. When this size is + reached, the Samba process providing the LDAP service will follow the + NULL pointer, terminating the process. + + There is no further vulnerability associated with this issue, merely a + denial of service. + +o CVE-2018-16853: + A user in a Samba AD domain can crash the KDC when Samba is built in the + non-default MIT Kerberos configuration. + + With this advisory we clarify that the MIT Kerberos build of the Samba + AD DC is considered experimental. Therefore the Samba Team will not + issue security patches for this configuration. + +For more details and workarounds, please refer to the security advisories. + + +Changes since 4.7.11: +-------------------- + +o Andrew Bartlett <abart...@samba.org> + * BUG 13628: CVE-2018-16841: heimdal: Fix segfault on PKINIT with + mis-matching principal. + * BUG 13678: CVE-2018-16853: build: The Samba AD DC, when build with MIT + Kerberos is experimental + +o Aaron Haslett <aaronhasl...@catalyst.net.nz> + * BUG 13600: CVE-2018-14629: dns: CNAME loop prevention using counter. + +o Garming Sam <garm...@catalyst.net.nz> + * BUG 13674: CVE-2018-16851: ldap_server: Check ret before manipulating blob. + + +</pre> +</p> +</body> +</html> diff --git a/history/samba-4.8.7.html b/history/samba-4.8.7.html new file mode 100644 index 0000000..cf148d8 --- /dev/null +++ b/history/samba-4.8.7.html 
@@ -0,0 +1,98 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.8.7 - Release Notes</title> +</head> +<body> +<H2>Samba 4.8.7 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.8.7.tar.gz">Samba 4.8.7 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.8.7.tar.asc">Signature</a> +</p> +<p> +<a href="https://download.samba.org/pub/samba/patches/samba-4.8.6-4.8.7.diffs.gz">Patch (gzipped) against Samba 4.8.6</a><br> +<a href="https://download.samba.org/pub/samba/patches/samba-4.8.6-4.8.7.diffs.asc">Signature</a> +</p> +<p> +<pre> + ============================= + Release Notes for Samba 4.8.7 + November 27, 2018 + ============================= + + +This is a security release in order to address the following defects: + +o CVE-2018-14629 (Unprivileged adding of CNAME record causing loop in AD + Internal DNS server) +o CVE-2018-16841 (Double-free in Samba AD DC KDC with PKINIT) +o CVE-2018-16851 (NULL pointer de-reference in Samba AD DC LDAP server) +o CVE-2018-16853 (Samba AD DC S4U2Self crash in experimental MIT Kerberos + configuration (unsupported)) + + +======= +Details +======= + +o CVE-2018-14629: + All versions of Samba from 4.0.0 onwards are vulnerable to infinite + query recursion caused by CNAME loops. Any dns record can be added via + ldap by an unprivileged user using the ldbadd tool, so this is a + security issue. + +o CVE-2018-16841: + When configured to accept smart-card authentication, Samba's KDC will call + talloc_free() twice on the same memory if the principal in a validly signed + certificate does not match the principal in the AS-REQ. + + This is only possible after authentication with a trusted certificate. 
+ + talloc is robust against further corruption from a double-free with + talloc_free() and directly calls abort(), terminating the KDC process. + + There is no further vulnerability associated with this issue, merely a + denial of service. + +o CVE-2018-16851: + During the processing of an LDAP search before Samba's AD DC returns + the LDAP entries to the client, the entries are cached in a single + memory object with a maximum size of 256MB. When this size is + reached, the Samba process providing the LDAP service will follow the + NULL pointer, terminating the process. + + There is no further vulnerability associated with this issue, merely a + denial of service. + +o CVE-2018-16853: + A user in a Samba AD domain can crash the KDC when Samba is built in the + non-default MIT Kerberos configuration. + + With this advisory we clarify that the MIT Kerberos build of the Samba + AD DC is considered experimental. Therefore the Samba Team will not + issue security patches for this configuration. + +For more details and workarounds, please refer to the security advisories. + + +Changes since 4.8.6: +-------------------- + +o Andrew Bartlett <abart...@samba.org> + * BUG 13628: CVE-2018-16841: heimdal: Fix segfault on PKINIT with + mis-matching principal. + * BUG 13678: CVE-2018-16853: build: The Samba AD DC, when build with MIT + Kerberos is experimental + +o Aaron Haslett <aaronhasl...@catalyst.net.nz> + * BUG 13600: CVE-2018-14629: dns: CNAME loop prevention using counter. + +o Garming Sam <garm...@catalyst.net.nz> + * BUG 13674: CVE-2018-16851: ldap_server: Check ret before manipulating blob. + + +</pre> +</p> +</body> +</html> diff --git a/history/samba-4.9.3.html b/history/samba-4.9.3.html new file mode 100644 index 0000000..ed12cab --- /dev/null +++ b/history/samba-4.9.3.html 
@@ -0,0 +1,126 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> +<head> +<title>Samba 4.9.3 - Release Notes</title> +</head> +<body> +<H2>Samba 4.9.3 Available for Download</H2> +<p> +<a href="https://download.samba.org/pub/samba/stable/samba-4.9.3.tar.gz">Samba 4.9.3 (gzipped)</a><br> +<a href="https://download.samba.org/pub/samba/stable/samba-4.9.3.tar.asc">Signature</a> +</p> +<p> +<a href="https://download.samba.org/pub/samba/patches/samba-4.9.2-4.9.3.diffs.gz">Patch (gzipped) against Samba 4.9.2</a><br> +<a href="https://download.samba.org/pub/samba/patches/samba-4.9.2-4.9.3.diffs.asc">Signature</a> +</p> +<p> +<pre> + ============================= + Release Notes for Samba 4.9.3 + November 27, 2018 + ============================= + + +This is a security release in order to address the following defects: + +o CVE-2018-14629 (Unprivileged adding of CNAME record causing loop in AD + Internal DNS server) +o CVE-2018-16841 (Double-free in Samba AD DC KDC with PKINIT) +o CVE-2018-16851 (NULL pointer de-reference in Samba AD DC LDAP server) +o CVE-2018-16852 (NULL pointer de-reference in Samba AD DC DNS servers) +o CVE-2018-16853 (Samba AD DC S4U2Self crash in experimental MIT Kerberos + configuration (unsupported)) +o CVE-2018-16857 (Bad password count in AD DC not always effective) + + +======= +Details +======= + +o CVE-2018-14629: + All versions of Samba from 4.0.0 onwards are vulnerable to infinite + query recursion caused by CNAME loops. Any dns record can be added via + ldap by an unprivileged user using the ldbadd tool, so this is a + security issue. + +o CVE-2018-16841: + When configured to accept smart-card authentication, Samba's KDC will call + talloc_free() twice on the same memory if the principal in a validly signed + certificate does not match the principal in the AS-REQ. 
+ + This is only possible after authentication with a trusted certificate. + + talloc is robust against further corruption from a double-free with + talloc_free() and directly calls abort(), terminating the KDC process. + + There is no further vulnerability associated with this issue, merely a + denial of service. + +o CVE-2018-16851: + During the processing of an LDAP search before Samba's AD DC returns + the LDAP entries to the client, the entries are cached in a single + memory object with a maximum size of 256MB. When this size is + reached, the Samba process providing the LDAP service will follow the + NULL pointer, terminating the process. + + There is no further vulnerability associated with this issue, merely a + denial of service. + +o CVE-2018-16852: + During the processing of an DNS zone in the DNS management DCE/RPC server, + the internal DNS server or the Samba DLZ plugin for BIND9, if the + DSPROPERTY_ZONE_MASTER_SERVERS property or DSPROPERTY_ZONE_SCAVENGING_SERVERS + property is set, the server will follow a NULL pointer and terminate. + + There is no further vulnerability associated with this issue, merely a + denial of service. + +o CVE-2018-16853: + A user in a Samba AD domain can crash the KDC when Samba is built in the + non-default MIT Kerberos configuration. + + With this advisory we clarify that the MIT Kerberos build of the Samba + AD DC is considered experimental. Therefore the Samba Team will not + issue security patches for this configuration. + +o CVE-2018-16857: + AD DC Configurations watching for bad passwords (to restrict brute forcing + of passwords) in a window of more than 3 minutes may not watch for bad + passwords at all. + +For more details and workarounds, please refer to the security advisories. + + +Changes since 4.9.2: +-------------------- + +o Andrew Bartlett <abart...@samba.org> + * BUG 13628: CVE-2018-16841: heimdal: Fix segfault on PKINIT with + mis-matching principal. 
+ * BUG 13678: CVE-2018-16853: build: The Samba AD DC, when build with MIT + Kerberos is experimental + +o Tim Beale <timbe...@catalyst.net.nz> + * BUG 13683: CVE-2018-16857: dsdb/util: Correctly treat + lockOutObservationWindow as 64-bit int. + +o Joe Guo <j...@catalyst.net.nz> + * BUG 13683: CVE-2018-16857 PEP8: Fix E305: Expected 2 blank lines after + class or function definition, found 1. + +o Aaron Haslett <aaronhasl...@catalyst.net.nz> + * BUG 13600: CVE-2018-14629: dns: CNAME loop prevention using counter. + +o Gary Lockyer <g...@catalyst.net.nz> + * BUG 13669: CVE-2018-16852: Fix NULL pointer de-reference in Samba AD DC + DNS management. + +o Garming Sam <garm...@catalyst.net.nz> + * BUG 13674: CVE-2018-16851: ldap_server: Check ret before manipulating blob. + + +</pre> +</p> +</body> +</html> diff --git a/history/security.html b/history/security.html index aa6b4fb..014857e 100755 --- a/history/security.html +++ b/history/security.html 
@@ -21,6 +21,33 @@ link to full release notes for each release.</p> <td><em>Details</em></td> </tr> + <tr> + <td>27 Nov 2018</td> + <td><a href="/samba/ftp/patches/security/samba-4.9.2-security-2018-11-27.patch"> + patch for Samba 4.9.2 (all CVEs)</a><br /> + <a href="/samba/ftp/patches/security/samba-4.8.6-security-2018-11-27.patch"> + patch for Samba 4.8.6 (all CVEs except CVE-2018-16852 and CVE-2018-16857)</a><br /> + <a href="/samba/ftp/patches/security/samba-4.7.11-security-2018-11-27.patch"> + patch for Samba 4.7.11 (all CVEs except CVE-2018-16852 and CVE-2018-16857)</a><br /> + <td>Numerous CVEs. Please see the announcements for details. + </td> + <td>please refer to the advisories</td> + <td><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14629">CVE-2018-14629</a>, + <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16841">CVE-2018-16841</a>, + <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16851">CVE-2018-16851</a>, + <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16852">CVE-2018-16852</a>, + <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16853">CVE-2018-16853</a>, + <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16857">CVE-2018-16857</a> + </td> + <td><a href="/samba/security/CVE-2018-14629.html">Announcement</a>, + <a href="/samba/security/CVE-2018-16841.html">Announcement</a>, + <a href="/samba/security/CVE-2018-16851.html">Announcement</a>, + <a href="/samba/security/CVE-2018-16852.html">Announcement</a>, + <a href="/samba/security/CVE-2018-16853.html">Announcement</a>, + <a href="/samba/security/CVE-2018-16857.html">Announcement</a> + </td> + </tr> + <tr> <td>14 Aug 2018</td> <td><a href="/samba/ftp/patches/security/samba-4.8.3-security-2018-08-14.patch"> diff --git a/posted_news/20181127-085351.4.9.3.body.html b/posted_news/20181127-085351.4.9.3.body.html new file mode 100644 index 0000000..1b5da5c --- /dev/null 
+++ b/posted_news/20181127-085351.4.9.3.body.html 
@@ -0,0 +1,35 @@ +<!-- BEGIN: posted_news/20181127-085351.4.9.3.body.html --> +<h5><a name="4.9.3">27 November 2018</a></h5> +<p class=headline>Samba 4.9.3, 4.8.7 and 4.7.12 Security Releases Available</p> +<p> +These are security releases in order to address<br> +<a href="/samba/security/CVE-2018-14629.html">CVE-2018-14629</a> +(Unprivileged adding of CNAME record causing loop in AD Internal DNS server),<br> +<a href="/samba/security/CVE-2018-16841.html">CVE-2018-16841</a> +(Double-free in Samba AD DC KDC with PKINIT),<br> +<a href="/samba/security/CVE-2018-16851.html">CVE-2018-16851</a> +(NULL pointer de-reference in Samba AD DC LDAP server),<br> +<a href="/samba/security/CVE-2018-16852.html">CVE-2018-16852</a> +(NULL pointer de-reference in Samba AD DC DNS servers),<br> +<a href="/samba/security/CVE-2018-16853.html">CVE-2018-16853</a> +(Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported)) and<br> +<a href="/samba/security/CVE-2018-16857.html">CVE-2018-16857</a> +(Bad password count in AD DC not always effective). +</p> +<p> +The uncompressed tarball has been signed using GnuPG (ID 6F33915B6568B7EA). +<br> +The 4.9.3 source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.9.3.tar.gz">downloaded now</a>. +A <a href="https://download.samba.org/pub/samba/patches/samba-4.9.2-4.9.3.diffs.gz">patch against Samba 4.9.2</a> is also available. +See <a href="https://www.samba.org/samba/history/samba-4.9.3.html">the release notes for more info</a>. +<br> +The 4.8.7 source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.8.7.tar.gz">downloaded now</a>. +A <a href="https://download.samba.org/pub/samba/patches/samba-4.8.6-4.8.7.diffs.gz">patch against Samba 4.8.6</a> is also available. +See <a href="https://www.samba.org/samba/history/samba-4.8.7.html">the release notes for more info</a>. 
+<br> +The 4.7.12 source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.7.12.tar.gz">downloaded now</a>. +A <a +href="https://download.samba.org/pub/samba/patches/samba-4.7.11-4.7.12.diffs.gz">patch against Samba 4.7.11</a> is also available. +See <a href="https://www.samba.org/samba/history/samba-4.7.12.html">the release notes for more info</a>. +</p> +<!-- END: posted_news/20181127-085351.4.9.3.body.html --> diff --git a/posted_news/20181127-085351.4.9.3.headline.html b/posted_news/20181127-085351.4.9.3.headline.html new file mode 100644 index 0000000..cc1efe6 --- /dev/null +++ b/posted_news/20181127-085351.4.9.3.headline.html @@ -0,0 +1,4 @@ +<!-- BEGIN: posted_news/20181127-085351.4.9.3.headline.html --> +<li> 27 November 2018 <a href="#4.9.3">Samba 4.9.3, 4.8.7 and 4.7.12 Security +Releases Available</a></li> +<!-- END: posted_news/20181127-085351.4.9.3.headline.html --> diff --git a/security/CVE-2018-14629.html b/security/CVE-2018-14629.html new file mode 100644 index 0000000..37fae39 --- /dev/null +++ b/security/CVE-2018-14629.html 
@@ -0,0 +1,76 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" + "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html xmlns="http://www.w3.org/1999/xhtml"> + +<head> +<title>Samba - Security Announcement Archive</title> +</head> + +<body> + + <H2>CVE-2018-14629.html + +<p> +<pre> +==================================================================== +== Subject: Unprivileged adding of CNAME record causing loop +== in AD Internal DNS server +== +== CVE ID#: CVE-2018-14629 +== +== Versions: All versions of Samba from 4.0.0 onwards. +== +== Summary: CNAME loops can cause DNS server crashes, and CNAMEs +== can be added by unprivileged users. +== +==================================================================== + +=========== +Description +=========== + +All versions of Samba from 4.0.0 onwards are vulnerable to infinite +query recursion caused by CNAME loops. Any dns record can be added via +ldap by an unprivileged user using the ldbadd tool, so this is a +security issue. + +================== +Patch Availability +================== + +Patches addressing both these issues have been posted to: -- Samba Website Repository
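Review bot: In the new history/samba-4.7.12.html, the changelog entry "BUG 13678: CVE-2018-16853: build: The Samba AD DC, when build with MIT Kerberos is experimental" should read "when built with MIT Kerberos", and the entry is missing its trailing period, unlike the other entries in the list. The same lines are repeated verbatim in the history/samba-4.8.7.html and history/samba-4.9.3.html hunks, so the fix applies to all three. Separately, the release notes are wrapped as `<p>` `<pre>` ... `</pre>` `</p>`; under the XHTML 1.0 Transitional doctype the file declares, a block-level `<pre>` is not permitted inside `<p>`, so dropping the surrounding `<p>`/`</p>` (or replacing it with a `<div>`) would keep the page valid.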
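Review bot: In the history/samba-4.9.3.html hunk, the CVE-2018-16852 paragraph opens with "During the processing of an DNS zone", which should be "a DNS zone", and the CVE-2018-16857 paragraph's "AD DC Configurations watching for bad passwords" should not capitalise "configurations". In the changelog section, the entry "BUG 13683: CVE-2018-16857 PEP8: Fix E305: ..." lacks the colon after the CVE identifier that every other entry uses ("CVE-2018-16857: PEP8: ..."); worth aligning so the entries parse consistently.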
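Review bot: In the history/security.html hunk, the second `<td>` of the new row (the one holding the three patch links) is never closed: after `patch for Samba 4.7.11 (all CVEs except CVE-2018-16852 and CVE-2018-16857)</a><br />` the next line is `<td>Numerous CVEs. ...` with no intervening `</td>`. Browsers will auto-close the cell, but the row then differs from the existing rows in the table; add `</td>` before `<td>Numerous CVEs.` so the markup stays well-formed.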
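Review bot: In the posted_news/20181127-085351.4.9.3.body.html hunk, the attribute in `<p class=headline>` is unquoted and the `<br>` tags are not self-closed; if the page this fragment is included in is served as XHTML (as the release-notes pages in this same commit are), these should be `<p class="headline">` and `<br />`. If earlier posted_news fragments use the unquoted form deliberately, ignore this and keep the existing convention.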
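Review bot: In the security/CVE-2018-14629.html hunk, the heading `<H2>CVE-2018-14629.html` has no closing `</H2>` and shows the file name rather than the advisory title ("Unprivileged adding of CNAME record causing loop in AD Internal DNS server"); closing the tag and using the subject line would match what the rest of the advisory says. Also, "Patches addressing both these issues have been posted to:" refers to two issues, but this advisory describes a single one (CVE-2018-14629), so "this issue" is what is meant. The changeset is truncated at 500 lines, so the remainder of this file and the other five advisories were not visible for review.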